Hackers Stole $50 Million in Cryptocurrency Using 'Poison' Google Ads

[alyssa85]

http://fortune.com/2018/02/14/bitcoin-cryptocurrency-blockchain-wallet-hack/

For years, hackers have robbed Bitcoin investors, emptying their cryptocurrency wallets without fear of being caught thanks to the relative anonymity of the blockchain. Now, Cisco (csco, +5.04%) has exposed the thieves behind a string of particularly flagrant attacks.

A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco’s Talos cybersecurity team.

The report explains how thieves preyed upon their victims using a “very simple” yet treacherous technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets.

For example, the poison ads included “spoofed” links with small types like “blokchien.info/wallet” and “block-clain.info,” which sent visitors to a landing page that mirrored actual websites of the company Blockchain, which runs both the domains Blockchain.info and blockchain.com. (The legitimate sites appeared lower in results than the “poisoned” links, according to Cisco’s report.)

Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their digital money. “The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team led by Jeremiah O’Connor and Dave Maynor said in their report.

Blockchain, for its part, is working with Google “on a daily basis” to take down phishing ads, and secured the removal of almost 10,000 such malicious websites last year, along with another 3,000 it flagged in January alone, according to Blockchain CEO and co-founder Peter Smith.

The solution to this is not using Google to navigate. If you already have an account at blockchain.info or an exchange, BOOKMARK the url and go straight to that instead of googling the exchange name.

[1714186948]

1714186948

[1714186948]

1714186948

[First77]

Google made profits from those "poison ads" ??

[bit-freedom]

Thank you for sharing. Such phishing websites affect not only Blockchain.info but also the other popular exchanges and ICO project websites. We have to be careful about the websites accessed and use bookmarks.

[kaizerblitz]

That"s nasty hackers stole $50 million of cryptocurrency i was feel so sad for those victim i hope they think before click because internet is dangerous.

[@bi5ML]

Phishing attack to Blockchain, does it not enable Google Authentication? Blockchain wallet is very safe, the risk of hackers is very small. In this case the user must recognize where the attack started, whether from phishing email or anything else.

[alyssa85]

Google made profits from those "poison ads" ??

Yes. Google makes a small profit every time someone clicks an ad.

The hackers paid google by the click, and they probably thought it was very cheap for the gains they were making through hijacking people's wallets.

Like I said: bookmark the urls of the exchanges you use. Don't google them.

[Lucius]

This is very popular way to deceive users and steal their user names&paswords,and it turned out to be a very inexpensive and effective way.In last months many people reported here on forum and on Reddit that after they download Electrum wallet( as upgrade ), or as a first time wallet - that their BTC is send in transaction in a matter of a few minutes.So many check what is going on,and we see that if you search for "Electrum" in google search, first results is paying add from Google which is always phising site with fake wallet.

I report more then 15 such sites related to Electrum,but new one pops every day - and newbies are perfect targets for such trap.

If you see something like that report here : Report Phishing Page

[hatshepsut93]

The solution to this is not using Google to navigate. If you already have an account at blockchain.info or an exchange, BOOKMARK the url and go straight to that instead of googling the exchange name.

Google has a lot of flaws, but all other search engines are much worse in quality, so abandoning Google is not an option for most people. You are right about bookmarking, but there's also additional practices like: using adblockers, ignoring ads manually (basically, just never clicking on them if they appear), verifying SSL. The biggest risk of getting scammed by malicious search results is when  you use a service for the first time, so before depositing your coins or installing some software, users should always verify that this is official sites by searching for mentions across the web and verifying signatures when possible.

[coinsocieties]

http://fortune.com/2018/02/14/bitcoin-cryptocurrency-blockchain-wallet-hack/

For years, hackers have robbed Bitcoin investors, emptying their cryptocurrency wallets without fear of being caught thanks to the relative anonymity of the blockchain. Now, Cisco (csco, +5.04%) has exposed the thieves behind a string of particularly flagrant attacks.

A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco’s Talos cybersecurity team.

The report explains how thieves preyed upon their victims using a “very simple” yet treacherous technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets.

For example, the poison ads included “spoofed” links with small types like “blokchien.info/wallet” and “block-clain.info,” which sent visitors to a landing page that mirrored actual websites of the company Blockchain, which runs both the domains Blockchain.info and blockchain.com. (The legitimate sites appeared lower in results than the “poisoned” links, according to Cisco’s report.)

Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their digital money. “The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team led by Jeremiah O’Connor and Dave Maynor said in their report.

Blockchain, for its part, is working with Google “on a daily basis” to take down phishing ads, and secured the removal of almost 10,000 such malicious websites last year, along with another 3,000 it flagged in January alone, according to Blockchain CEO and co-founder Peter Smith.

The solution to this is not using Google to navigate. If you already have an account at blockchain.info or an exchange, BOOKMARK the url and go straight to that instead of googling the exchange name.

this is the good reason why we need to be carefull everytime we are opening our wallet in website for me as i always use myetherwallet as a wallet in some ERC20 tokens i bookmark the url and double check the main url if it is correct before i input my private key so that i can sure that this is not a fcking phishing sites. the same thing as i use in blockchain.info and my other wallets. what a sad for a people who lost there money for just a second while you are taking years to banking it.

[Payapa]

We see ads everywhere in the net nowadays. It's not surprising that hackers could utilize it since it's like a thing we see every time, yet not being vigilant enough to notice them, and their actions. I guess the lesson here is to double-check the domains of where you're going in the net, especially if it's anything that's in connection to crypto. Hardware/ paper wallets are recommended since there's no way for hackers to get into it other than getting their hands on the actual wallet in person. Bookmarking is one good way too to prevent from  searching, and storing your private key someone that's not the machine you're using for browsing.

[LoyceV]

Google made profits from those "poison ads" ??

Yes. Google makes a small profit every time someone clicks an ad.

It would be interesting to see what happens if someone sues Google over this. For example, if you search for "ChipMixer" (the one in my signature is the real one), Google advertises a phishing website. I have reported the phishing site to Google on December 15, 2017, and I know other people have reported it too. Google simply ignores it, allows scammers to advertise, and earns from this. Doesn't that make Google responsible for all people who get scammed since the fake site was first reported?

If you see something like that report here : Report Phishing Page

They don't seem to care about people getting scammed, as long as they earn from it.

[ostrovagaly]

Ddos attack, phishing attacks inflict damage on the not quite securely protected system, in such cases, if a large account is in the purse, you should check it every half day, so that it's not scary for your income

[Kprawn]

http://fortune.com/2018/02/14/bitcoin-cryptocurrency-blockchain-wallet-hack/

For years, hackers have robbed Bitcoin investors, emptying their cryptocurrency wallets without fear of being caught thanks to the relative anonymity of the blockchain. Now, Cisco (csco, +5.04%) has exposed the thieves behind a string of particularly flagrant attacks.

A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco’s Talos cybersecurity team.

The report explains how thieves preyed upon their victims using a “very simple” yet treacherous technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets.

For example, the poison ads included “spoofed” links with small types like “blokchien.info/wallet” and “block-clain.info,” which sent visitors to a landing page that mirrored actual websites of the company Blockchain, which runs both the domains Blockchain.info and blockchain.com. (The legitimate sites appeared lower in results than the “poisoned” links, according to Cisco’s report.)

Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their digital money. “The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team led by Jeremiah O’Connor and Dave Maynor said in their report.

Blockchain, for its part, is working with Google “on a daily basis” to take down phishing ads, and secured the removal of almost 10,000 such malicious websites last year, along with another 3,000 it flagged in January alone, according to Blockchain CEO and co-founder Peter Smith.

The solution to this is not using Google to navigate. If you already have an account at blockchain.info or an exchange, BOOKMARK the url and go straight to that instead of googling the exchange name.

NOPE!!!! Do not Bookmark these sites, because even Bookmarks can be changed. This will only create a false sense of security,

if people trust their own Bookmarks. Just type the damn URL and stop being lazy, because it is going to cost you money. Also,

DO NOT trust auto complete. These viruses or Malware can change the auto complete data too and then re-direct you to the

Phishing site. Use your eyes and double check the URL you typed. Blockchain.info takes 3 to 4 seconds to type for average

users... that is definitely not that much trouble. 

[First77]

Google should really have a manual verification process for untrusted ad partners, ensuring that they are not mimicking similar services, or sites that cater for sensitive information. To some degree, I think Google is responsible for the losses incurred by these users. To be honest though, you need to be pretty stupid to be fooled by the old domain switcheroo attack. e.g. www.blockchain.info.xyz could be used instead of the actual domain. Most browsers even highly the domain extension and flag up potentially malicious sites. So these people must be either 1. Woefully ignorant, 2. Not adequately secured, or 3. Both.

Google has multi-billion dollars software which shows "google ads" all over the internet. They track users activities on the internet and "google ads" become headaches. Google has been responsible for killing "internet marketing".

Why click/see google ads ?

[First77]

Yes. Google makes a small profit every time someone clicks an ad.The hackers paid google by the click, and they probably thought it was very cheap for the gains they were making through hijacking people's wallets.

Why do people click/see google ads.

Other ways such as "forum signatures" are safer than google ads.

Like I said: bookmark the urls of the exchanges you use. Don't google them.

Use and throw google.com  

[First77]

It would be interesting to see what happens if someone sues Google over this. For example, if you search for "ChipMixer" (the one in my signature is the real one), Google advertises a phishing website. I have reported the phishing site to Google on December 15, 2017, and I know other people have reported it too. Google simply ignores it, allows scammers to advertise, and earns from this. Doesn't that make Google responsible for all people who get scammed since the fake site was first reported? They don't seem to care about people getting scammed, as long as they earn from it.

the main problem is Google's multi-billion dollar software which rules the internet keeps showing/bombards "google ads" all over the internet.

[brengoskandel]

one thing I hate most in the internet world is hackers, they abuse their intelligence to harm many parties
they hack the system, steal valuable assets, as well as valuable information that is neatly stored with the intention of pleasure or to gain profit for themselves, and now I feel very anxious when doing transactions, they can come anytime
pick up and leave without leaving a trail and without feeling guilty

[DdmrDdmr]

Google Adds should include a reputation score of some sort. This way the well known companies with legit adds could be identified by us users easily, while scrutinizing the rest.
Also Google should work on shutting down adds that link to scams (i.e. no reputation + x amount of negatives -> shutdown), similarly to how antiviruses do.

[newinbtc]

how google improve the website without any verification , IF we place an ad with same keyword with high bid that person always win. In this google made money But at least we people must watch the address we are opening that is right or wrong. Most of cases i seen that people search a word and they open first website which google shows and it was an add. Google get paid and That website tell all traffic.

always bookmark the urls u often visit otherwise we will lose our secure funds and always install proper internet security antivirus

[Daveeoff]

Google need to tighten their security regarding advertising. They cannot let websites like this use Google Adsense...