With cryptocurrency mania in full swing, investors must now navigate an entirely new, rapidly expanding threat landscape. Coins, alt-coins, tokens, exchanges, and other cryptocurrency apps—both legitimate and malicious—pop up in the marketplace every day, many of which leverage the massive popularity and ‘get-rich-quick’ promise of cryptocurrency to attract new users. Some of these apps are stood up to target users, while many become the target of hackers themselves.
The cryptocurrency threat campaigns RiskIQ observes show that threat actors bank on the fact that, to many people, the concept of cryptocurrency is nebulous at best, yet still seen as a viable way to make money. This widespread perception creates fertile ground for scammers, who take advantage by creating all manner of cryptocurrency fakery designed to cheat people out of money. Already, RiskIQ has detected and blacklisted dozens of fake cryptocurrency apps in the mobile app ecosystem that exploit the names of well-known exchanges and mixers, as well as hundreds of sites that falsely promise to make users money in other ways.
The site cryptcoins.biz, for example, has a glossy crypto veneer but resembles a common advance-fee scheme. Users pay real money (rubles, via Payeer) for phony “coins” marketed as various “cryptocurrencies,” with the goal of exchanging them later for a return on their investment. They can also earn coins through “bonuses” awarded for taking actions such as clicking on ads, visiting web pages, and recruiting new users.
However, the exchange rates from these coins back to rubles are intentionally confusing and absurdly steep. To receive a payout via Payeer, users must first exchange their coins for “silver,” and then exchange the silver for rubles: 100 “coins” buy 1 “silver,” and 100 “silver” buy 1 ruble, so 10,000 coins are needed for a single ruble. This rate is a fantastic deal for the people who run the site, but a shakedown for the customers.
Fig-1 Phony coins named after actual cryptocurrencies promising investors a profit
Cryptcoins[.]biz is only one of a network of sites operated by a single individual or group, all sharing the cryptocurrency theme. A single IP address, 126.96.36.199, hosts several cryptocurrency-themed domains that falsely promise their users profits. Pivoting in RiskIQ PassiveTotal, we see a handful of domains resolving to this address, ranging from sites masquerading as digital currency exchanges, to sites offering ways of earning free cryptocurrency, to “economic simulators” that promise users they can redeem in-game profits for real-world money. One of these sites asks users to send 0.5 – 5 ETH (Ethereum) and promises a return of 5 – 50 ETH.
Fig-2 Site offering a huge ROI on a 0.5 ETH investment (yeah right)
According to RiskIQ PassiveTotal’s PDNS data, this address was not routable before March 7th, and many of the domains currently resolving to it were registered soon after:
Fig-3 PDNS data inside RiskIQ PassiveTotal for the IP 188.8.131.52
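The pivot described above (shared hosting IP to the domains resolving to it, then checking which of those domains were registered around the time the IP first appeared in passive DNS) can be scripted once the PDNS and WHOIS records have been exported. The following is an added example, not RiskIQ's or PassiveTotal's code; the resolutions and creation dates are constructed sample data using documentation-range IPs and invented domain names, and the 30-day window is an assumed tuning value.

```python
"""Added example (not RiskIQ's code): cluster domains on a shared IP and flag
the ones registered near the date the IP first became routable.
All records below are constructed sample data (192.0.2.0/24 is the
documentation range; domain names are invented)."""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS resolutions: (domain, ip, first_seen, last_seen)
PDNS = [
    ("cryptcoins-example.biz",  "192.0.2.10", date(2018, 3, 8),  date(2018, 3, 20)),
    ("eth-doubler-example.net", "192.0.2.10", date(2018, 3, 9),  date(2018, 3, 20)),
    ("sim-economy-example.com", "192.0.2.10", date(2018, 3, 12), date(2018, 3, 20)),
    ("old-blog-example.org",    "192.0.2.10", date(2018, 3, 15), date(2018, 3, 20)),
    ("unrelated-example.com",   "192.0.2.77", date(2017, 1, 1),  date(2018, 3, 20)),
]

# Constructed WHOIS creation dates for the same domains
WHOIS_CREATED = {
    "cryptcoins-example.biz":  date(2018, 3, 8),
    "eth-doubler-example.net": date(2018, 3, 9),
    "sim-economy-example.com": date(2018, 3, 11),
    "old-blog-example.org":    date(2015, 6, 1),   # long-lived, likely unrelated tenant
    "unrelated-example.com":   date(2016, 2, 2),
}


def group_by_ip(pdns):
    """Map each IP to the set of domains that have resolved to it."""
    groups = defaultdict(set)
    for dom, ip, _, _ in pdns:
        groups[ip].add(dom)
    return dict(groups)


def domains_on_ip(pdns, ip):
    """Domains that have resolved to `ip` (the basic PDNS pivot)."""
    return group_by_ip(pdns).get(ip, set())


def ip_first_routable(pdns, ip):
    """Earliest first_seen across all resolutions to `ip`; a proxy for when
    the address came online, mirroring the 'not routable before' observation."""
    seen = [first for _, rec_ip, first, _ in pdns if rec_ip == ip]
    return min(seen) if seen else None


def cluster_new_domains(pdns, whois, ip, window_days=30):
    """Domains on `ip` whose WHOIS creation date falls within `window_days`
    of the IP first appearing in PDNS (before or after). Returns a sorted
    list of (domain, days_after_ip_first_seen). Domains registered years
    earlier are dropped: on shared hosting they are usually bystanders."""
    anchor = ip_first_routable(pdns, ip)
    if anchor is None:
        return []
    flagged = []
    for dom in sorted(domains_on_ip(pdns, ip)):
        created = whois.get(dom)
        if created is None:
            continue  # no WHOIS data: cannot date it, leave for manual review
        delta = (created - anchor).days
        if -window_days <= delta <= window_days:
            flagged.append((dom, delta))
    return flagged


if __name__ == "__main__":
    for dom, delta in cluster_new_domains(PDNS, WHOIS_CREATED, "192.0.2.10"):
        print(f"{dom}: registered {delta:+d} days from IP first seen")
```

The anchor date is taken from PDNS rather than from the hosting provider, so it is only as good as the sensor coverage; a domain that is dropped because its WHOIS record is missing should be reviewed by hand rather than assumed benign.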
Other notable domains in this network include:
The cryptocurrency threat landscape is dangerous for users, but brands are also at risk. Threat actors hack vulnerable sites or spin up fake, illegitimate websites to siphon money off of brands, often with typosquatting domains and fraudulent branding. By leveraging domains or subdomains that appear to belong to major brands, these actors trick people into visiting their sites, which attempt to scam them and/or run cryptocurrency mining scripts that hijack the visitor’s CPU.
Unfortunately, security teams lack visibility into all of the ways they can be attacked externally, and struggle to understand what belongs to their organization, how it is connected to the rest of their asset inventory, and which potential vulnerabilities are exposed to compromise. RiskIQ Digital Footprint has you covered by continuously discovering an inventory of your externally-facing digital assets and managing risks across your digital attack surface. If you would like more information about how RiskIQ Digital Footprint Enterprise can help you with exposure to cryptominers, call us at 888-415-4447 or email us at email@example.com.
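The brand-abuse pattern described above (typosquats, homoglyphs, and brand names embedded in an attacker-controlled domain or subdomain) is something a brand-protection team typically screens newly observed domains for. Here is an added example of that screening logic, not RiskIQ's code: the brand list, the confusable-character table and all candidate domains are constructed sample data, and the distance threshold of 2 is an assumed tuning value.

```python
"""Added example (not RiskIQ's code): score candidate domains for typosquatting
and brand abuse against a watched brand list.  Brands, confusable table and
candidate domains are constructed sample data."""

BRANDS = ["examplecoin", "examplexchange"]  # constructed watch list

# Common look-alike substitutions seen in typosquats (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(label):
    """Fold confusable characters so 'examp1ecoin' compares as 'examplecoin'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Standard edit distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def registrable_label(domain):
    """Naive second-level label. Real code should consult the Public Suffix
    List so that 'brand.co.uk' yields 'brand' rather than 'co'."""
    parts = _labels(domain)
    return parts[-2] if len(parts) >= 2 else parts[0]


def subdomain_labels(domain):
    """Labels left of the registrable domain (e.g. ['examplecoin'] for
    examplecoin.login-example.com)."""
    return _labels(domain)[:-2]


def score_domain(domain, brands=BRANDS, max_distance=2):
    """Return a list of (finding, brand) pairs; empty means no brand match."""
    label = registrable_label(domain)
    norm = normalize(label)
    findings = []
    for brand in brands:
        if label == brand:
            continue                       # the brand's own registrable domain
        if norm == brand:
            findings.append(("homoglyph", brand))
            continue
        if levenshtein(norm, brand) <= max_distance:
            findings.append(("typosquat", brand))
        elif brand in norm:
            findings.append(("brand-embedded", brand))
    # A brand name used as a subdomain of an unrelated registrable domain.
    for sub in subdomain_labels(domain):
        for brand in brands:
            if brand in normalize(sub):
                findings.append(("brand-in-subdomain", brand))
    return findings


if __name__ == "__main__":
    for cand in ["examp1ecoin.com", "exampelcoin.net", "examplecoin-wallet.io",
                 "examplecoin.login-example.com", "examplecoin.com",
                 "totallyunrelated.com"]:
        print(cand, "->", score_domain(cand) or "clean")
```

Edit distance alone over-fires on short brand names, which is why the exact-match and homoglyph checks run first and why the threshold should be tuned per brand length; a hit here is a triage signal to feed into the PDNS pivot, not proof of abuse.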