In studying the dynamics of e-fraud in relation to commercial holidays, Heimdal™ Security has discovered that e-fraud activity shows a steady increase, especially in the cryptomining area. Per the study, more than 30% of malicious domains identified during the crawled Black Friday period (i.e. in or around November the 13th 2020) either are tied to illicit cryptomining activity or contain cryptomining software with auto-download and execution features. All of the domains mentioned in this article have been inspected and blocked by Heimdal™ Security.
Black Friday and the Cryptomining Surge
Causal vs. conjectural analysis has underlined that the data retrieved by Heimdal™ throughout the aforementioned timeframe supports the statement that illicit cryptomining activity has intensified compared to non-commercial-holidays-related timespans.
Experience dictates that consumer behavior should be adapted to counter these types of incidents (e.g. Black Friday and similar events are notoriously known to encourage borderline legal business practices such as fake discounts, aggressive marketing campaigns for misrepresented products, etc.). The online world is no stranger to this kind of ‘extralegal’ activity – from phishing campaigns to sophisticated cyberattacks, threat actors would do just about anything to spirit away financial credentials and line their pockets.
The data gathered by Heimdal™ proves that there is an increased ‘interest’ in the cryptomining area. Below, I have redacted the numbers associated with the Black Friday 2020 timeframe (November 13 ± 5 days).
| Detected domain(s) | No. of recorded hits |
| 142-19-42-23. unamed.ch | 13416 |
| esmc.sjmicros.co.uk | 9217 |
| exodus.desync.com | 8660 |
| shared.ydstatic.com | 7414 |
| dl-mail.ymail.com | 6554 |
| none-stops.net | 5874 |
| a.exosrv.com | 5824 |
| tracker.tfile.co | 5577 |
| setup.rbxcdn.com | 5557 |
| vihansoft.ir | 5448 |
| report.url.cn | 4991 |
| cdn.geni.us | 4712 |
| syndication.exosrv.com | 4535 |
| pool.supportxmr.com | 4497 |
| pool-sg.supportxmr.com | 4482 |
| pool-hk.supportxmr.com | 4481 |
| pool-nyc.supportxmr.com | 4480 |
| pool-phx.supportxmr.com | 4475 |
| pool-at.supportxmr.com | 4474 |
| pool-fr.supportxmr.com | 4474 |
| start.desktopcal.com | 4457 |
| ads.exosrv.com | 4306 |
| monerohash.com | 4144 |
| xmrpool.eu | 4047 |
| t1.daumcdn.net | 3892 |
| moevideo.biz | 3666 |
| st.wgplayer.com | 3034 |
| eu.1push.io | 3005 |
| img.turncdn.com | 2984 |
Telemetry was extracted by Heimdal™ Security SOC team for the Black Friday 2020 timeframe (November 13 ± 5 days). Our analysis performed on the tainted domains crawled during the above-mentioned timeframe revealed the following data:
- 9 out of 29 attack domains were crypto-related. 31.3% of detected aggressions, totalling 39,554 hits, were found to be malicious (and obfuscated) cryptomining domains. The domains are as follows: pool.supportxmr.com, pool-sg.supportxmr.com, pool-hk.supportxmr.com, pool-nyc.supportxmr.com, pool-phx.supportxmr.com, pool-at.supportxmr.com, pool-fr.supportxmr.com, monerohash.com, and xmrpool.eu.
- One domain (desync.com) points to a media-sharing website with malicious content.
- One domain (shared.ydstatic.com) points to a portal-like media-sharing website that can potentially be used to mass-distribute unwanted and/or malicious software.
- One domain (none-stops.net) pointed to a domain that dropped malicious executables on the victim’s machine.
- One domain (exosrv.com) points to a sexually-explicit media-sharing website with malicious content.
- One domain (tracker.tfile.co) points to a P2P file-sharing website, deep-rooted in illegal media sharing and duplication (torrent).
- One domain (vihansoft.ir) points to a well-known, C2 (Command & Control) server.
- One domain (ads.exosrv.com) points to a website that hosts adware.
- One domain (t1.daumcdn.net) points to a content delivery, a blog-type website that can potentially be used to distribute malicious content.
A total number of 152,677 hits (i.e. malicious download, entry, probing attempts) were detected during the reference timeframe. The weight of the (detected) attacks originated from a .ch (Switzerland) TLD – 142-19-42-23. unamed.ch. Totaling 13,416 hits, this domain, which, at the moment, cannot be resolved is not related to any known criminal infrastructure nor was it claimed by a particular threat actor.
Who.IS interrogation returned insufficient results to make any assessments regarding its nature, attack vectors, attack surface, intent, targets, and methods. Querying the DNS records for the above-mentioned domains returns an SOA record with TTL 0, meaning that the domain must have had expired sometime after the attacks were carried out. As to other SOA tags (e.g. MNAM, RNAME, SERIAL, REFRESH, RETRY, or EXPIRE), Who.IS cannot return any results.
As to the purpose behind this cryptomining spike in or around Black Friday, it’s not a singular affair. Commercial holidays have always been ‘plagued’ by these types of illegal activities. A simple Google research for “Black Friday discounts” or, in our case, “Cryptocurrency Black Friday deals” reveals just how ‘bountiful’ these holidays can be in terms of e-fraud.
For instance, L.A. Times, a well-regarded US-based newspaper publication, has recently circulated a list of the best Black Friday cryptocurrency-related sales, discounts, and promo codes, with many platforms offering free credits and discounts up to 80% for various (first-time) financial operations. You can check the article here. With such a bounty of ‘potato hot discounts, there are bound to be cybercriminals who prey on the average user’s gullibility when seeing deals that cannot be refused.
How to Stay Protected Against Cryptomining Fraud
Be mindful of the fact that cryptomining fraud is not limited to Black Friday or any other commercial holiday for that matter. It’s a year-round event, if you will, one that comes with dire consequences. As always, I’ve rounded up some of my favorite (and least) cybersecurity tips, tricks, and advice that will help you protect those devices against cryptomining fraud.
- Legitimate vs. illegitimate websites. Be wary when creating a new wallet. Only use known and verified websites. Don’t try out a new crypto site just because it offers better fees, discounts, etc.
- Performance issues. Cryptojacking or what happens after you’ve visited the wrong website can be detected via performance dropouts. For instance, infected devices tend to overheat often and ramp out resources even when idle. Keep an eye on your Task Manager or use a dedicated tool such as Activity Monitor.
- Endpoint scanning. Since crypto-related infections rely on files for various (malicious) tasks, an antivirus would be your best bet at detecting and routing out the infection. Heimdal™ Security’s Next-Gen Antivirus & MDM can completely secure your endpoints against cryptojacking attempts and malicious data exfiltration. On top of that, ensure that auto-scanning is enabled.
- Searching for additional attack vectors. There are other ways to infect devices with cryptomining software. Forged Office documents with auto-enabled macros can also be ‘weaponized’. Ensure that macros are disabled. If you encounter Word or Excel documents that prompt you to active macro, it would be best to delete them or scan them with an antivirus or antimalware tool.
Wrap-up
This is just one of many examples of how threat actors leverage commercial and non-commercial holidays to trick users. With “vigilance” being the word du jour, I’ll take my leave now, but not before telling you to stay away from dubious websites. And, as always, for comments, rants, and generous beer donations, don’t hesitate to write…or send a carrier pigeon.
Did you enjoy this article? Follow us on LinkedIn, Twitter, Facebook, Youtube, or Instagram to keep up to date with everything we post!