Since 2015, a cybercrime gang has been launching phishing attacks that exploit Google’s advertising network to steal more than $50m worth of cryptocurrency. In a blog post, researchers from Talos, a division of Cisco, revealed how they worked alongside the Ukraine Cyberpolice for six months to track the group responsible. The campaign, dubbed CoinHoarder, has been hijacking Google AdWords for years, they found.
AdWords lets marketers pay to display content on Google’s popular online network. Advertisers bid on keywords, and their ads then appear as clickable results. In this campaign, Ukraine-based phishers posed as cryptocurrency websites to steal the login details of users’ wallets. Often, Talos said, the top results for “blockchain” and “bitcoin wallet” led to the hackers’ sites.
The fraudulent domains would have slightly different spellings to real crypto platforms. Instead of blockchain.info the hackers would use blockchalna[.]info. The websites, which had hundreds of thousands of visitors, were hosted on servers based in European countries, including Ukraine.
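The lookalike-domain trick described above is cheap to catch on the defender’s side. The following is an added example, not code from the Talos post: it normalises visually confusable characters and then measures edit distance between a candidate domain’s second-level label and a watch-list of protected brands. The watch-list, the confusable mapping and the sample ad-landing domains are constructed for illustration.

```python
# Added example: flag ad-landing domains that imitate a protected brand,
# as CoinHoarder's blockchalna[.]info imitated blockchain.info.
PROTECTED = ["blockchain.info", "coinbase.com"]   # constructed watch-list

# Constructed sample of domains an audit of paid search results might yield.
SAMPLE_AD_DOMAINS = [
    "blockchain.info", "blockchalna.info", "b1ockchain.info",
    "coinbase-login.com", "example.org",
]


def normalize(label: str) -> str:
    """Collapse characters that read alike at a glance (1/l/i, 0/o, rn/m, vv/w)."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("1i0", "llo"))


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def registrable(domain: str) -> tuple:
    """Return (second-level label, TLD). Simplification: no public-suffix list."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


def lookalike_of(candidate: str, protected=PROTECTED, max_distance: int = 2):
    """Return the protected brand the candidate imitates, or None if it is clean/genuine."""
    c_sld, c_tld = registrable(candidate)
    for brand in protected:
        b_sld, b_tld = registrable(brand)
        if (c_sld, c_tld) == (b_sld, b_tld):
            return None                     # the genuine domain itself
        nc, nb = normalize(c_sld), normalize(b_sld)
        # Brand embedded in the label (coinbase-login) or within a few edits of it.
        if nb in nc or osa_distance(nc, nb) <= max_distance:
            return brand
    return None


def scan(domains=SAMPLE_AD_DOMAINS) -> dict:
    """Map each suspicious domain to the brand it imitates."""
    hits = {}
    for d in domains:
        brand = lookalike_of(d)
        if brand:
            hits[d] = brand
    return hits
```

Running `scan()` on the constructed sample flags the three imitations and leaves the genuine `blockchain.info` and the unrelated `example.org` alone.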
Here is what the actual phishing landing page looked like. Note how similar and convincing it is compared to the real site, with the exception of the URL:
A team of Talos experts said in the blog post:
“These attacks can be nearly impossible to spot with the human eye, especially when delivered on a mobile platform.”
The experts said that attackers typically target victims in developing nations where, they noted, banking “can be more difficult” and English is not a first language.
“While working with Ukraine law enforcement, we were able to identify the attackers’ Bitcoin wallet addresses and thus, we could track their activity for the period of time between September and December 2017.”
“Based on our findings associated with this syndicate, we estimate the CoinHoarder group to have netted more than $50m over the past three years.”
Cryptocurrencies, primarily bitcoin, spiked in value during the last few months of 2017, and at one point a single coin was worth more than $19,000. As mainstream adoption grew, so did the value of the funds stolen by the global cybercrime gangs behind such heists.
Talos researchers noted:
“What is clear from the CoinHoarder campaign is that cryptocurrency phishing via Google AdWords is a lucrative attack on users worldwide.”