Hackers targeting bitcoin wallet users are once again leveraging Google’s AdWords in their most recent campaigns. Phishlabs has previously seen similar attacks against banks and online gambling sites over the past year. Some of the most recent attacks have targeted Blockchain and Kraken and have been widely blogged and tweeted about over the past week. As seen in the screenshot below, a Google search for “blockchain.info” returns a Google ad for a look alike domain “blockchian.info” (figure 1). Kraken has released a statement via their blog acknowledging the ongoing campaigns and its attempt to mitigate the threat which can be read here. 
Figure 1 Sourced https://twitter.com/myetherwallet/status/766360476246618113
These campaigns lure their victims by advertising malicious lookalike domains via Google AdWords. When a victim searches for their respective bitcoin wallet service or bank via their internet browser, these malicious domains appear in the Google Ads at the top and sides of their screen. Once clicked, the victim is taken to a phishing page where they can enter in login and account information which the hacker can then use to access the victims’ accounts and personal information. 
While AdWords phishing is not a new threat, it is one that has been repeatedly leveraged against Bitcoin as well as other financial institutions and sectors that dabble in financial transactions. Google states that it is aware of the malicious use of its AdWords service and regularly blocks these malicious ads. Despite this, recent campaigns prove that these particular types of attacks are not only successful, but are frequently surpassing Google’s ability to detect and remove them before users fall prey.
Exploiting the human vulnerability continues to be the most attractive and successful path for threat actors targeting the assets of organizations and individuals. Download the 2016 Phishing Trends & Intelligence Report for trend analysis and insight into techniques used in attacks.
Because Google AdWords is a cost-per-click service (CPC), the hackers behind these campaigns are believed to have significant financing. The average CPC for a startup or new business is between two to five dollars but can dramatically increase to over ten times that. For each click, the hacker has to pay Google. So, if the victim clicked on the ad but did not fill out the phishing forms, the hacker did not receive any of the victim’s information to later misuse, but still has to pay Google their fee. As such, the hacker would likely need to have significant upfront financing to run these types of scams. Ways to avoid becoming victims of these types of scams include:
- Not clicking on the ads themselves but use the links in the actual search results provided by your browser.
- Always double check the grammatical accuracy of the advertisement
- Hover over the link with your mouse to ensure the domains match before clicking.
More Resources: On-Demand Webinar: Turn Your Employees Into Security MVPs Download: The CISO's Guide to Spear Phishing Defense