Google AdWords and Free SSL certificates Take Bitcoin Phishing Game to a Whole New Level: $50 Million Stolen

Massive Bitcoin phishing scam shows the dark side of Free SSL certificates

Cisco and the Ukrainian Cyberpolice have unearthed a massive Bitcoin phishing scam. Over $50 million (in Bitcoin) is said to have been stolen by Coinhoarder, the hacker group behind the scam. They were exceedingly clever about it, too: all of this was made possible by using free SSL certificates and Google AdWords.

The news first came out on Wednesday, when Jeremiah O’Connor and Dave Maynor published a post on Talos’ official blog. Cisco, with the assistance of the Ukrainian Cyberpolice, had been tracking this theft for over six months.

Here’s what happened

If you’re into Bitcoin trading or mining, you’ve probably heard of the website blockchain.info. And if you haven’t, let me tell you that it is one of the most popular providers of cryptocurrency wallets. To trick blockchain.info users into handing over their details, the group created similar-looking websites with only a slight change in the domain name. The changes were made in such a way that they would be hard to notice. The hackers used domain names such as block-clain.info and blockchien.info. Let’s be honest and admit that most of us wouldn’t have been able to spot the difference in the domain name as long as the site looked like the original one. And you know what? Many didn’t.

Here’s a Reddit post from a user who seems to have fallen victim to this Bitcoin phishing scam:

First of all, the login confirmation email stated that there had been a login attempt from an IP address that now appears to be from Brazil, so this means that this person has somehow already accessed my account, with the correct information (wallet ID and my password). It should be noted that this password is unique, and I have not used it at a different site, ever. How could this person have accessed my account with the correct information, minutes after I created it?

Second of all, how did I end up on f*cking bockcheian.info? I have never logged in anywhere else, except for the legit blockchain site.

I can’t seem to make any sense out of it; if anyone could offer some insight, it would be much appreciated.

Edit: Also, now when I am on bockcheian.info, Chrome prevents me from seeing the page, displaying a warning that this site is used for phishing. If only I had gotten this warning an hour ago.

This person is just one of the many people who entered their wallet details on these spoofed sites and had their crypto-wallets emptied. It is estimated that $50 million (#Whoa) worth of Bitcoin has been stolen this way.
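As an added, defender-side example (not from the article or from the Talos write-up), here is how a monitoring team could flag near-miss domains like the ones quoted above against the brand they imitate, using plain edit distance on the registrable label. The distance threshold of 3, the single-label suffix handling, and the benign example.org entry are my assumptions; the look-alike domains themselves are the ones named in the article.

```python
"""Flag typosquat look-alikes of a protected brand label (added example)."""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Lower-cased second-level label: 'Block-Clain.info' -> 'block-clain'.
    Assumes a one-label public suffix; a real deployment would consult the
    Public Suffix List so that e.g. '.co.uk' is handled correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalikes(domains, protected="blockchain.info", max_distance=3):
    """Return (domain, distance) pairs whose registrable label is within
    max_distance edits of the protected brand's label. The protected domain
    itself is never reported; distant, unrelated names are dropped."""
    brand = registrable_label(protected)
    hits = []
    for d in domains:
        if d.lower().rstrip(".") == protected.lower():
            continue
        dist = levenshtein(registrable_label(d), brand)
        if dist <= max_distance:
            hits.append((d, dist))
    return hits


# Domains named in the article, plus one constructed benign entry for contrast.
OBSERVED = ["blockchain.info", "block-clain.info", "blockchien.info",
            "bockcheian.info", "example.org"]

if __name__ == "__main__":
    for domain, dist in lookalikes(OBSERVED):
        print(f"{domain:20s} edit distance {dist} from blockchain.info")
```

In practice the candidate list would come from newly registered domain feeds or Certificate Transparency logs, which is where the free DV certificates discussed later in the post become visible to defenders.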

Here’s how the hackers (mis)used Google AdWords

Put yourself in the hackers’ shoes for a minute and think about how you could get the maximum number of blockchain.info users to click on your fake blockchien.info website. Well, how about getting your fake site into the first search result on Google for keywords like ‘blockchain’ or ‘bitcoin wallet’? Smart, right? That’s precisely what the Coinhoarder group did. They bought ads on those keywords so that their site appeared at the top of Google search results, duping as many users as possible.

I certainly don’t want to praise the hackers here (and no one should), but I must say the simplicity with which they fooled users is remarkable. As a result, in February 2017, DNS queries for these fake cryptocurrency sites reached as many as 200,000 per hour!

Phishing & Free SSL certificates: The Love affair continues

As web users grow more concerned about their security, they’ve become better at telling fake websites from real ones. And the first thing they do is check whether there’s a ‘Secure’ label or a padlock in front of the URL. Without a shadow of a doubt, this is a good practice. But what most people don’t realize is that “Secure” doesn’t equal safe. There could be an imposter hiding behind the padlock icon. In recent times, with the rise of free SSL certificates, we’ve been seeing this a lot.

That’s because it’s so easy to get a free SSL certificate that anyone, I repeat, anyone can obtain one for a domain they control. This has been a boon as well as a bane. Almost half of the websites on the internet are now encrypted, and a large part of the credit goes to these free certificate authorities. However, this opens up a can of worms for users and a window of opportunity for cyber-criminals.

To give you an example, my former colleague, Vince, found out that Let’s Encrypt, a free certificate authority, was issuing thousands of PayPal phishing certificates. He even appealed to Let’s Encrypt to stop issuing certificates for domains that contain the word ‘PayPal’. Sadly, nothing happened.

During this Bitcoin phishing campaign, to appear legitimate, the hackers migrated their sites from HTTP to HTTPS with the help of these free SSL certs. This is how it looks:

[Image: Bitcoin Phishing]

Let’s admit, it would be pretty easy to fall for this.

Final Thoughts

The use of Google AdWords to dupe users makes this Bitcoin phishing scheme a unique one. However, this is not the first, nor the last time we’re seeing the dark side of free SSL certs. With Let’s Encrypt about to introduce Wildcard SSL certificates, we can expect an even bigger uptick in phishing attacks.

7 comments
  • It does not matter whether certificates are free or not. If scammers are ready to pay Google, they can pay a certificate issuer as well. And issuers verify the site the same way: send an email to the domain, require some token in a DNS entry or put a token into a web page. It is a similar process to the one Let’s Encrypt has, except there is one more step: paying.

    • Hey Ari,

      There is no arguing with the fact that the scammers can use paid certificates, and it has happened in the past. However, if you compare the sheer recurrences of such incidents, you’d find that the free certificates easily outweigh the paid ones. The reason is pretty obvious.

    • It should not be free certs but DV certificates in question, as there is no vetting of who is requesting the certificate. EV validation prevents this type of attack, as it has a much stricter validation procedure and a more visible indicator that lists the company name in the browser. But improvements by the browsers need to be made to prevent this in the future as well and make a safer web. Update the UI in all browsers to one standard for HTTPS – https://casecurity.org/browser-ui-security-indicators/

  • To be honest, it doesn’t relate to Let’s Encrypt or free SSL. HTTPS simply means the messages are encrypted and secured. Visitors should understand the meaning of HTTPS (or Chrome’s secured-site indicator) better.

    Personally, I think paid SSL or even OV SSL cannot avoid this situation; only EV SSL can. I think more and more businesses will consider using EV SSL if Chrome doesn’t block the green bar feature.

    • Hey Jack,

      You’ve raised a pretty valid point here. When it comes to HTTPS-enabled sites, most users wouldn’t be able to distinguish between a connection that’s just encrypted (free & DV) and a site that’s verified & encrypted (OV & EV). Browsers need to come up with a way to educate users about this. Until then, using OV & EV seems to be the only option.

Author

Jay Thakkar

After graduating from university with an engineering degree, Jay found his true passion as a writer…specifically, a cybersecurity writer. He’s now a Hashed Out staff writer covering encryption, privacy, cybersecurity best practices, and related topics.