Deceptive search engine ads used in Bitcoin wallet attacks

Fraudsters are exploiting loopholes in the presentation of ads by major search engines in order to lure victims to phishing sites. Searching for "blockchain", the name of a popular Bitcoin wallet provider, caused deceptive ads to be displayed at the top of search results pages from Google, Bing, Yahoo, and DuckDuckGo. In contrast to the traditional approach of sending emails indiscriminately, links to phishing sites in search engine ads may be much more convincing, especially when the domain they are impersonating is displayed as the destination.

With more than 1.7 million wallets, Blockchain.info is the most popular online Bitcoin wallet. Blockchain's My Wallet service allows users to send and receive payments in Bitcoins. When signing up, users are reminded that they must remember their passwords, as forgotten passwords cannot be recovered and will result in the loss of all Bitcoins stored in the wallet. These passwords are exactly what the fraudsters are after.

Phishing ads in Bing's search engine results. Screenshot taken on 19 June 2014 at 10:16 BST.

The above screenshot shows the results of searching for "blockchain" on Bing. The first link on the page is an ad, supposedly for the official Blockchain wallet service at Blockchain.info. However, clicking on this link actually takes victims to a phishing site under blockchaino.info (note the additional 'o' character).

Bing! There go your coins.

The phishing site at blockchaino.info immediately prompts a victim to enter his identifier and password, whereas the real Blockchain website only prompts for the user's identifier. Blockchain's security recommendations make it clear that the real Blockchain.info will never ask you for your password: "We NEVER need it and we NEVER want it". As soon as the fraudster has tricked the victim into giving up the required information, they "sweep the funds away".

This type of attack is likely to be extremely effective, as the ad displays the same domain name as the site it is targeting, and it is the first link to appear in the search engine results page. Some users may not realise that it is an ad, and instead believe that it is the top organic result. Showing the wrong display URL (green text) is forbidden by most ad networks' policies; however, the fraudsters have evidently managed to bypass these restrictions. Without strict enforcement, the ability to specify the displayed destination leaves such advertising open to fraud.

However, strict enforcement of destination URLs may alienate a search engine's customers — advertisers may use third-party services to manage their advertising and track clicks. These customers will rely on being able to display the final URL despite redirecting via a third-party service before reaching the target site. The use of redirects makes enforcement of any display policy difficult, as there is no guarantee that the target of the redirect will remain constant after the ad has been approved, or that the redirects presented to the search engine are the same as those presented to end users.

Another phishing site advertising at the top of Bing.

Other Bing ads directed victims to different Blockchain phishing sites, all of which used deceptive hostnames such as blockchain-info.itconflux.com, blockchain.info.pl and bllockchain.info.pl, but did not use the display domain of the site they were impersonating, blockchain.info.

It's not just Bing's search engine that has been affected by this phishing campaign. The search ads displayed at the top of Bing search results can appear anywhere on the Yahoo Bing Network. This means that the same fraudulent ads also appear when a victim searches for Blockchain on Yahoo.com. Similar phishing ads are also displayed on the DuckDuckGo search engine, which syndicates its sponsored links from the same network.

The same phishing ads appear on a Yahoo search for "blockchain".

And it is not just the Yahoo Bing ad network which is being exploited by phishers — search giant Google displayed the following phishing ad on its search results pages:

This Google phishing ad directed victims to blockchain-info.itconflux.com.

However, it's not necessarily game over if a victim's password has been stolen. If a Blockchain user has chosen to enable two-factor authentication via SMS, Yubikey or Google Authenticator, the fraudster will be unable to access the wallet at a later date unless he also has access to the victim's physical two factor authentication device (e.g. phone or Yubikey).

All of the sites involved in these attacks against Blockchain were blocked in Netcraft's phishing site feed, which allows third-party developers to integrate anti-phishing services into their products. Some of the domain names used in these attacks were very similar to the real blockchain.info domain. Netcraft's Fraud Detection service helps brand owners pre-emptively identify these types of fraudulent domain registrations, giving an opportunity to take action against the registrants, possibly before the attacks have even started.

Criminals launch mass phishing attacks against online dating sites

Criminals are running massive dedicated phishing campaigns against online dating sites, marking an interesting – but not unusual – shift in focus from the traditional phishing targets such as banks and other financial institutions. The most recent attack used a single compromised website to host hundreds of fraudulent PHP scripts, most of which were designed to steal usernames and passwords from users of the most popular dating sites.

The online dating sites targeted by the latest attack include match.com, Christian Mingle, POF (PlentyOfFish), eHarmony, Chemistry.com, SeniorPeopleMeet, Zoosk, Lavalife, amongst others. Only eight of the 862 fraudulent scripts on the server targeted banks.

It is likely that the criminals who steal accounts on these sites will go on to use them to commit online dating fraud — many dating sites only allow messages to be exchanged with other users after a subscription fee has been paid; by compromising existing paid accounts, the fraudsters can reduce their traceability by avoiding the need to make payments.

Part of one of the fraudulent scripts

Online dating fraud is often orchestrated by criminal gangs who use fake profiles to trick victims into developing long distance relationships. Once the fraudsters have gathered enough sympathy and trust from a victim, they will exploit this by claiming they need money to pay for travel costs, or to afford medical treatment for a family member. After the money has been stolen, the criminals will make up further reasons why they need more money. In some cases, the fraudsters blackmail their victim into sending money - if the victim has sent any explicit photos or videos to the criminals, they may threaten to send them to the victim's friends and family.

The amount of money involved in these scams can be considerable. In 2011, a woman in Britain was tricked into sending more than $59,000 to a pair of fraudsters who pretended to have inherited millions of dollars from a military friend in Nigeria. The fraudsters - who were actually a mother and daughter in America - managed to net more than a million dollars before being jailed in 2013.

While many online dating sites take measures to identify fake profiles, phishing for genuine established accounts gives fraudsters the edge. If a legitimate profile has been in active use for several months without cause for concern, then compromising this profile will allow the fraudster to benefit not just from the plausible appearance of the profile, but also take over several ongoing conversations. The real owner of the hijacked account will have already done the hard bit by establishing dialogues with other members on the site, possibly gaining enough trust to allow the fraudsters to strike immediately with success.

The latest attacks make use of a phishing kit which contains hundreds of PHP scripts, configured to send stolen credentials to more than 300 distinct email addresses. More than half of these addresses used the yahoo.com domain, while gmail.com was the next most common choice. Although most of the fraudster's scripts target online dating sites, some of them are also designed to steal credentials from users of these webmail platforms. Email accounts are often shut down after the provider notices they have been used for fraudulent purposes, so ensuring a fresh supply of compromised accounts gives fraudsters the opportunity to send even more phishing emails before the accounts get closed.

The phishing kit contains over 300 PHP scripts, most of which target online dating sites.

An attacker would typically deploy the phishing kit by uploading a zip file to a compromised web server and unzipping the tree of contents into a writable directory. Similar kits uploaded over the past few months have used various file names, such as moving.zip, send.zip, orokionline.zip, amioroki.zip and samoroki.zip. Each script within these kits is very similar in terms of functionality — they simply collate a set of POST parameters into the body of an email message, and then send it to two or more email addresses. The subject of the email is modified to describe what type of credentials are in the email (e.g. "MATCH ID & PASSWORD"), and after the emails have been sent, the victim is redirected to an appropriate URL on the target website, such as http://www.match.com/login/login.aspx?lid=2.

Each compromised server which hosts these scripts acts merely as a "dropsite" in the fraudsters' phishing campaigns. Rather than displaying any phishing content, the server simply accepts values that have been submitted from elsewhere, such as a form hosted on another website or within a phishing email. The victim is then immediately redirected to the legitimate website, most likely without realising that his credentials have just been transmitted to a different website.

Some of the scripts are also designed to steal credentials from Photobucket users, possibly so the fraudsters can host photos and other images to further their scams. It is not unusual for fraudsters to encourage their victims to migrate to instant messaging software or even text messages instead of continuing to chat on a dating site, which could be monitored to prevent such fraud.

National Crime Agency “urgent alert” site knocked offline

With only two weeks until the recently seized Gameover Zeus botnet is likely to be functioning again, the UK's National Crime Agency has published urgent advice on how to protect computers against the Gameover Zeus and CryptoLocker trojans.

Unfortunately, the page hosting this urgent advice is proving rather troublesome to view:

GetSafeOnline, Offline

When it can be viewed, the NCA's advice page at www.getsafeonline.org/nca/ outlines the threat and lists a set of tools which can be used to check for the presence of malware. The page also notes that the NCA "cannot over-stress the importance of taking these steps immediately" and "You must follow the advice on this page straight away".

With expectations of high traffic and the need for users to act immediately, it is surprising that this important information was not hosted on a platform which was capable of handling the load. Last night's tweet by @GetSafeOnline suggests that the performance issues are being caused by lots of traffic; there are no indications of an attack against the site.

Reverse DNS lookups for the www.getsafeonline.org hostname resolve to 170-203-253-62.static.virginm.net,
and the final hop in a traceroute is spc1-barn6-0-0-cust460.asfd.broadband.ntl.com

The FBI believes the Gameover Zeus trojan is responsible for more than one million computer infections, resulting in financial losses in the hundreds of millions of dollars. A Russian man believed to be involved in these attacks has been added to the FBI's Cyber's Most Wanted list.

The NCA announced the urgent alert on Facebook yesterday, prompting a stream of comments about the site not working

Since referring to the NCA's advice page in an article yesterday, the BBC's Dave Lee has mirrored the content on evernote so others can see it.

Ask.fm users being redirected to malware sites

Malicious adverts displayed on the Ask.fm website have been automatically redirecting users to malware sites, where they are prompted to install unwanted or malicious software under the pretense of Java and Flash Player updates.

This particular advert is benign and serves only as an example of the banner's placement

Ask.fm is a popular social network which allows its users to receive and answer anonymous questions, but both registered users and anonymous question askers are being put at risk by some of the adverts it displays: Merely viewing a user's profile on Ask.fm caused some users to be redirected to the following page, which claimed that an outdated Java plugin had been detected (even when Java had been disabled).

Rather than downloading a Java update, victims will instead end up installing a program which several anti-virus vendors identify as DomaIQ. This is an advertising platform used by adware and other malicious programs to display unwanted pop-up ads within Internet Explorer, Firefox and Google Chrome.

The rogue advert responsible for performing the redirection was initially served through ADTECH GmbH, which is a wholly-owned subsidiary of AOL. However, the trail does not end there – the framed content served by ADTECH subsequently requested several pages from AppNexus servers at ib.adnxs.com and ams1.ib.adnxs.com, before one of these pages initiated a request to a Java servlet on exchange.admailtiser.com. Finally, this servlet page caused the parent frame to be redirected from Ask.fm to the page on www.updriong.com, essentially taking the browser to a different website without requiring any user interaction.

After returning to the Ask.fm website, another rogue advert immediately redirected the browser to a fake Adobe Flash update site. Again, no user interaction was required – the chain of requests initiated by the third party advert automatically redirected the user's browser to the fake site hosted in Sweden.

In this case, the rogue advert on http://ask.fm/account/wall was again initially served by ADTECH, but the framed content made its next request to a Yahoo ad server (ads.yahoo.com), which in turn made a request to ad.copa-media.com, which itself made a request for content hosted on an AppNexus server at ams1.ib.adnxs.com.

Finally, a request to another AppNexus server at ib.adnxs.com resulted in the user's browser being redirected to the fake Adobe Flash update site at download.adoocobo.us. The setup.exe file is served from a domain which is known for propagating malware.

Mobile browsers have also been targeted by similar attacks on Ask.fm. The example below shows an Ask.fm webpage displaying an intrusive and unsolicited alert dialog which originates from a Yahoo ad server. If the user clicks OK, he will be taken to a site which falsely claims that his phone has severe battery issues.

Within a few minutes, another advert on Ask.fm attempted to download an Android app directly from a website in France as soon as the user clicked OK. The makers of the genuine Mobogenie Market app recommend that it should only be downloaded from reliable sources such as Google Play, mobogenie.com and other partner networks (although it does not specify who these are).

Incidentally, despite encouraging its users not to reveal their passwords to anyone, the login form on http://ask.fm transmits a user's password over an unencrypted HTTP connection:

Most high profile websites only ever transmit passwords over encrypted HTTPS connections, and many sites also ensure that the entire duration of a browser session remains encrypted, i.e. not just the login process. Sending plain text passwords over an unencrypted connection makes them vulnerable to eavesdropping, giving a correctly-positioned attacker the opportunity to gain unauthorised access to Ask.fm user accounts.

PayPal redirect exploited in Apple ID phishing attack

Fraudsters have exploited a redirection vulnerability in a PayPal website in an attempt to steal Apple IDs. Phishing emails sent by the fraudster were disguised as receipts from the iTunes Store for expensive items, enticing victims to try to cancel the fake orders.

The emails stated, "If you did not order the above products and suspect your account has been hijacked kindly visit the link below". The link was displayed with a legitimate-looking location (www.order.itunes.com/verify/cancel) but actually took victims to a URL on the PayPal communications website. The phishing email also noted, "You will be asked some specific questions about you and your financial data to prove you actually owned the account."

The page on PayPal's website at https://www.paypal-communication.com/r/4V2JION/PPPU5A/GDY6I8I/20PEVD/7ZS7MP/7M/h?a=http://192.185.##.###/~broo23yo/ immediately redirected victims to the Apple phishing site specified in its GET parameter, http://192.185.##.###/~broo23yo/. Parts of these addresses have been obfuscated, although the target of the redirect has since been suspended by its hosting company, HostGator, and the PayPal URL used in the phishing emails no longer redirects to the URL specified in the a parameter.

Fraudsters use redirection scripts on well-known and well-trusted websites in order to increase the success of their phishing campaigns. Some email clients block access to links that use IP addresses directly and, as such, would scupper the fraudster's efforts. Using a fully-qualified domain name eliminates this particular problem, and some operators of third-party blocking software might also assume that all PayPal domains can be trusted without exception, which may not always be true. Cautious users who hover over links before clicking on them will see that the disguised links in the phishing email actually go to a trusted PayPal website, which would not seem untoward.

PayPal's site at www.paypal-communication.com uses an extended validation (EV) SSL certificate, which demonstrates that an enhanced set of guidelines has been followed in order to verify the identity of the website's owner. Some browsers emphasise this additional level of verification by adding green cues to the address bar, so a visitor can be sure with reasonable certainty that this site does indeed belong to PayPal, Inc. In this case, however, the redirect was near-instantaneous, so potential victims would not have seen the additional EV browser cues.

Notably, the secondary purpose of extended validation certificates is to address problems relating to phishing, but this is not effective when a phishing attack exploits flaws on a legitimate website using an EV certificate. A somewhat-similar scenario has previously affected PayPal: a third-party website which used an EV certificate was compromised and used to host a PayPal phishing site in 2011.

Incidentally, encrypted traffic destined for www.paypal-communication.com could also be vulnerable to eavesdropping. This Apache-powered website offered the TLS heartbeat extension prior to the disclosure of the Heartbleed bug, so the private key for its SSL certificate could have been compromised. PayPal promptly reacted to this by switching to a new SSL certificate (issued on 14 April 2014), but crucially, the potentially-compromised certificate has not been revoked. PayPal's main site, www.paypal.com, is affected by the same problem: its pre-Heartbleed certificate has also not been revoked.

Failing to revoke the previous certificate means that if it has been compromised, correctly-positioned attackers could use it to impersonate the secure PayPal communication website until the certificate expires in April 2015. As the site used an EV certificate, revocation is all the more important and is often more effective than the checks made for standard certificates. Most major browsers will make OCSP requests for EV certificates and will not display the EV browser cues if the certificate has been revoked or if there is no positive verification of its current status, e.g. if the OCSP request was blocked by a man-in-the-middle attacker. Revoked EV certificates are also more likely to appear in Chrome's CRLSets, which are arguably the most effective form of revocation checking currently available.

POP! goes the phisher

Fraudsters are impersonating online banking websites in order to gain unauthorised access to customers' emails. Most online banking phishing sites simply try to steal whatever credentials are required to gain access to a victim's bank account, but by also gaining access to the victim's email account, the fraudster can prevent the victim from receiving any email alerts regarding account activity.

With access to the victim's emails, the fraudster could also potentially net a much larger haul. These emails will indicate to the fraudster which other banks, shops, social networks and other online services the victim uses. The fraudster can then attempt to compromise the victim's accounts on these services by initiating password resets, which will be sent to the email address he now has access to. In some cases, the fraudster will also be able to change the password of the victim's own email account, thus locking him out and making him unaware that further compromises are taking place.

The following phishing site targeted customers of Chase Bank earlier this month. Like many other phishing sites, it did a good job of looking like the real Chase Bank, although the address bar revealed that it was actually served from a hacked gift store.

Clicking on the Log In to Accounts button takes the victim to the following page, where he is told that a POP email service is required in order to continue. This is purportedly part of a verification measure, and the victim is prompted to enter his email address and email password so the site can log in to the victim's email account automatically.

POP (Post Office Protocol) is one of the most widely supported mail retrieval protocols, which lets an email client download email from a mail server. Many webmail providers (including Gmail, Outlook.com and Yahoo Mail) also allow mail to be retrieved via this protocol.

As soon as the victim clicks the Login button, he is taken to the real Chase Bank homepage which, unsurprisingly, looks rather similar to the original phishing site, albeit with the correct URL in the address bar.

At this point, the victim may simply assume he has to log in again after completing the previous verification step. If he does, he will be taken to his online banking account as expected. Meanwhile, the fraudster could well be helping himself to the victim's emails, starting the process of compromising each of the victim's other accounts one by one.

Chase Bank customers who have enrolled to receive Account Alerts can be notified of account activity via email. By deleting these emails, the fraudster might be able to prevent the victim from becoming aware of any fraudulent transactions until it is too late.

The phishing site used in this particular attack was one of the 8.5 million sites blocked by Netcraft's phishing site feed and has since been taken offline.