Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
If you’re in security and haven’t delved much into threats related to cryptocurrency, you may want to reconsider your position. Regardless of how you feel about its practicality or potential bubble status, cryptocurrency is worth understanding because it’s not going away anytime soon. And, a lack of formal regulations or rules in the space has helped foster a ‘wild west’ sort of chaos—both for good and for bad.
In no particular order, here’s a brief set of topics for those looking to expand their cryptocurrency security knowledge.
Most people have heard of Bitcoin, Ethereum, Ripple, and Litecoin, but what about the lesser known altcoins such as ICON, Civic, and Verge? There are hundreds of coins/tokens in the market space right now—even Kodak is throwing its hat in the ring—and acquiring them is not always a straightforward process.
Figure-1 Binance, a popular exchange featuring hundreds of altcoins
To purchase these altcoins, you must first find an exchange that will convert your currency to Bitcoin or Ethereum. From there, you have two options, 1) using an exchange or 2) using a mixer. Depending on the coin you want to purchase, you may need to transfer your coins from one exchange to another using the wallet addresses at each exchange. Exchanging is a reasonably simple process, but what makes it difficult is finding exchanges that are reputable and then managing disparate accounts on each one.
Figure-2 Changelly.com, a popular mixer to change cryptocurrencies
Assuming you already have one coin type but want to exchange it for another, you could use something called a mixer. These websites will allow you to send currency of one kind and transfer it into another type. Similar to exchanges, mixers often require you to register an account, trust the provider with your money (briefly), and use a multitude of providers since no one provider has all the coins listed.
The process above involves a lot of moving parts, and even the most reputable of these exchanges and mixers have widely held concerns associated with their security, and rightly so—there have been several recent high-profile hacks resulting in a loss of millions of dollars worth of holdings.
The lesser-known mixers and exchanges are even riskier, and with new ones popping up every day, there’s an entirely new landscape of dangerous cryptocurrency apps, both legitimate and malicious, that investors must now navigate. Already, RiskIQ has detected and blacklisted dozens of fake cryptocurrency apps in the mobile app ecosystem, many of which are leveraging the name of well-known exchanges and mixers.
When a topic gains global attention, chances are high it will be used in phishing attacks.
What makes the cryptocurrency world a bit different is the lack of follow-up-actions that can take place in the event of a theft. This has resulted in a wide-range of phishing techniques including standard cold-emails, targeted messages to cryptocurrency holders, SMS hijacking to thwart two-factor authentication, typosquatting or brand infringing websites, fake exchanges, fake mixers, social media impersonation, and more. Unlike typical phishing where the user may lose their account, victims of these phishing attacks can lose their entire digital wallet, leaving them empty-handed and without recourse.
In early November, Proofpoint uncovered a sizeable active phishing campaign by the Lazarus Group that sent out messages about fake Bitcoin Gold (BTG) wallet software. The actors abused IDN registration attempting to impersonate the official bitcoingold.org website using sender IDN domains and the decoded notations.
Figure-3 Comparing the real Bitcoin Gold page with the malicious phishing page
Captured by virtual user technology–our web crawling infrastructure—RiskIQ had full copies of the fake webpages and the metadata present on them. RiskIQ stores host pairs for sites that point to each other in a parent or child relationship and called upon this data set for the official BTG website, which showed at least two fake websites in its parent Host Pair set. This information enabled investigators to detect the threat at the source and track how they ran their campaign.
RiskIQ virtual user technology can combat phishing schemes related to cryptocurrency in other ways, too. Whether they’re malicious or benign, fake or legitimate, cryptocurrencies, mixers, and exchanges also leverage well-known brands to boost their visibility—often financial institutions. In conjunction with industry-leading phishing blacklists, RiskIQ External Threats analyzes the internet looking for pages that are similar to their proprietary assets, or pages that collect information leveraging their logo. Leveraging direct integrations with Google Safe Browsing and Microsoft SmartScreen, RiskIQ External Threats can automatically detect and block phishing campaigns, stopping most browsers from accessing the page.
Where there are hundreds of coins also means hundreds of companies, many with technology-based solutions. Many of the altcoins provide their users with digital wallets in the form of mobile apps or native desktop apps. Like any other technology, this software may have vulnerabilities that could be exploited and result in the total loss of assets. And, unlike your traditional bank account, your cryptocurrency isn’t insured.
Figure-4 Security researcher seeing live scans against honeypots revealing a vulnerability
For example, security researchers recently uncovered a vulnerability being exploited in-the-wild by malicious actors. Ethereum users directly connected to the Internet were at risk of funds automatically being stolen from their digital wallets due to an unauthenticated JSON RPC endpoint present within the wallet.
Some holders of cryptocurrency have opted to use hardware solutions to secure their digital wallets. These devices often provide a degree of security, by offering encryption or some additional authentication mechanism that requires the user to interact with the device.
Unfortunately, bad actors have taken notice of these hardware devices and a market of uneducated purchases to sell second-hand devices. These second-hand devices could be implanted with a backdoor or seeded with information the attacker could use to access the contents of the device later.
With cryptocurrency valuation reaching new highs seemingly every week, everyone is trying to cash in. That’s why revenue-generating cryptocurrency miners are everywhere and anywhere. However, these miners require tons of computing power, often sourced from unwitting users.
Figure-5 Components shown for a web property in RiskIQ PassiveTotal detailing the use of Coinhive within the web page.
Some brands capitalize by running cryptocurrency mining scripts in the background of their sites to leverage the computers of their visitors legally. Meanwhile, threat actors hack vulnerable sites or spin up fake, illegitimate websites to siphon money off of major brands, often with typosquatting domains and fraudulent branding. By leveraging domains or subdomains that appear to belong to major brands, these actors trick people into visiting their sites running cryptocurrency mining scripts to monetize their content. When we looked at domains running the cryptocurrency mining script Coinhive, we found many examples of typosquatting and domain infringement.
Unfortunately, security teams lack visibility into all of the ways that they can be attacked externally, and struggle to understand what belongs to their organization, how it’s connected to the rest of their asset inventory, and what potential vulnerabilities are exposed to compromise. In the case of scripts like Coinhive, it means being able to inventory all the third party code running on your web assets, and being able to detect instances of threat actors leveraging your brand on their illegitimate sites around the internet. Fortunately, RiskIQ Digital Footprint has you covered by continuously discovering an inventory of your externally-facing digital assets and managing risks across your attack surface.
Another Magecart group has started to compromise misconfigured S3 buckets! Please secure your buckets.
We detailed how to secure your S3 Buckets in our original reporting: https://t.co/QKrZqWV506
The Columbus, OH #ThreatHunting community is out in full force for today's workshop! Together, we're powering better investigations through data.
Some insights based on reporting by @RiskIQ: Beyond Wipro: Meet the ‘Gift Cardsharks’ Behind the Massive Campaign Targeting Victims with Commercially Available Tools https://t.co/6Vxsnygp1z via @ooda
For today's executives, protecting your organization means protecting yourself—and knowing that personal security sits at the confluence of the physical and digital worlds. https://t.co/HShORi3X6j #ExecutiveProtection #ExecutiveSecurity
Overlap in RiskIQ's unique data sets uncovered a massive threat campaign using popular marketing and analytics tools to target gift card retailers, distributors, and processors. Here's what you need to know https://t.co/GkHsPFwkkd #ThreatIntelligence