Everyone is trying to get their hands on the latest Antminer S9 ASIC from Bitmain. This is something that has also not escaped the attention of various online scammers.
One that is making the rounds on Facebook appears to offer the Antminer S9 with a limited batch release later in the afternoon. This was a sponsored Facebook ad from a page that, on the face of it, seemed “legit”.
To the untrained eye, the domain of the site itself also appeared legitimate (shop.bitmain.com). The site was also served over SSL, which further convinced some visitors that it was the actual site.
However, upon closer inspection, one would discover that there was a small dot underneath the “n” in the domain. Indeed, it was small enough to mistake for a speck on the screen. This did not escape one user, who tweeted it to Bitmain.
— Wong Joon Ian (@joonian) January 13, 2018
To which Bitmain was quick to reply and point out the minor imperfection below the domain.
That is a fraudulent website. Please don't fall into the trap like some other buyers. If you look closely the "n" in https://t.co/lsOyycXY5G is not actually the "n" it should be. Unfortunately some buyers have already become victims of this fraud.
— BITMAIN (@BITMAINtech) January 13, 2018
As pointed out by Bitmain, there were quite a few users who fell victim to the scam. Given that each of the miners goes for $2,300, it is quite a bit of money that they were likely to have lost.
It's the n with a comma underneath "ņ" I got burned 2 days ago by them. It was quite the elaborate phish. The website was identical except for the changed n. The site linked over https://t.co/nEJuMPb3l5 but it's down for now.
— Alex Sterling (@sterling_724) January 15, 2018
Add to this the likely current demand for this mining rig, and some buyers may have bought batches in the hope of flipping the rigs as resellers.
Given that the site will have used Bitcoin cash as a payment method, these users will also likely struggle to ever recover their payments. Thankfully, Facebook was able to move really quickly on this and close the ads down.
What is clear from this phishing attempt is how sophisticated it appeared to be. Not only did the scammer get an SSL certificate for the site, but he also used an advanced domain phishing technique.
Usually, scammers will only change around the letters to make the domain appear legitimate. These are sometimes slightly easier to spot at the user level and the domains are usually already purchased by the company in question (to prevent this).
In this case, the attacker used a sophisticated homograph attack. More particularly, they registered the following domain: xn--bitmai-1eb.com. The browser interpreted the “-1eb” as a character from another language's alphabet.
Hence, the “n” with the mark below it is most likely from the Cyrillic alphabet, and the users' browsers were unable to detect the homograph attack.
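A defensive check for the kind of lookalike domain described above, as an added example that is not part of the original article: it decodes each `xn--` label, lists the non-ASCII characters with their Unicode names, and compares a diacritic-stripped form of the host against a list of protected domains. The `PROTECTED` list and the function names are assumptions made for illustration.

```python
import unicodedata

# Assumption: the brand domains a defender wants to protect.
PROTECTED = {"bitmain.com"}


def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode if it starts with xn--)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text):
    """Strip diacritics: decompose (NFKD) and drop the combining marks."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def inspect_host(host):
    """Decode a hostname and flag it if it imitates a protected domain."""
    unicode_host = ".".join(decode_label(part) for part in host.split("."))
    # Every non-ASCII character, with its code point and official Unicode name.
    non_ascii = [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                 for c in unicode_host if ord(c) > 127]
    skel = skeleton(unicode_host)
    # Only a host that contains non-ASCII characters can be a lookalike here;
    # the genuine ASCII domain must not flag itself.
    imitates = next((p for p in sorted(PROTECTED)
                     if non_ascii and (skel == p or skel.endswith("." + p))), None)
    return {"unicode": unicode_host, "non_ascii": non_ascii, "imitates": imitates}


if __name__ == "__main__":
    # The first host is the domain named in the article; the second is the real shop.
    for h in ("shop.xn--bitmai-1eb.com", "shop.bitmain.com"):
        print(h, inspect_host(h))
```

Stripping diacritics only catches accented lookalikes such as this one; characters borrowed from a different script that look like Latin letters need a confusables table (Unicode TS #39) instead.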
Caution is Key
If this demonstrates anything, it shows the lengths that scammers are willing to go to in order to phish your cryptocurrency. From elaborate DNS hacks to fake mobile applications, scammers are relying on complacent crypto users.
Hence, it is up to you as a user to take extra caution whenever visiting popular sites, online wallets or exchanges. Always double check the domain that you are visiting and be extra cautious when asked for any private key information.
Phishing is still a social engineering attack and as such, you remain the weakest link.