Bitcoin’s price broke the $775 barrier on Friday, trading briefly at a $778.70 high not seen since early February, 2014, thanks in part to a rule written into its original code that’s sparked increased trading before it goes into effect next month.In the last month, the price of the digital currency has risen over 58 percent.Factors behind this jump include: Traders, economists and bankers are not alone in taking note of the recent Bitcoin frenzy, however; criminals staging phishing campaigns — malicious actors who’ve traditionally not made a habit of cherry-picking amongst your exploitable assets — have discovered that Bitcoin can provide an easier way to steal.Thus we were not to surprised when, on June 9, 2016, OpenDNS detected with our model NLPRank a new phishing attack on the domain blockchain-wallet[.]top targeting the cloud-based Bitcoin wallet company blockchain[.]info.First signs of this new campaign were noticed by security researchers from Cyren at the beginning June, when a phishing campaign utilizing the domain blocklchain[.]info as its web address began to spread using Google AdWords.

Then, on June 13, 2016, OpenDNS Labs detected blolkchain[.]com which was another phish on the same IP 89.248.171.88.When investigating the hosting IP more in depth, the additional domains below were discovered to be hosted on 89.248.171.88: blockchain spoofs, Pharma Spam and phishing domains are all over on this IP./), iCloud phishing (idmas-appleid[.]eu), more Bitcoin phishing sites, offshore banks (http://www.anonymousoffshorebank[.]com/), porn sites and even child modeling sites (which are illegal and should be taken down).Given this shady content, we blocked the entire IP Range for our customers and as a reference, we provide the list of domains on the 89.248.171.0/24 range.Were it not for the support of the same bulletproof or anonymous hosts in offshore jurisdictions who’ve historically provided infrastructure for bad actors, this current spate of Bitcoin wallet phishing would be without a launchpad.Case in point: 89.248.171.88 is hosted on AS29073, QUASINETWORKS, which actually used to be ECATEL [1][2][3].

ECATEL is a known Dutch hosting provider founded in 2005, registered in the UK, and headquartered in The Hague.It offers offshore hosting options and, over the last decade, has consistently hosted criminal and toxic content [4][5], and generated spam and DDoS traffic from its IP space [6].ECATEL is known to law enforcement, has been shut down by its peers at least once (in 2008) [7], and was subject in 2012 to DDoS attacks by Anonymous for hosting child porn [8].In December of 2015, ECATEL changed their network name [9], and since then, AS29073 is officially called QUASINETWORKS [10][11].More interestingly, ECATEL/QUASINETWORKS changed its registration from the Netherlands to the Seychelles, which is an offshore jurisdiction.This is a common evasive practice used by bulletproof hosting providers that we’ve observed for several years and covered at Infosecurity Europe, Hack.lu, Brucon, and RSA.Original registration details of ECATEL.Notice the The Hague, Netherlands address.Updated details of QUASINETWORKS.

Notice the Seychelles address.We further checked out the name servers of blolkchain[.]com, which are ns1.offshore-dns.net and ns2.offshore-dns.net: ns1.offshore-dns.net resolves to 80.82.70.10 and ns2.offshore-dns.net resolves to 93.174.91.42.bitcoin price usd averageBoth 80.82.70.10 and 93.174.91.42 belong to the same AS29073, ECATEL/QUASINETWORKS.bitcoin crashing todayBy simply checking hosted domains on these two IPs and related domains via Whois registration, we uncover 3 anonymous offshore hosting companies using ECATEL/QUASINETWORKS IP space.askreddit bitcoinIn fact, the 3 websites have very similar looks and themes, and offer identical server packages, which makes us believe they are all the same hosting company.bitcoin precio oro

Anonymous offshore hosting is not malicious per se; it can be useful for customers who are scrupulous about their privacy, anonymity and censorship-evasion.Unfortunately, these hosting infrastructures are abused to harbor criminal and toxic content.moj bitcoinWith the rise of Bitcoin technology, more and more attackers will be attempting to spoof these online wallets in order to steal credentials.bitcoin price index apiOpenDNS is at the forefront of detecting these types of new anomalies.bitcoin mining gpu amdBy pivoting on the identified malicious domains and leveraging OpenDNS data, we were able to identify at least 6 emails used to register domains for blockchain spoof campaigns.ethereum vs monero

Below is a selection of the emails in question, which have been and, as of this writing, are still being used to register more than 100 Bitcoin and blockchain phishing domains.Investigating IP space, name servers and Whois indicators sheds light on how frequently criminal actors recycle their infrastructures and resources, and makes evident just how heavily they rely on bulletproof offshore hosting providers to deliver their malware and phishing campaigns.dogecoin value all timeAs we can see, not only are Bitcoin wallets being targeted, but other services that accept Bitcoins become targets as well.Domain blokchain-wallet[.]info is impersonating the page of Nowell Associates Limited, a company specializing in tax returns and cloud accountancy that’s among the first accounting firms in England to accept Bitcoin and Litecoin as payment for accountancy, taxation, IT and data security services.Here we can see attacker’s spoofing another bitcoin management company localbitcoin[.]com on that same IP address: Bitcoin addresses are Base58Check-encoded, so they exclude potentially confusing characters such as 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols ‘+’ and ‘/,’”, which forces cybercriminals to come up with new schemas for typosquatting and phishing domains.

From these examples, it’s clear the attackers have a solid understanding of protection mechanisms used by Bitcoin addresses and are trying to defeat them.Additionally, our model NLPRank detected a large amount of new phishing activity with high accuracy (FQDN, Probability Score, Timestamp) this past weekend hosted on 91.218.247.37: One can see that there are also many other Bitcoin spoofing and sites on this IP, proof that attacking these online wallet’s for credentials is picking up steam, especially with the price of bitcoin going up recently.Furthermore, the range 91.218.247.0/24 is hosting more suspicious and toxic content such as fake merchandise and phishing, so we proactively blocked it.Our findings show that this is a new campaign, since most of these domains were registered on May 26, 2016, with new domains surfacing in our logs almost every day.As cryptocurrency technologies gain momentum, so too will a new set of security problems, so it’s imperative these online wallet companies deploy proper security methods to protect against this new wave of targeted phishing and typosquatting attacks.