More than $50m in crypto stolen by Ukranian Group CoinHoarders via Google AdWords

[Energycore]

https://www.newsbtc.com/2018/02/15/hackers-coinhoarder-steal-more-than-50-million-in-cryptocurrencies-using-google-ads/

 

Cisco's Talos Intelligence Group uncovered a team of hackers based out of Ukraine, who dubbed themselves CoinHoarder, using Google AdWords to lure people into malicious mirrors of popular wallet holder sites like blockchain.info.

 

Quote

 

The report details how thieves preyed on their victims using a simple technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “Bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets. Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their virtual currency.

The poison ads included “spoofed” links with small mistypes like “blokchien.info/wallet” and “block-clain.info,” which sent visitors to pages that mirrored actual websites of the company Blockchain, which runs both the domains Blockchain.info and Blockchain.com. According to Cisco’s report, the legitimate sites appeared lower in the results than the “poisoned” links.

 

This highlights an important weakness of the Google AdWords service, that can be abused for other things in the future like sending people to fake bank or government sites.

 

Quote

 

The Coinhoarder thefts occurred over the course of three years but surged at the end of 2017 as Bitcoin prices soared close to $20,000, with $10 million stolen between September and December. In one run, the hackers made off with $2 million in the span of fewer than four weeks, the Talos researchers said. Further, it’s very likely the value of the steals total much more than $50 million now, as Talos based its calculations on cryptocurrency prices at the time of the theft.

Cisco found that the Coinhoarder scam disproportionately ensnared those from underbanked regions where cryptocurrency has caught on as an alternative means of storing wealth: Residents of African countries such as Nigeria and Ghana made up the majority of those who landed on the malignant websites.

 

More than $50m (accounting for the appreciation of these cryptos since they were stolen) was taken from legitimate users, especially from countries that are not up to date in cybersecurity, they smartly targeted people who are less likely to know a scam site from a legit site.

 

There is no mention of whether the members of this hacker group have been aprehended, or whether Google is going to change its AdWords service in any way.

 

I'll update this if I find any more info.

[SansVarnic]

wow...

[Okjoek]

Not been a fan of Ukraine lately.

[Starelementpoke]

That's quite a bit of cash.

[Guest]

3 hours ago, Energycore said:

or whether Google is going to change its AdWords service in any way.

Unless this noticeably affects their reputation, or people try to hold them accountable, I doubt the effect would be in changing the priority ads have over legit results. Though they might be more strict with what is advertised, but that's another can of worms.

[Bcat00]

oh well, not that it matters to the average person. 

Don't plan to use cryptocoins nor will i accept payment in that form so no harm done. Take it all they like.

[Mooshi]

So...how are fake coins with no real value a good thing for society again?

[Energycore]

1 hour ago, Mooshi said:

So...how are fake coins with no real value a good thing for society again?

I dunno, how are pieces of paper with no real value and a number written on them a good thing for society?

[mr moose]

3 hours ago, Energycore said:

This highlights an important weakness of the Google AdWords service, that can be abused for other things in the future like sending people to fake bank or government sites.

 

Is it a weakness in adwords or a general weakness in people?  It seems to me it is people who are easily fooled by phishing scams and any ad service would suffice.

[Energycore]

Just now, mr moose said:

Is it a weakness in adwords or a general weakness in people?  It seems to me it is people who are easily fooled by phishing scams and any ad service would suffice.

Weakness in people is a problem that cannot (easily) be overcome. The cost of implementing a course in cybersecurity for all the people in Africa who need crypto because their country doesn't actually have a service with which to store their money in a non-physical manner, I surmise, is way lower than the cost of implementing an algorithm that weeds out malicious users of the AdWords service.

 

Of course criminals will find other ways, so we should do both. But it's not enough to say "X is a more important problem" to take away from the importance of the apparently smaller problem. I'll concede that it's a bigger problem that people aren't educated in cybersecurity. But that's not reason enough for us to stop pointing out other weaknesses in the system.

[mr moose]

1 minute ago, Energycore said:

Weakness in people is a problem that cannot (easily) be overcome. The cost of implementing a course in cybersecurity for all the people in Africa who need crypto because their country doesn't actually have a service with which to store their money in a non-physical manner, I surmise, is way lower than the cost of implementing an algorithm that weeds out malicious users of the AdWords service.

 

Of course criminals will find other ways, so we should do both. But it's not enough to say "X is a more important problem" to take away from the importance of the apparently smaller problem. I'll concede that it's a bigger problem that people aren't educated in cybersecurity. But that's not reason enough for us to stop pointing out other weaknesses in the system.

I find it concerning that people are willing/able to educate themselves to the point of being able to trade and store crypto but haven't quite worked out basic internet security.

[Energycore]

Just now, mr moose said:

I find it concerning that people are willing/able to educate themselves to the point of being able to trade and store crypto but haven't quite worked out basic internet security.

The archetypical victim of this particular attack did so out of necessity, so I don't think it's fair to assume that they were educated. The extent of their knowledge is probably "look, make an account on this website and you get to store your money on the internet, isn't it great?", and not much else. It is my opinion that we should protect and educate these kind of people. Making Google implement an algorithm that sweep malicious users from AdWords is protecting them, going there and teaching them about cybersecurity is educating them.

[mr moose]

2 minutes ago, Energycore said:

The archetypical victim of this particular attack did so out of necessity, so I don't think it's fair to assume that they were educated. The extent of their knowledge is probably "look, make an account on this website and you get to store your money on the internet, isn't it great?", and not much else. It is my opinion that we should protect and educate these kind of people. Making Google implement an algorithm that sweep malicious users from AdWords is protecting them, going there and teaching them about cybersecurity is educating them.

I disagree, Learning how crypto works is not easier than learning how to be safe online. If you can do one you can do the other.  And I dare say if you are in Nigeria and looking for a way to store money then you already have good reason to be cautious.  If these people were duped by adwords then it is just as likely they would have been duped by any other URL phishing scam. 

[Guest]

1 minute ago, mr moose said:

I disagree, Learning how crypto works is not easier than learning how to be safe online.

But do they really need to learn how crypto works to buy/exchange some? Exchanges have been getting increasingly simple (Besides the requirement for identification.) to use these days.

[mr moose]

1 minute ago, tjcater said:

But do they really need to learn how crypto works to buy/exchange some? Exchanges have been getting increasingly simple (Besides the requirement for identification.) to use these days.

If you were broke arse poor in a country with a banking system so bad crypto is a valid storage solution, would you risk what you have to an unknown? 

[Guest]

Just now, mr moose said:

If you were broke arse poor in a country with a banking system so bad crypto is a valid storage solution, would you risk what you have to an unknown? 

I personally wouldn't, but then again some people do very stupid things online such as trusting random information they found in a post or from a friend. (Disclaimer: I have met people who purchase from random sites/ads and/or fell victim to obvious scams)

[Energycore]

12 minutes ago, mr moose said:

I disagree, Learning how crypto works is not easier than learning how to be safe online. If you can do one you can do the other.  And I dare say if you are in Nigeria and looking for a way to store money then you already have good reason to be cautious.  If these people were duped by adwords then it is just as likely they would have been duped by any other URL phishing scam. 

I'm not disputing this, blockchain technology is so complex that the Science, Space and Technology Committee had to get experts to explain it to them in a hearing. However you don't have to understand the underlying concepts to use it. You can tell someone that it's really just a phone app that does your banking, but with no fees and no bureaucracy. I think you're overestimating how reasonable people are in times of dire need.

 

6 minutes ago, mr moose said:

If you were broke arse poor in a country with a banking system so bad crypto is a valid storage solution, would you risk what you have to an unknown? 

My gut says yes, of course you'd take an unknown over a system that you know to be terrible, in the shoes of these people.

[mr moose]

1 minute ago, tjcater said:

I personally wouldn't, but then again some people do very stupid things online such as trusting random information they found in a post or from a friend. (Disclaimer: I have met people who purchase from random sites/ads and/or fell victim to obvious scams)

Which is why I say it is a problem of the people and not of the ad service.  There are always going to be ads that lead to malicious websites.   I note Nigeria has had 1500% increase in bitcoin trading as people are looking for a way to bypass local exchanges in international payments and to make money from the next "big thing", not that I can blame them on that one, If I was watching the world ride one big thing after another and was constantly missing out because of my country I would want to find away to get on board next as well.  The sadder part is Zimbabwe where financial instability is the main reason for bitcoin being taken up. 

[Guest]

1 minute ago, mr moose said:

Which is why I say it is a problem of the people and not of the ad service.  There are always going to be ads that lead to malicious websites.   I note Nigeria has had 1500% increase in bitcoin trading as people are looking for a way to bypass local exchanges in international payments and to make money from the next "big thing", not that I can blame them on that one, If I was watching the world ride one big thing after another and was constantly missing out because of my country I would want to find away to get on board next as well.  The sadder part is Zimbabwe where financial instability is the main reason for bitcoin being taken up. 

And I agree with that (I did earlier too ), I just wanted to point out that you don't need to understand how it works, just that it exists (And by extension, its likely easier to use a crypto than to have good online common sense.)

[Guest]

53 minutes ago, Energycore said:

I dunno, how are pieces of paper with no real value and a number written on them a good thing for society?

we must go back to the gold standard!

[mr moose]

2 minutes ago, Energycore said:

I'm not disputing this, blockchain technology is so complex that the Science, Space and Technology Committee had to get experts to explain it to them in a hearing. However you don't have to understand the underlying concepts to use it. You can tell someone that it's really just a phone app that does your banking, but with no fees and no bureaucracy. I think you're overestimating how reasonable people are in times of dire need.

 

My gut says yes, of course you'd take an unknown over a system that you know to be terrible, in the shoes of these people.

I didn't mean learn how blockchain works, I meant learn how basic mining and exchanges work. They have to be able to buy in the first place (or mine it), which means they are linking their already destabilized bank accounts to an exchange they don't fully understand.  I think if they can do all this online they can also talk on forums and learn a little bit about security first.

[mr moose]

11 minutes ago, RorzNZ said:

we must go back to the gold standard!

but there isn't enough gold!

 

It always amazes me that people argue there isn't enough gold in the bank to underpin our economy like that somehow justifies fiat being inferior or a rort of some description. 

 

EDIT: I say our economy, but I really mean any economy as the arguments I hear are usually directed at the US, Aussie or English economies.

[Guest]

6 minutes ago, mr moose said:

but there isn't enough gold!

 

It always amazes me that people argue there isn't enough gold in the bank to underpin our economy like that somehow justifies fiat being inferior or a rort of some description. 

I'm joking. I don't actually know what holds our currencies in value apart from demand to buy and sell. I have a friend who studies this so that will be my next question to him!

[Energycore]

1 minute ago, RorzNZ said:

I'm joking. I don't actually know what holds our currencies in value apart from demand to buy and sell. I have a friend who studies this so that will be my next question to him!

To be entirely fair, bitcoin and other cryptos aren't actually currencies, in the opinion of this dude: https://blog.chain.com/a-letter-to-jamie-dimon-de89d417cb80

 

In fact, the IRS does not consider them currency. http://time.com/money/5007068/theres-a-huge-hidden-bitcoin-tax-that-you-need-to-know-about/

[mr moose]

2 minutes ago, RorzNZ said:

I'm joking. I don't actually know what holds our currencies in value apart from demand to buy and sell. I have a friend who studies this so that will be my next question to him!

Management holds it's value.  There is no commodity great enough to underpin the US economy (or most others for that matter) so it simply has to be managed (hence fiat).  Without regulation the economy will simply snowball in one direction or the other,  stupid high inflation or depression.