Researchers from Cisco’s OpenDNS security team have uncovered a complex phishing scheme aimed at collecting user credentials from various Bitcoin-related services, which under closer scrutiny led back to a known bulletproof hosting firm.
The first to stumble upon this campaign were the security researchers from OpenDNS, who spotted it in the first week of June.
The crooks behind the phishing campaign were relying on pixel-perfect cloned Web pages for various Bitcoin wallet services, with a special focus on Blockchain.info, one of the most important sites in the Bitcoin ecosystem.
AdWords campaigns drove traffic towards the phishing pages
Phishers were leveraging a Google AdWords campaign to lure victims into accessing their malicious sites, registered using typosquatting domains, such as bioklchain.info instead of blockchain.info.
What caught the eye of the researchers was that some of these websites were hosted on IP addresses that had a history.
Leveraging OpenDNS’ huge Whois database, the team discovered that the same IP had hosted a slew of malicious sites in the past, such as pharma spam and other phishing domains, for services such as banking portals, iCloud accounts, and more.
Furthermore, most of these phishing domains were registered under only six email addresses. OpenDNS says the oldest of these domains was registered on May 26, 2016.
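The two techniques the article describes, spotting typosquatted lookalikes of a brand domain and then pivoting on shared hosting IPs and registrant email addresses, can be reproduced offline on a small set of records. The script below is an added example, not code from the article or from OpenDNS; the watch list, domain names, IP addresses and email addresses in it are constructed sample data (built to mirror the reporting, not indicators from the report), and the threshold of 0.3 on normalized edit distance is an assumption.

```python
"""Added example (not from the article or from OpenDNS): triage a list of
observed domains for typosquats of watched brands, then pivot on shared hosting
IP and registrant email to find related infrastructure. All records, IPs and
email addresses below are constructed sample data, not indicators from the report."""

# Constructed watch list of legitimate brand domains (assumption).
PROTECTED = ["blockchain.info", "coinbase.com"]

# Constructed Whois/passive-DNS style records: (domain, hosting IP, registrant email).
RECORDS = [
    ("blockchain.info",           "203.0.113.10", "hostmaster@blockchain.example"),
    ("bioklchain.info",           "198.51.100.7", "reg1@mail.example"),
    ("bolckchain.info",           "198.51.100.7", "reg1@mail.example"),
    ("blockchain-info-login.com", "198.51.100.8", "reg2@mail.example"),
    ("cheap-pharma-deals.biz",    "198.51.100.7", "reg3@mail.example"),  # same IP as lookalikes
    ("icloud-verify.net",         "192.0.2.55",   "reg2@mail.example"),  # same registrant
    ("example.org",               "192.0.2.1",    "admin@example.org"),
]


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insert, delete, substitute, or swap two adjacent characters, one cost each.
    Adjacent swaps matter because 'bolckchain' is one keystroke slip from 'blockchain'."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def normalize(domain):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    domain = domain.strip().lower().rstrip(".")
    return domain[4:] if domain.startswith("www.") else domain


def registrable_label(domain):
    """Second-level label only; assumes single-label suffixes like .info/.com
    (a real pipeline would use the Public Suffix List)."""
    parts = normalize(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, protected=PROTECTED, max_ratio=0.3):
    """Return (brand, reason) if the domain looks like a typosquat of a watched
    brand, or None if it is the brand itself or unrelated."""
    domain = normalize(domain)
    if domain in protected:
        return None
    label = registrable_label(domain)
    for brand in protected:
        brand_label = registrable_label(brand)
        if brand_label in label:
            # e.g. blockchain-info-login.com embeds the brand in a longer label
            return (brand, "brand-embedded")
        dist = osa_distance(label, brand_label)
        if 0 < dist and dist / max(len(label), len(brand_label)) <= max_ratio:
            return (brand, f"edit-distance={dist}")
    return None


def pivot(records, protected=PROTECTED):
    """Flag lookalike domains, then flag any other domain that shares a hosting IP
    or registrant email with a flagged one (the pivot the analysts made on the
    Whois data). Returns {domain: reason}."""
    flagged = {}
    for domain, _ip, _email in records:
        hit = classify(domain, protected)
        if hit:
            flagged[domain] = f"lookalike of {hit[0]} ({hit[1]})"
    bad_ips = {ip for domain, ip, _ in records if domain in flagged}
    bad_emails = {email for domain, _, email in records if domain in flagged}
    for domain, ip, email in records:
        if domain in flagged or normalize(domain) in protected:
            continue
        if ip in bad_ips:
            flagged[domain] = f"shares hosting IP {ip} with a flagged domain"
        elif email in bad_emails:
            flagged[domain] = f"shares registrant {email} with a flagged domain"
    return flagged


if __name__ == "__main__":
    for domain, reason in pivot(RECORDS).items():
        print(f"{domain:28s} {reason}")
```

Run as-is, the lookalike pass catches the three brand imitations and the infrastructure pass then pulls in the pharma-spam domain on the same IP and the iCloud phishing domain under the same registrant, which is the same chain of reasoning the article attributes to the OpenDNS team. The restricted Damerau-Levenshtein distance is used rather than plain Levenshtein because adjacent-character swaps ("bolckchain") are the most common keystroke slips and should cost one edit, not two.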
Malicious phishing pages hosted on a bulletproof hosting provider
The IP belonged to a company called Novogara registered in the Seychelles. The company’s previous name was QUASINETWORKS. Prior to that, the company was named Ecatel and initially operated in the Netherlands until December 2015.
In the Web hosting biz, Novogara is what’s called a “bulletproof hosting provider,” referring to companies that go out of their way to protect their customers, even if they know their client is running illegal operations.
These types of companies use safe harbor provisions in laws across the world that allow them to shift legal responsibility onto their clients. They also charge more than regular hosting providers, mainly because they turn a blind eye to what the customer is doing.
In the past, Novogara was linked to sites hosting child pornography, spam, or from which DDoS traffic originated. The company’s toxic traffic got so bad that fellow companies stopped peering with Novogara (Ecatel back then). The Anonymous hacker collective executed multiple DDoS attacks against the network because it was hosting child pornography.
Nevertheless, if it’s not Novogara, then it’s somebody else. These types of companies exist everywhere, from the US to Romania, and from Russia to China.