Another day, another Bitcoin scam – This time it abuses Google Ads service.
In December last year, HackRead.com exclusively exposed a scam in which hackers bought advertisement slots on Google's search engine using Google's very own AdWords (Google Ads) service. The search results displayed a Google Chrome download advertisement above the official Chrome download page, but the link in that ad slot took users to a Google Sites page offering a Chrome download; when the setup file was downloaded, it turned out to be malware.
This means the unknown hackers used Google AdWords and Google Sites to spread malware from Google's search engine. Its detailed analysis is available here. Now, a similar scam has been busted by IT security researchers at Cisco's Talos team, in which a group of Ukrainian hackers stole $50 million worth of cryptocurrency from users and investors at Blockchain.info, a prominent Luxembourg-based Bitcoin wallet and block explorer service provider.
The similarity between this scam and the previous one is that in both cases the hackers bought advertisement slots using Google AdWords, meaning that if a user searched for terms like “blockchain” or “bitcoin wallet,” the search results would display a spoofed website carrying the exact same design as the original. This tricked users into believing they were on the official website; they logged in with their credentials, allowing the hackers to access their wallets and steal cryptocurrency.
As shown in the screenshot below, the official website of the company is Blockchain.info, while the hackers used a spoofed domain with the URL Block-clain.info. Notice that the fake domain does not contain the letter “h,” which clearly indicates that something is wrong, yet the group was still able to trick customers and got away with a whopping $50 million in cryptocurrency.
“The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” wrote Jeremiah O’Connor of Cisco and security researcher Dave Maynor who worked on the report with Cisco.
It must be noted that the Coinhoarder group did not steal $50 million worth of cryptocurrency in one shot; in fact, Cisco has been investigating the phishing campaign for the last six months with the help of Ukrainian law enforcement authorities. From September 2017 to December 2017, the group stole $10 million worth of cryptocurrency, while in one attempt the Coinhoarder group was able to steal $2 million within a 3.5-week period. The researchers were able to track one of the wallets used by the hackers, which showed it had received $1,894,433.09.
One of the victims who fell for the scam has described his experience on Reddit, and unfortunately there is nothing that can be done to track the hackers, since Bitcoin is pseudonymous and sending or receiving funds is like writing under a pseudonym. To avoid such scams, Facebook has already banned cryptocurrency and ICO-related advertisement campaigns.
“What is clear from the Coinhoarder campaign is that cryptocurrency phishing via Google Adwords is a lucrative attack on users worldwide. Phishers are significantly improving their attack techniques by moving to SSL and employing the use of IDNs to fool victims into handing over their credentials. We can expect to see more of these realistic looking phishes,” researchers concluded.
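The two ingredients the article describes, a near-identical domain (Block-clain.info versus Blockchain.info) and the IDN homoglyph trick the researchers warn about, can both be caught on the defender's side by normalising candidate hostnames and measuring how close they are to a protected brand. The following is an added example written for this page; it is not code from HackRead, Cisco Talos or Blockchain.info. The protected-domain list, the homoglyph table, the edit-distance threshold of 2 and the sample landing-page URLs are all assumptions constructed for the demonstration, and the "name part" comparison deliberately ignores public-suffix rules to keep the example short.

```python
import unicodedata
from urllib.parse import urlsplit

# Brands the defender wants to protect. Constructed watchlist for this example.
PROTECTED_DOMAINS = ["blockchain.info"]

# Characters that render like a Latin letter. Hand-picked and not exhaustive (assumption):
# a few Cyrillic lookalikes plus digit/letter confusions commonly seen in typosquats.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",          # Cyrillic a e o p c x y i
    "0": "o", "1": "l", "|": "l",                         # digit / bar confusions
}
# Two-letter sequences that read as a single letter in many fonts.
MULTI_CHAR_FOLDS = [("rn", "m"), ("vv", "w")]

def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode; plain ASCII hosts pass through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def name_part(host: str) -> str:
    """Everything before the final label, so a TLD swap (.info -> .example) still matches.
    Simplification: no public-suffix list, so suffixes like co.uk are not handled."""
    return host.rsplit(".", 1)[0] if "." in host else host

def skeleton(host: str) -> str:
    """Normalise a host for comparison: IDN decode, NFKC, lowercase, homoglyph fold, drop hyphens."""
    s = unicodedata.normalize("NFKC", decode_idn(host)).lower()
    for seq, repl in MULTI_CHAR_FOLDS:
        s = s.replace(seq, repl)
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    return name_part(s.replace("-", ""))

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, nearest_brand, distance).
    legitimate : exact match with a protected domain
    confusable : identical to a brand after normalisation (homoglyph, hyphen or TLD swap)
    lookalike  : within max_distance edits of a brand (e.g. one substituted letter)
    unrelated  : everything else"""
    host = host.lower()
    if host in protected:
        return ("legitimate", host, 0)
    sk = skeleton(host)
    nearest = min(protected, key=lambda p: levenshtein(sk, skeleton(p)))
    d = levenshtein(sk, skeleton(nearest))
    if d == 0:
        return ("confusable", nearest, 0)
    if d <= max_distance:
        return ("lookalike", nearest, d)
    return ("unrelated", nearest, d)

def hostname_of(url: str) -> str:
    """Extract the hostname of an ad landing URL, dropping a leading www."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def triage_landing_pages(urls):
    """Classify each ad landing URL; returns a list of (url, verdict, brand, distance)."""
    return [(u,) + classify(hostname_of(u)) for u in urls]

# Constructed sample of ad landing pages. The Cyrillic one is built here and
# punycode-encoded so that the block needs no external input.
CYRILLIC_LOOKALIKE = "https://" + "blockch\u0430in.info".encode("idna").decode("ascii") + "/wallet"
SAMPLE_URLS = [
    "https://blockchain.info/wallet",          # the real site
    "https://block-clain.info/wallet/login",    # the spoofed domain named in the article
    CYRILLIC_LOOKALIKE,                         # IDN homoglyph: Cyrillic a in "chain"
    "https://www.blockchain.example/",          # constructed TLD swap (.example is reserved)
    "https://www.coinbase.com/",                # unrelated brand, should not be flagged
]

if __name__ == "__main__":
    for url, verdict, brand, dist in triage_landing_pages(SAMPLE_URLS):
        print(f"{verdict:10} d={dist} {url}  (nearest: {brand})")
```

Running the block prints one verdict per sample URL: the real site is legitimate, Block-clain.info is a lookalike one edit away, the punycode and TLD-swap hosts collapse to exactly the brand after normalisation, and the unrelated brand stays unflagged. In practice the same check would run over the landing hostnames of newly registered domains, certificate-transparency log entries or paid-search ads that mention the brand, and a hit would feed a takedown or a user-facing warning rather than block anything on its own.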
Remember, Coinhoarder is not the only group using sophisticated and persistent ways of targeting unsuspecting users. The Lazarus group is also trying its luck by posing as a job recruitment firm and sending users malware-infected Word documents which, besides stealing personal data, take wallet details and cryptocurrency with them.
If you are in the cryptocurrency business, stay safe online and do not fall for such scams. Moreover, it is advisable not to store your funds in an online wallet. Here is a review of the 5 safest hardware Bitcoin wallets.