
SecurityWeek

Cybercriminals Embark on Bitcoin Phishing Expedition

Attackers are playing on the hype around the crypto-currency Bitcoin to cast a wider phishing net looking for victims. It’s not just bank credentials cyber-criminals are looking for.

Enterprise information security firm Proofpoint detected 12,000 messages, sent in two separate waves, that tried to trick victims into handing over their wallet credentials on the Blockchain.info site, the company said in a blog post Wednesday. With these credentials, attackers would be able to transfer all the Bitcoins in the victim’s wallet into another wallet. The surprising part was that the campaign received a 2.7 percent click rate, which is much higher than the percentage of Bitcoin users in the general population, Proofpoint found.

This suggests attackers are sending these phishing emails to people who don’t have Bitcoins, and “a mix of both Bitcoin and non-Bitcoin users were clicking,” Proofpoint said.

Past Bitcoin-focused attacks relied on lists of known and active users. This campaign sent phishing emails over two days to 400 companies, which spanned across industry sectors, including higher education, financial services, high tech, media, and manufacturing, Proofpoint found.

“The broad nature of this campaign was surprising, since most other Bitcoin phishing attacks have targeted known Bitcoin users,” Proofpoint said.

While 12,000 sounds like a lot, it’s worth remembering that attackers generally send out millions of messages during the course of a campaign. It is likely that this was a trial run, with attackers experimenting with ways to find Bitcoin users without relying on user lists. As phishing campaigns go, this appears to be fairly simple and low-volume.

Attackers initially used a single hostname in each email, but customized the URL for each victim by including a unique parameter, according to Proofpoint’s blog post. The original hostname was added to a spam blocklist fairly quickly, and attackers switched to randomized URLs from multiple domains in the second wave. This is another clue this could have just been a trial run for inexperienced criminals because the initial attack method was easy to block.
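The two URL patterns described above can be looked for in mail-gateway logs. The following is an added example, not code from Proofpoint or the original article; the record layout, subject line, host names, and the `min_recipients` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed mail-gateway records: (recipient, subject, link). All names are made up.
LURE = "Failed login attempt"
SAMPLE_LOG = [
    # Wave-one shape: one hostname, a different parameter value per recipient
    ("ann@corp.example", LURE, "http://wallet-reset.example/r?id=9f3a1c"),
    ("bob@corp.example", LURE, "http://wallet-reset.example/r?id=27be40"),
    ("cy@uni.example", LURE, "http://wallet-reset.example/r?id=c81d77"),
    ("dee@media.example", LURE, "http://wallet-reset.example/r?id=e0a95b"),
    # Wave-two shape: same lure, a different randomized host in each message
    ("eve@corp.example", LURE, "http://qx7k2.example/a8d1"),
    ("fay@uni.example", LURE, "http://m4p9t.example/1c0e"),
    ("gus@media.example", LURE, "http://zz81b.example/77fa"),
    # Benign newsletter: the parameter value is shared by every recipient
    ("ann@corp.example", "Weekly news", "http://news.example/w?utm_campaign=spring"),
    ("bob@corp.example", "Weekly news", "http://news.example/w?utm_campaign=spring"),
    ("cy@uni.example", "Weekly news", "http://news.example/w?utm_campaign=spring"),
]

def per_recipient_token_hosts(records, min_recipients=3):
    """Flag hosts whose links share a path but carry a distinct value per recipient."""
    seen = defaultdict(lambda: defaultdict(set))  # (host, path, param) -> value -> recipients
    for rcpt, _subject, url in records:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            seen[(parts.hostname, parts.path, name)][value].add(rcpt)
    flagged = {}
    for (host, path, name), values in seen.items():
        recipients = set().union(*values.values())
        # Every value seen by exactly one recipient: a per-victim token, not a campaign tag
        if len(recipients) >= min_recipients and len(values) == len(recipients):
            flagged[host] = (path, name, len(recipients))
    return flagged

def lure_host_spread(records):
    """Group link hosts by subject, so a lure that rotates hosts still clusters."""
    spread = defaultdict(set)
    for _rcpt, subject, url in records:
        spread[subject].add(urlsplit(url).hostname)
    return dict(spread)

if __name__ == "__main__":
    print(per_recipient_token_hosts(SAMPLE_LOG))
    print({s: len(h) for s, h in lure_host_spread(SAMPLE_LOG).items()})
```

The first function catches the single-hostname wave; the second shows why hostname blocklisting alone misses the follow-up wave, since the same lure fans out across several hosts.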

Security professionals cannot discount any phishing emails, even if the contents don’t appear to be relevant to their users, Proofpoint warned. The fact that so many non-Bitcoin users clicked on the links is worrying, since a more sophisticated “multi-variant” version of this campaign could have downloaded malware onto victim computers, or stolen credentials for other accounts.

“Effective lures attract clicks even from users who should have no reason to click,” Proofpoint said.

As for the email, it followed the familiar “account warning” template used for banks and online payment services, with a message that there was a failed login attempt originating from China, Proofpoint said. Instead of an actual bank name, the email used the Blockchain.info name. A unique-looking Case ID helped make the email look real. If the user clicked on the “Reset Password” button in the message, the user was directed to a realistic-looking, but fake, Blockchain login page. The credentials entered on this page are captured and sent to attackers while users are shown a generic error message. Attackers are then able to log in and steal the Bitcoins.

It’s worth remembering that even though Bitcoin is an estimated $6.8 billion target for cybercriminals, the number of people who have the currency and are actually using it is very small compared to the overall population. The small number of users doesn’t appear to be deterring cyber-criminals, however.

“It would only take hitting one drug dealer’s wallet to make it all worthwhile,” Andrew Conway, a researcher from Cloudmark, told SecurityWeek.
