Cisco’s OpenDNS security team has revealed a complex phishing scheme aimed at collecting user credentials for various Bitcoin-related services, one that led back to a well-known bulletproof hosting company.
The attackers behind the campaign relied on pixel-perfect clones of the Web pages of various Bitcoin wallet services, with a special focus on Blockchain.info, one of the most important websites in the Bitcoin ecosystem.
The crooks leveraged a Google AdWords campaign to lure victims to their malicious websites, which were registered under typosquatting domains such as bioklchain.info in place of blockchain.info. The OpenDNS researchers noticed that some of these websites were hosted on IP addresses with a history.
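The lookalike-domain trick described above is something a defender can screen for in DNS or proxy logs. The following is an added example (not OpenDNS code, and not from the original article) that enumerates one-edit typos of a watched domain and falls back to a Damerau-Levenshtein distance threshold for sloppier variants such as bioklchain.info. The observed domain list is constructed for the example; apart from blockchain.info and bioklchain.info, which the article mentions, every name in it is hypothetical.

```python
"""Flag domains that look like a watched brand domain (added example, constructed data)."""
from __future__ import annotations
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"

# Constructed sample: only blockchain.info and bioklchain.info come from the article;
# the other names are hypothetical and exist purely to exercise each heuristic.
WATCHED = "blockchain.info"
OBSERVED = [
    "blockchain.info",      # the legitimate site: must not be flagged
    "bioklchain.info",      # multi-character mangling mentioned in the article
    "blockhain.info",       # single omitted letter
    "blokcchain.info",      # adjacent transposition
    "blockchain.example",   # same label under a different TLD
    "example.com",          # unrelated domain: must not be flagged
]


def dl_distance(a: str, b: str) -> int:
    """Optimal-string-alignment Damerau-Levenshtein distance: insertions,
    deletions, substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'label.tld' into (label, tld). Assumes the registrable label sits
    directly under the TLD; no public-suffix handling (e.g. .co.uk) here."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def typosquat_candidates(domain: str) -> set[str]:
    """Enumerate every one-edit variant of the label (omission, adjacent
    transposition, substitution, insertion) on the same TLD."""
    label, tld = split_domain(domain)
    variants: set[str] = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                              # omission
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i + 1:])                       # substitution
            variants.add(label[:i] + c + label[i:])                           # insertion
    for c in ALPHABET:
        variants.add(label + c)                                               # trailing insertion
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants
            if v and not v.startswith("-") and not v.endswith("-")}


def classify(observed: list[str], watched: str) -> dict[str, str]:
    """Return {domain: reason} for every observed domain that resembles `watched`.
    The distance threshold scales with label length (one third, at least 1) so
    short brands stay strict while long ones tolerate heavier mangling."""
    w_label, _ = split_domain(watched)
    one_edit = typosquat_candidates(watched)
    threshold = max(1, len(w_label) // 3)
    hits: dict[str, str] = {}
    for raw in observed:
        dom = raw.lower().rstrip(".")
        if dom == watched.lower():
            continue
        label, _ = split_domain(dom)
        if dom in one_edit:
            hits[dom] = "one-edit typo of label"
        elif label == w_label:
            hits[dom] = "same label, different TLD"
        else:
            dist = dl_distance(label, w_label)
            if dist <= threshold:
                hits[dom] = f"edit distance {dist}"
    return hits


if __name__ == "__main__":
    for dom, why in classify(OBSERVED, WATCHED).items():
        print(f"{dom:22} {why}")
```

The exact one-edit set is cheap to precompute per watched brand and can be matched with a plain set lookup at log-ingest time; the distance fallback is what catches the heavier mangling, at the price of a per-domain O(n·m) comparison, so apply it only to domains that share a TLD or first letter with the brand if volume is a concern.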
Using OpenDNS’s large Whois database, the researchers found that the same IP had hosted a slew of malicious websites in the past, including pharma spam and other phishing domains targeting services such as banking portals and iCloud accounts. Most of these phishing domains were registered under only six email addresses. According to OpenDNS, the oldest of these domains was registered on May 26 of this year.
The IP belonged to a company named Novogara, registered in the Seychelles. The company had previously operated under the name QUASINETWORKS and, before that, as Ecatel, which was initially based in the Netherlands until December 2015. Novogara is a so-called “bulletproof hosting provider,” a term for companies that go out of their way to protect their customers even when they know a client is running illegal operations.
Such companies rely on safe-harbor provisions in laws around the world that allow them to shift legal responsibility onto their customers. They also charge more than regular hosting providers, mainly because they turn a blind eye to what the client is doing.
Novogara has previously been linked to websites hosting child pornography, to spam, and to networks from which DDoS traffic originated. The company’s toxic traffic got so bad that in 2008 other networks stopped peering with it (then still called Ecatel).
In 2012, the Anonymous hacker collective carried out multiple DDoS attacks against the network over its hosting of child pornography.