As we have pointed out several times, cybercrime is a business, and running a malware or phishing campaign does require some financial investment by the bad actors. Rental of botnets, purchase of exploit kits, and acquisition of compromised site lists are all expenses that need to be covered by the campaign.

A recent phishing attack detected by CYREN clearly shows this investment, as the attack vector is pay-per-click advertising via Google AdWords.

'blockchain' vs. 'bioklchain'

The ad showed up in response to searches for 'blockchain', a bitcoin-related term. Close analysis of the advert shows that the link actually leads to bioklchain.info, but at a casual glance it appears to lead to the legitimate 'blockchain.info'. Interestingly, Bitcoin addresses are Base58Check encoded, so they exclude potentially confusing characters such as 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols '+' and '/'.
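A defender-side check for the lookalike described above, as an added example that is not part of the original Cyren post: it scores ad destination domains against a protected domain by edit distance, before and after folding visually confusable characters. The confusable mapping, the `max_distance` threshold and every sample domain other than the two named in the article are assumptions.

```python
# Added example: flag ad destination domains that imitate a protected domain.
# PROTECTED and 'bioklchain.info' come from the article; the other entries
# in SAMPLE_AD_DOMAINS are constructed for illustration.
PROTECTED = "blockchain.info"
SAMPLE_AD_DOMAINS = [
    "blockchain.info",       # the genuine site
    "bioklchain.info",       # lookalike reported in the article
    "blockchaln.info",       # constructed: 'l' in place of 'i'
    "b1ockchain.info",       # constructed: digit one in place of 'l'
    "example.org",           # constructed: unrelated domain
]

# Assumed confusable set: the 0/O and l/I pairs that Base58 avoids, plus
# the digit 1, folded onto one representative after lower-casing.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(domain: str) -> str:
    """Lower-case a domain and collapse visually confusable characters."""
    return domain.lower().translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(domains, protected=PROTECTED, max_distance=2):
    """Return (domain, raw_distance, folded_distance) for near-miss domains."""
    hits = []
    for domain in domains:
        domain = domain.lower().rstrip(".")
        if domain == protected:
            continue  # the genuine domain is not a lookalike of itself
        raw = edit_distance(domain, protected)
        folded = edit_distance(skeleton(domain), skeleton(protected))
        if folded <= max_distance:
            hits.append((domain, raw, folded))
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_AD_DOMAINS):
        print(hit)
```

Folding confusables first is what brings bioklchain.info within the threshold: its raw distance to blockchain.info is 3, but 2 once 'i' and 'l' are treated as the same glyph.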

Google is aware that this sort of abuse of AdWords is possible and claims to have blocked 7,000 phishing sites that tried to use AdWords in 2015: http://adwords.blogspot.co.il/2016/01/how-we-fought-bad-ads-in-2015.html

Fake Login Page

Unwary victims who clicked on the link were led to a phishing page with only one working link, the 'login now' button. None of the other buttons are actually clickable.

Clicking on 'Login now' leads to a credential entry page that is quite similar to the 'legacy login' of the real site. This is the page where the actual phishing happens.

A similar attack from 2014 also used AdWords and also targeted blockchain searchers - suggesting that the current attack was the work of the same group.


Cyren Ltd. published this content on 08 June 2016 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 08 June 2016 15:39:08 UTC.

Original document: http://blog.cyren.com/articles/2016-Q2_bitcoin-phishing-via-google-adwords.html

Public permalink: http://www.publicnow.com/view/8FFD67873407D447F0E602F018FBF9692A423640