Editorial note: Every week, we are going to examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA’s D-Zone DNS Firewall.
In our last weekly update, we noted that five of the top 10 domains we blocked in Canada were related to attempts to distribute bitcoin mining malware. Specifically, items 6-10 on the list were bitcoin miners using .bid domains.
This week’s list flips that on its head where the top six blocked domains were bitcoin miners with five of the six being .bid sites and one being a .me site - but that isn’t even the interesting part. There was a 115x increase in attempted clicks (queries) out to Bitcoin miners. When something goes up to that quickly it warrants attention and awareness.
What constitutes a query? There are plenty of reasons for a user to attempt to access a site that distributes bitcoin miners (or any malware really). In this case, typical vectors could range from clickbait emails, ads that accompany a click on a torrent site or even sites that attempt to mine coins in the background, so-called “drive-by mining”. The latter reason represents a perhaps educated user who would ignore a pop-up, but at this scale IT departments in Canada need to be aware of the increased threat to their resources being used inadvertently by miners.