Cryptocurrencies are increasingly being used for mainstream applications, outside of the dark web markets where they still dominate for anonymous payments. As a result, we are observing phishing attacks and various schemes targeting cryptocurrency wallets and credentials for online exchanges more frequently, with cybercriminals hoping to steal significant sums of largely untraceable currency. The most recent of these targets the Litecoin platform, the popularity of which is increasing globally.
Proofpoint researchers regularly monitor newly registered domains, with particular attention to typosquatting and to areas of emerging interest for attackers (like cryptocurrencies). In this case, we noticed two interesting newly created domains, itecoin[.]org and ltecoin[.]org, which appeared to be clones of the legitimate site litecoin.org.
Figure 1: Legitimate Litecoin.org
Figure 2: Imposter website ltecoin[.]org with stolen branding and creative
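The kind of screening described above can be sketched as follows. This is an added example, not Proofpoint's tooling: it flags entries in a feed of newly registered domains whose name is one edit away from a protected name. `PROTECTED`, `SAMPLE_FEED` and the function names are assumptions, and the feed is constructed from the two domains named above plus benign entries.

```python
# Added example: one-edit lookalike screening for newly registered domains.
PROTECTED = ["litecoin.org"]  # assumption: the brand domains being defended

# Constructed sample feed: the two domains from this post plus benign entries.
SAMPLE_FEED = ["itecoin[.]org", "example.org", "ltecoin[.]org",
               "bitcoin.org", "litecoin.org"]

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ab" <-> "ba".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def split_domain(domain):
    """Normalise a (possibly defanged) registrable domain into (label, tld).
    Assumes a single-label TLD, which holds for typical registration feeds."""
    d = domain.strip().lower().replace("[.]", ".").rstrip(".")
    label, _, tld = d.rpartition(".")
    return label, tld

def find_typosquats(new_domains, protected=PROTECTED, max_dist=1):
    """Return (candidate, brand, distance) for near-miss names.
    Distance 0 is the brand itself and is never flagged."""
    hits = []
    for cand in new_domains:
        c_label, _ = split_domain(cand)
        for brand in protected:
            b_label, _ = split_domain(brand)
            dist = osa_distance(c_label, b_label)
            if 0 < dist <= max_dist:
                hits.append((cand, brand, dist))
    return hits

if __name__ == "__main__":
    for cand, brand, dist in find_typosquats(SAMPLE_FEED):
        print(f"{cand} resembles {brand} (distance {dist})")
```

Keeping `max_dist` at 1 leaves an unrelated but similar-looking name such as bitcoin.org (distance 2) out of the results; raising it widens coverage at the cost of more manual review.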
The websites do not share the same hosting. DNS information is shown below for both domains:

$ host litecoin.org
litecoin.org has address 188.8.131.52
litecoin.org has address 184.108.40.206
litecoin.org is an alias for litecoin.org.
litecoin.org has address 220.127.116.11
litecoin.org mail is handled by 50 aspmx3.googlemail.com.
litecoin.org mail is handled by 10 aspmx.l.google.com.
litecoin.org mail is handled by 20 alt1.aspmx.l.google.com.
litecoin.org mail is handled by 40 aspmx2.googlemail.com.
litecoin.org mail is handled by 30 alt2.aspmx.l.google.com.

$ host ltecoin.org
ltecoin.org has address 18.104.22.168
ltecoin.org is an alias for ltecoin.org.
ltecoin.org has address 22.214.171.124
ltecoin.org mail is handled by 10 smx1.web-hosting.com.
ltecoin.org mail is handled by 30 smx3.web-hosting.com.
ltecoin.org mail is handled by 20 smx2.web-hosting.com.
Whois information for the typosquatted ltecoin[.]org appears very suspicious:Re...