Group used Google ads to drive traffic to phishing sites
The group, which Cisco tracked internally under the codename Coinhoarder, has been operating for years but appears to have used the same scheme since February 2017, possibly earlier.
Crooks purchase so-called typosquatted domains that imitate the real Blockchain.info Bitcoin wallet management service. Coinhoarder operators then set up phishing pages on these domains that log users' credentials, which they later use to steal funds from users' accounts.
Nothing new here, as this is how most phishing operations work. The novelty comes from how crooks drive traffic to these sites. According to Cisco, instead of using malvertising or spam campaigns, crooks buy legitimate ads via the Google AdWords platform and place links to their phishing sites at the top of Bitcoin-related Google search results.
Sample paid ads by the Coinhoarder group
This trick is not only simple to execute but very effective. Cisco reported that based on DNS query data, ads for one domain roped in over 200,000 users. It is believed the group lured tens of millions of users to its phishing sites.
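Because the campaign relies on typosquatted look-alikes of a single brand domain, and because Cisco sized it from DNS query data, the defender-side check is a look-alike scan over DNS query logs. The following is an added example written for this article; it is not Cisco's or Blockchain.info's code. The log line format (`timestamp client qtype qname`), the one-entry watchlist, the small homoglyph table, the edit-distance threshold of 2 and the sample log lines are all constructed assumptions for the illustration.

```python
"""Flag DNS queries for look-alike (typosquatted) domains of a watched brand.

Added illustration for this article, not Cisco's or Blockchain.info's code.
The log line format, the watchlist, the homoglyph table, the edit-distance
threshold and the sample log are assumptions chosen for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Registrable domains to protect (assumption: a small static list).
WATCHLIST = ["blockchain.info"]
# Largest Levenshtein distance at which a second-level label counts as a typo.
MAX_DISTANCE = 2
# Character confusions folded before comparison (assumed, deliberately small).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def fold(label: str) -> str:
    """Lower-case a label, drop hyphens and collapse common look-alike characters."""
    label = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname: str) -> Optional[str]:
    """Return a reason string if qname looks like a brand impersonation, else None.

    Only the last two labels are compared (assumption: no multi-label public
    suffixes such as .co.uk in the data), so any subdomain of the genuine
    domain is accepted as genuine.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    for brand in WATCHLIST:
        b_sld, b_tld = brand.rsplit(".", 1)
        if sld == b_sld and tld == b_tld:
            return None  # the real registrable domain (or a subdomain of it)
        if sld == b_sld:
            return f"brand name under a different TLD (.{tld})"
        folded, target = fold(sld), fold(b_sld)
        if folded == target:
            return f"homoglyph/hyphen variant of {brand}"
        if levenshtein(folded, target) <= MAX_DISTANCE:
            return f"within {MAX_DISTANCE} edits of {brand}"
        if target in folded:
            return f"embeds brand name {b_sld!r}"
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse 'timestamp client qtype qname' lines; return (client, qname, reason) hits."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line (assumed fixed 4-field format)
        _ts, client, _qtype, qname = parts
        reason = classify(qname)
        if reason:
            hits.append((client, qname.lower().rstrip("."), reason))
    return hits


def clients_per_domain(hits: Iterable[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count distinct querying clients per flagged domain (a rough 'users lured' metric)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for client, qname, _reason in hits:
        seen[qname].add(client)
    return {qname: len(clients) for qname, clients in seen.items()}


# Constructed sample log; the domains and addresses are made up for the example.
DNS_LOG = """\
2017-11-03T10:22:15Z 10.0.0.12 A blockchain.info
2017-11-03T10:22:19Z 10.0.0.12 A wallet.blockchain.info
2017-11-03T10:23:01Z 10.0.0.31 A blockchien.info
2017-11-03T10:23:40Z 10.0.0.45 A block-chain.info
2017-11-03T10:24:02Z 10.0.0.31 A b1ockchain.info
2017-11-03T10:24:55Z 10.0.0.77 A blockchain-wallet.info
2017-11-03T10:25:10Z 10.0.0.12 A example.org
2017-11-03T10:25:33Z 10.0.0.90 A blockchain.co
2017-11-03T10:26:02Z 10.0.0.88 A blockchien.info
2017-11-03T10:26:40Z 10.0.0.31 A blockchien.info
"""

if __name__ == "__main__":
    found = scan_dns_log(DNS_LOG.splitlines())
    for client, qname, reason in found:
        print(f"{client:<12} {qname:<26} {reason}")
    print("distinct clients per flagged domain:", clients_per_domain(found))
```

The genuine domain and its subdomains pass untouched, while the typo, hyphen, digit-for-letter, brand-embedding and TLD-swap variants are each flagged with the rule that caught them. Counting distinct clients per flagged name is the same kind of measure Cisco used to estimate reach from DNS data; in production the watchlist would be longer and the registrable-domain split should use a public suffix list rather than the last two labels.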
It is unclear how many users tried to log in on the fake sites, but after tracking down various thefts reported on social media and involving some of the Coinhoarder group's typosquatted domains, Cisco says the group made around $50 million worth of Bitcoin in the past three years.
For example, in one campaign that took place from September 2017 to December 2017, the group made around $10 million, while in another campaign that lasted 3.5 weeks, the group made another $2 million.