Cryptocurrency Phishing/Scams

    Date: 08/05/2024

    Severity: Critical

    Summary

    "Cryptocurrency phishing/scams" involve deceptive tactics aimed at stealing funds or personal information from cryptocurrency users. Common scams include phishing emails or messages that impersonate legitimate services, fake websites that capture login details, and fraudulent investment schemes promising high returns. These scams exploit the growing popularity of cryptocurrencies, highlighting the need for vigilance and careful verification to protect against financial loss and identity theft.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "dcsmlxyusdt.com" or url like "dcsmlxyusdt.com" or userdomainname like "tradecoin-vip.com" or url like "tradecoin-vip.com" or userdomainname like "test.super369.icu" or url like "test.super369.icu" or userdomainname like "oke.dog" or url like "oke.dog" or userdomainname like "btcbourse.world" or url like "btcbourse.world" or userdomainname like "pisces-vips.com" or url like "pisces-vips.com" or userdomainname like "xexplm.com" or url like "xexplm.com" or userdomainname like "wsamll.net" or url like "wsamll.net" or userdomainname like "finance-dnxesomi.com" or url like "finance-dnxesomi.com" or userdomainname like "cexbp.com" or url like "cexbp.com" or userdomainname like "paxc.cc" or url like "paxc.cc" or userdomainname like "crypto13036947.com" or url like "crypto13036947.com" or userdomainname like "zbz-nexx.top" or url like "zbz-nexx.top" or userdomainname like "cuoixgem.com" or url like "cuoixgem.com" or userdomainname like "graeyal.cyou" or url like "graeyal.cyou" or userdomainname like "online-usdt.shop" or url like "online-usdt.shop" or userdomainname like "bloombergdown.com" or url like "bloombergdown.com" or userdomainname like "zbz-nex.com" or url like "zbz-nex.com" or userdomainname like "bitft6888.top" or url like "bitft6888.top" or userdomainname like "leees-usdt.cyou" or url like "leees-usdt.cyou" or userdomainname like "mmm.1mhgbt.buzz" or url like "mmm.1mhgbt.buzz" or userdomainname like "bittradeint.com" or url like "bittradeint.com" or userdomainname like "bmt-seo3.top" or url like "bmt-seo3.top" or userdomainname like "grraysel.cyou" or url like "grraysel.cyou" or userdomainname like "tbwaba.com" or url like "tbwaba.com"

    Detection Query 2

    userdomainname like "cexdr.com" or url like "cexdr.com" or userdomainname like "onbara.com" or url like "onbara.com" or userdomainname like "strikeaa.live" or url like "strikeaa.live" or userdomainname like "aaex773.xyz" or url like "aaex773.xyz" or userdomainname like "globalcurrency.top" or url like "globalcurrency.top" or userdomainname like "cbs-dexx.top" or url like "cbs-dexx.top" or userdomainname like "bitflyioho.com" or url like "bitflyioho.com" or userdomainname like "getbit365.top" or url like "getbit365.top" or userdomainname like "qqd2ep76.com" or url like "qqd2ep76.com" or userdomainname like "option-mexc.vip" or url like "option-mexc.vip" or userdomainname like "cexbh.com" or url like "cexbh.com" or userdomainname like "getbit.vip" or url like "getbit.vip" or userdomainname like "vapors.cloud" or url like "vapors.cloud" or userdomainname like "ouyiusdtr.vip" or url like "ouyiusdtr.vip" or userdomainname like "mbn-coin.com" or url like "mbn-coin.com" or userdomainname like "nexusx.cloud" or url like "nexusx.cloud" or userdomainname like "fzcm01.com" or url like "fzcm01.com" or userdomainname like "bittrpro.xyz" or url like "bittrpro.xyz" or userdomainname like "ledgerx-tys.xyz" or url like "ledgerx-tys.xyz" or userdomainname like "easymarket.cc" or url like "easymarket.cc" or userdomainname like "cryptocloud.vip" or url like "cryptocloud.vip" or userdomainname like "d16789.com" or url like "d16789.com" or userdomainname like "cointr9.vip" or url like "cointr9.vip" or userdomainname like "btcpros.vip" or url like "btcpros.vip"
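The two TDIR queries above match each IOC with `like` against `userdomainname` and `url`; on many platforms that is a substring or pattern test, so a hit on `oke.dog` would also fire on any URL that merely contains those characters. The following is an added example (not code from the page, from Gurucul, or from Unit 42) that applies a subset of the advisory's domains to constructed proxy log lines, matching on the URL's host and its parent domains rather than on raw substrings; the log format and field layout are assumptions.

```python
from urllib.parse import urlsplit

# Subset of the advisory's IOC domains, used here as the blocklist.
IOC_DOMAINS = {"oke.dog", "getbit.vip", "cexbp.com", "mmm.1mhgbt.buzz"}

# Constructed sample proxy log (not real traffic): timestamp, user, url.
SAMPLE_LOG = """\
2024-08-05T10:01:02Z alice https://www.oke.dog/login
2024-08-05T10:01:05Z bob https://oke.dog.example.net/ok
2024-08-05T10:02:11Z carol https://getbit.vip/
2024-08-05T10:03:40Z dave https://www.example.com/news
2024-08-05T10:04:09Z erin https://MMM.1MHGBT.BUZZ/app?ref=1
"""

def host_of(url):
    """Extract the lower-cased host from a URL ('' if none)."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else ""

def matches_ioc(host, iocs=IOC_DOMAINS):
    """Exact or parent-domain match on the host only.
    'www.oke.dog' hits 'oke.dog'; 'oke.dog.example.net' does not,
    because its registrable domain is example.net."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))

def substring_match(url, iocs=IOC_DOMAINS):
    """Behaviour of a plain `url like "<ioc>"` substring test, kept
    only to show which lines it would flag that host matching does not."""
    return any(ioc in url.lower() for ioc in iocs)

def scan_log(text):
    """Return (user, host) for every log line whose host matches an IOC."""
    hits = []
    for line in text.splitlines():
        _ts, user, url = line.split(maxsplit=2)
        host = host_of(url)
        if matches_ioc(host):
            hits.append((user, host))
    return hits

if __name__ == "__main__":
    for user, host in scan_log(SAMPLE_LOG):
        print(f"IOC hit: user={user} host={host}")
```

The second sample line is the one to watch: substring matching flags it because the URL contains `oke.dog`, while host matching correctly leaves it alone.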

    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-01-Cryptocurrency-Phishing-Scams.txt

     
