
  Note: The hackers mentioned in this article are black hat hackers (unlike white hat hackers, black hat hackers often use their technical skills to steal others’ resources or crack paid software on the Internet for profit, disrupting market order or leaking others’ privacy).

  Recently, because I had written articles about Bitcoin, a wealthy classmate from the education and training industry came to ask me about investing in cryptocurrency: Is it reliable? What are the returns? How do I get started? I answered the questions briefly and honestly recommended several trading platforms. Indeed, the high returns of cryptocurrency have attracted people from all walks of life with spare money, eager to share in the profits of this ‘snowball’ game. The risks for those who do not understand the rules of the game, however, are obviously much higher.

  I. Cryptocurrency theft: the current situation

  

  Hackers continuously use social engineering to lure target victims to malicious websites such as ‘blockchaina.info’

  Cybercriminals are still fervently pursuing cryptocurrencies, but they obtain them not by buying mining equipment themselves but through network attacks: demanding that victims pay ransom in cryptocurrency, or secretly planting mining software on servers to generate cryptocurrency.

  The hackers’ insatiable appetite for cryptocurrencies such as Bitcoin and the rising value of those currencies move in step; this is no coincidence but an essential correlation. Last July, one Bitcoin was worth about 2500 US dollars, but by December it had soared to 13800 US dollars. Although the price of Bitcoin has fallen since then, it still hovers around 11000 US dollars.

  Security company Trend Micro said: ‘High-yield cryptocurrency investment prompts greedy hackers to go to any length to target cryptocurrencies. Some directly attack cryptocurrency wallets through social engineering, while others use traditional ransomware methods to extort cryptocurrencies. Some even carry out mining operations through mobile malware, although the amount of currency obtained this way will not be very considerable.’

  

  Illustration:

  Methods hackers use to obtain cryptocurrency illegally

  Apps carrying mining malware

  Mining botnets spread via social media platforms

  Direct attacks on cryptocurrency wallets

  Compromised ‘technical support’ websites

  Websites running mining scripts

  Attack toolkits carrying mining malware

  Advertising networks spreading ads for mining tools

  Cybercriminals all want to seize the most wealth at the lowest cost, and so the cryptocurrency market keeps falling victim to them. ‘In 2017, at least four senior criminal groups shifted their focus from attacks on financial institutions to cryptocurrencies,’ said Avivah Litan, vice president and distinguished analyst at Gartner.

  However, many hackers have not invented new attack methods. ‘Most criminal gangs in 2018 will still use the old technologies they have been using with ease for the past ten years, but they have adapted the specific details to cryptocurrency exchange websites and servers and to the customer authentication processes those use,’ Litan said. Below, we introduce several of the most common methods of currency theft.

  

  Illustration:

  Preparation of hacker gangs attacking cryptocurrency trading activities – January 2018

  Vertical axis: preparedness (from bottom to top) – Planning stage, Deployment stage, Implementation stage

  Horizontal axis: gang level (from left to right) – Low, Medium, High

  Gangs shown:

  A1: Ransomware gang (the Cerber organization)

  A2: Hackers behind the Emotet banking trojan

  A3: Creators of the Hancitor malware

  A4: Creators of the Ursnif banking trojan

  A5: Iran-based hacking organization APT33 (spear phishing)

  Since 2015, A3 has conducted at least two campaigns against cryptocurrency trading

  In January 2018, the most prominent cryptocurrency theft incident occurred in Japan: attackers stole $530 million from Coincheck, a Japanese cryptocurrency exchange.

  II. Old attack methods, new attack targets

  1. Web injection attacks

  Malware producers have also joined the war for currency.

  In August last year, the developers behind the Trickbot trojan updated their malware and launched web injection attacks against users of several cryptocurrency exchanges, including Coinbase. Web injection, or ‘man in the browser’, attacks are triggered when the user visits designated websites (such as cryptocurrency trading platforms). The malware can intercept the user’s keystrokes and alter the browser interface to hide its activity.

  

  Attack rules in the Trickbot configuration file

  Trickbot leads users to believe that the bitcoin they purchase will be deposited in their own wallet, when in fact it is redirected to the attacker’s wallet.

  ‘In a typical purchase, the buyer provides the public address of their own bitcoin wallet and the amount to be purchased. After the initial form is submitted, the page is redirected from the trading platform to another domain belonging to the payment platform, operated by the payment service provider. On this page, the user fills in personal information, credit card number and billing details, and confirms the purchase,’ IBM X-Force researchers wrote in a report in February this year.

  ‘This redirect gap is the niche that Trickbot exploits: it targets bitcoin trading websites and payment websites, hijacks the currency in transit and sends it to a wallet controlled by the attacker.’

  

  The difference between the original HTML page and the Trickbot return page
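One defensive counterpart to the redirect gap described above, as an added example that is not Trickbot’s, IBM’s or any exchange’s code: the trading platform signs the order fields it hands to the payment domain with a key shared with the payment provider, so a wallet address rewritten in the browser during the redirect fails verification on arrival. The key, order values and wallet strings are constructed, and the check covers only the cross-domain handoff, not an address altered before the buyer first submits it.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

SHARED_KEY = b"constructed-demo-key-rotate-me"  # provisioned out of band in practice
FIELDS = ("order", "wallet", "amount")

def _canonical(values: dict) -> bytes:
    """Deterministic byte encoding of the signed fields."""
    return json.dumps({f: values[f] for f in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode()

def sign_handoff(order: str, wallet: str, amount: str, key: bytes = SHARED_KEY) -> str:
    """Trading platform side: build the redirect query string with an HMAC tag."""
    values = {"order": order, "wallet": wallet, "amount": amount}
    tag = hmac.new(key, _canonical(values), hashlib.sha256).hexdigest()
    return urlencode({**values, "sig": tag})

def verify_handoff(query: str, key: bytes = SHARED_KEY):
    """Payment provider side: recompute the tag over what actually arrived.
    Returns the verified fields, or None if anything was altered or missing."""
    try:
        q = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
        values = {f: q[f] for f in FIELDS}
        tag = q["sig"]
    except (KeyError, ValueError):
        return None
    expected = hmac.new(key, _canonical(values), hashlib.sha256).hexdigest()
    return values if hmac.compare_digest(expected, tag) else None

def swap_wallet(query: str, attacker_wallet: str) -> str:
    """Model of the browser-side rewrite: only the wallet parameter is replaced."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    q["wallet"] = attacker_wallet
    return urlencode(q)

BUYER_WALLET = "1BuyerWalletConstructedExample000000"        # constructed value
ATTACKER_WALLET = "1AttackerWalletConstructedExample0000"    # constructed value

if __name__ == "__main__":
    redirect = sign_handoff("ord-1001", BUYER_WALLET, "0.0250")
    print(verify_handoff(redirect))                                # verified fields
    print(verify_handoff(swap_wallet(redirect, ATTACKER_WALLET)))  # None
```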

  2. Phishing Attacks

  Hackers who are good at social engineering have also focused their attention on cryptocurrencies.

  The Cisco Talos security team discovered a malicious advertising campaign called ‘Coinhoarder’; so far Coinhoarder has earned $50 million, including $10 million in the last quarter of 2017 alone.

  Coinhoarder started last February, and Cisco researchers said that the attackers purchased online ads through Google AdWords to ‘poison’ user search results and redirect them to spoofed websites controlled by the attackers.

  ‘We found an attack pattern in which the attacker creates a “gateway” phishing link that appears in the search results of Google ads,’ the Cisco Talos researchers said. ‘When searching for keywords such as “bitcoin” or “bitcoin wallet”, the phishing link appears at the top of the search results. After the victim clicks the link, they are redirected to a login page, and the phishing content is displayed in the victim’s native language based on their IP address.’

  

  Many phishing websites use plausible-looking but fake domain names (known as ‘domain spoofing’), for example putting ‘blockclain’ in place of ‘blockchain’ in the URL. Researchers say such misspellings may be particularly effective against users whose first language is not English or who browse on mobile devices.
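A detection-side illustration of the domain spoofing described above, added here and not part of the original article or Cisco’s research: it folds look-alike characters and scores the registrable label of each queried name against an assumed allowlist of brand domains by edit distance, flagging near-misses such as ‘blockclain’ or ‘blockchaina’. The allowlist, the log format and the log lines are constructed.

```python
import re
# Assumed allowlist of legitimate sites; brand labels are derived from it.
LEGIT = {"blockchain.info", "blockchain.com", "coinbase.com", "bitcoin.org"}
BRANDS = {d.split(".")[-2] for d in LEGIT}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed log format: "<timestamp> <client> query <name> <record type>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+) \S+$")

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))          # two-row edit distance
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]   # crude: ignores co.uk-style suffixes

def normalize(label: str) -> str:
    """Fold look-alike characters (0->o, 1->l, rn->m, vv->w) before comparing."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def classify(domain: str, max_dist: int = 1):
    """Return (verdict, closest brand, edit distance); verdict is legit/clean/suspicious."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT:
        return ("legit", None, 0)
    label = normalize(registrable_label(domain))
    dist, brand = min((levenshtein(label, b), b) for b in BRANDS)
    # Flag near-misses, a brand on a foreign suffix (dist 0), and a brand inside a longer label.
    if dist <= max_dist or brand in label:
        return ("suspicious", brand, dist)
    return ("clean", None, dist)

def scan_log(lines):
    """Yield (client, queried name, brand, distance) for suspicious lookups."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (hit := classify(m["name"]))[0] == "suspicious":
            yield (m["client"], m["name"], hit[1], hit[2])

SAMPLE_LOG = [  # constructed lines, not real traffic
    "2018-02-14T10:01:02Z 10.0.0.5 query blockchain.info A",
    "2018-02-14T10:01:09Z 10.0.0.5 query blockclain.info A",
    "2018-02-14T10:02:41Z 10.0.0.7 query blockchaina.info A",
    "2018-02-14T10:03:00Z 10.0.0.9 query b1ockchain-login.com A",
    "2018-02-14T10:03:30Z 10.0.0.9 query example.com A",
]
```

Running `list(scan_log(SAMPLE_LOG))` returns the three look-alike lookups and skips the allowlisted and unrelated names.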

  

  The DNS traffic of the

  Recently, Coinhoarder has been continuously refining its phishing websites to make them appear more legitimate. After tracking the gang for several months, the Cisco team found that it had started using SSL certificates issued by Cloudflare and Let’s Encrypt. Abuse of SSL certificates has become a major feature of phishing attacks.

  3. The surge in mining malware

  In addition, attackers continuously infect systems through cryptocurrency mining software.

  In early February last year, security firm Check Point named three cryptocurrency mining programs – Coinhive, Cryptoloot and Rocks – that are currently among the ten most common malware.

  Other security companies reported similar findings. ‘Since September 2017, cryptocurrency mining malware has been one of the main problems we detect,’ said Jérôme Segura, lead malware intelligence analyst at security company Malwarebytes.

  In December 2017, Israeli security company Imperva said that 88% of the attacks executed on target servers made requests to external sources in an attempt to download cryptocurrency mining malware.

  4. Vulnerability exploitation: Miners set their sights on

  

  But before the WannaCry version of

  Since May last year, another botnet gang, Smominru, has been doing the same thing, using EternalBlue and EsteemAudit (CVE-2017-0176, a vulnerability in smart card authentication code that can be exploited on Windows systems with Remote Desktop Protocol enabled) to carry out mining operations.

  In January this year, the Proofpoint malware researcher known as ‘Kafeine’ claimed in a blog post that Smominru was running cryptocurrency mining malware on infected systems, “illegally earning millions of dollars.” It is currently unknown whether Smominru is colluding with the Adylkuzz botnet gang.

  Kafeine said that the areas most severely affected by Smominru infections are Russia, India, Taiwan and Ukraine. Proofpoint reported the Monero addresses associated with the botnet to MineXMR (the Monero mining pool the attackers were using).

  “A mining pool is a platform where miners work together and share computing resources to solve difficult problems,” Israeli security company Imperva once explained publicly. “After the problem is solved, the currency is distributed among the participants of the mining pool according to their respective contributions of computing power.”

  But after Proofpoint’s report, Kafeine said that the criminal gang behind the botnet registered new addresses and resumed their mining operations, directing the currency to a new address.

  III. Enterprise servers face high risk

  Kafeine said that these botnets pose an especially serious threat to enterprises because most of the infected hosts are Windows servers. “Although mining Monero on desktop computers is now ineffective, the distributed botnet described in this article can still bring substantial profits to its operators.”

  

  Global concentration of Smominru-infected nodes (source: Proofpoint)

  Kafeine warned that major enterprises are at great risk of suffering these types of attacks. “Because most of the nodes in this botnet are Windows servers, there is a high potential impact on the performance of critical business infrastructure,” he wrote. “Due to the huge profits and the strong recovery ability of the botnet and its infrastructure, we expect these activities to continue and become more rampant.”

  IV. Is criminal use of Bitcoin declining?

  Bitcoin’s status as the preferred cryptocurrency for criminal transactions may not last long. Threat intelligence company Recorded Future recently surveyed 150 underground markets; although all of them accept Bitcoin, a growing number of traders are beginning to prefer Litecoin, Monero, Dash, Bitcoin Cash, Ethereum and Zcash (Zero Coin). The company predicts that within the next 12 months, Bitcoin will no longer be the main payment mechanism for buyers and sellers in cybercrime.

  Note: Translated from the Internet, copyright belongs to the original author. If there is any infringement, please inform us.