Editorial note: Every week, we are going to examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA’s D-Zone DNS Firewall.
Every day we add about 100,000 new domains to the block list for users of the D-Zone DNS Firewall. We thought it would be interesting to look at the top 10 sites blocked. In other words, what malware end users are actually attempting to click on (hopefully by mistake).
Five of the top 10 blocked domains were for Bitcoin miners, and notably, they all appear to be random strings under the .bid gTLD. The other top blocks included the Mirai botnet, Bifrose, and Palevo.
Last week a number of high-profile security alerts came out about bitcoin-mining software being distributed, with clickbait sent via Facebook Messenger reported as the main mechanism. The bot not only hijacks systems but uses them to spread its code, like a virus, and it relies on good old-fashioned clickbait to get in.
It is part of a continuing trend of hackers hitting non-traditional targets to generate easy money. Unlike the hacktivists, data thieves, and nuisance hackers that used to dominate the headlines, today's global network of techno-thieves doesn't need to point its code at governments or big banks' websites to earn a living. This is widely demonstrated by ransomware, where the estimated average payout demand is only about $1,000. In point of fact, one of the bigger ransomware stories, NotPetya, requested only $300 to unlock files (which it didn't - but that is another story). And now it is further driven home by bitcoin-mining malware.
Bitcoin mining malware is able to profit similarly by targeting small players who don’t (or can’t) spend the right resources to protect themselves. Although it may target end users, corporate IT departments certainly don’t want their resources to be mining bitcoins during business hours either.
First, a little lesson…
Almost since inception, the cost to mine bitcoins in terms of electricity and network access was higher than the value of the bitcoins mined at the time. It made sense for data centres running specialized hardware in low-cost electricity areas, but it was hard for an individual with an expensive graphics card to make a buck after all the costs were considered.
The massive growth in speculative bitcoin value over the last year proved some of this thinking wrong (notably, your author regrets the decision he made about 6 or 7 years ago not to mine). That said, many still consider it true that using your own infrastructure to mine is closer to gambling than investing. However, for a hacker that can recruit a few thousand machines to quietly run calculations in the background, the world is a literal gold mine. Or rather, you are the slave working in the gold mine for them.
CIRA currently has about 500,000 Canadian users being protected by our D-Zone DNS Firewall and when we looked at the top 10 sites that we blocked in the last week we saw direct evidence of this attempted malware distribution. Notably, a “block” is registered when an end user attempts to click on a link to a threat OR an infected device attempts to call out to its command and control using the DNS.
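To make the two ideas above concrete (a "block" is a DNS query that matches the block list, whether a user clicked a link or an infected host is calling home, and the top blocked names were random strings under .bid), here is an added example that is not CIRA code and says nothing about how D-Zone itself is built. It tallies blocks from a resolver query log and flags random-looking .bid names that are not on the list yet. The BIND-style log format, the log lines, the block list contents, and the entropy threshold are all constructed assumptions; the .bid names are invented strings, not real domains.

```python
"""Tally DNS-firewall blocks from a query log and flag random-looking .bid names.

Added illustration, not CIRA's code. The log line format (BIND-style query log),
the block list contents and the entropy threshold are all assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample: a handful of BIND-style query log lines. The .bid names are
# invented random strings for the example, not real domains.
SAMPLE_QUERY_LOG = """\
12-Jan-2018 09:14:02.113 client 192.0.2.10#52311: query: www.cira.ca IN A + (192.0.2.53)
12-Jan-2018 09:14:03.220 client 192.0.2.10#52312: query: a8f3kq9zx2pm.bid IN A + (192.0.2.53)
12-Jan-2018 09:14:05.007 client 192.0.2.11#40122: query: a8f3kq9zx2pm.bid IN A + (192.0.2.53)
12-Jan-2018 09:14:06.911 client 192.0.2.12#40123: query: bot-c2.example IN A + (192.0.2.53)
12-Jan-2018 09:14:08.345 client 192.0.2.13#40124: query: q7wz1nb4vjk0.bid IN A + (192.0.2.53)
12-Jan-2018 09:14:09.100 client 192.0.2.10#52313: query: mail.example.org IN MX + (192.0.2.53)
12-Jan-2018 09:14:11.478 client 192.0.2.14#40125: query: bot-c2.example IN A + (192.0.2.53)
"""

# Constructed block list standing in for the firewall's feed (hypothetical names).
BLOCKLIST = {"a8f3kq9zx2pm.bid", "bot-c2.example"}

LINE_RE = re.compile(r"client (?P<client>\S+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for a repeated character)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_random(qname: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Heuristic for the random-string .bid names seen in the top-10 list: a long,
    high-entropy second-level label directly under .bid. Thresholds are assumptions;
    tune them on your own traffic to keep false positives down."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "bid":
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def classify(qname: str) -> str:
    """'blocked' if the name is on the feed, 'suspicious' if it merely looks like a
    random .bid name that is not on the feed yet, otherwise 'allowed'."""
    name = qname.rstrip(".").lower()
    if name in BLOCKLIST:
        return "blocked"
    if looks_random(name):
        return "suspicious"
    return "allowed"


def analyze(log_text: str):
    """Return (Counter of blocked names, Counter of suspicious-but-unblocked names).
    A block is counted per query, so a user clicking a link and an infected host
    polling its C2 both show up the same way, as the post describes."""
    blocked, suspicious = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record; skip
        verdict = classify(m["qname"])
        if verdict == "blocked":
            blocked[m["qname"].lower()] += 1
        elif verdict == "suspicious":
            suspicious[m["qname"].lower()] += 1
    return blocked, suspicious


if __name__ == "__main__":
    blocked, suspicious = analyze(SAMPLE_QUERY_LOG)
    print("Top blocked domains:")
    for name, hits in blocked.most_common(10):
        print(f"  {hits:3d}  {name}")
    print("Random-looking .bid names not yet on the block list:")
    for name, hits in suspicious.most_common():
        print(f"  {hits:3d}  {name}")
```

The entropy check is deliberately narrow (only .bid, only long labels) because a high-entropy label alone also matches CDN hostnames and tracking subdomains; in practice you would feed the "suspicious" bucket to an analyst or a reputation lookup rather than block on it directly.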