A new phishing campaign has been hitting customer relationship management (CRM) and bulk email providers to distribute phishing messages targeting cryptocurrency owners.
Dubbed PoisonSeed, the campaign involves a new tactic where the victim is provided with a crypto seed phrase that allows the threat actor to steal their assets. The equivalent of a private key, these phrases can be used to import wallets to new devices.
The attacks have been hitting CRM and bulk email providers such as Mailchimp, Hubspot, Mailgun, SendGrid, and Zoho, targeting users of Coinbase and Ledger, cyber intelligence firm Silent Push says.
For the past month, PoisonSeed has been targeting potential victims with phishing emails claiming that Coinbase was moving to self-custodial wallets, and urging users to transfer their assets to new cryptocurrency wallets.
To evade detection, instead of embedding malicious links in their messages, the attackers included security seed phrases, instructing the recipients to use them when creating new wallets, thus gaining access to the funds.
Coinbase alerted users of such attacks in mid-March, warning them to never enter a recovery phrase received by someone else. Coinbase users are estimated to have lost roughly $46 million worth of cryptocurrency to phishing.
The Coinbase phishing emails, Silent Push says, were sent from a compromised Akamai SendGrid account that was also used to send phishing messages aimed at compromising other organizations’ SendGrid accounts, likely to perpetuate the scam through more bulk email accounts.
Digging deeper, the cybersecurity firm identified 49 unique domains that were connected to the phishing campaign and discovered that the threat actor was also targeting Ledger wallets.
Furthermore, it connected the PoisonSeed campaign to a Mailchimp phishing attack that Troy Hunt, maintainer of the Have I Been Pwned? data breach notification service, fell victim to in late March.
The attack relied on a phishing page hosted on mailchimp-sso [.] com, a domain that has been used for malicious activities since 2022, and which was previously associated with a threat actor tracked as Scattered Spider, UNC3944, Scatter Swine, Starfraud, and Muddled Libra.
Silent Push also discovered a connection with CryptoChameleon, the phishing kit that was used last year in a sophisticated phishing attack targeting both cryptocurrency platforms and FCC employees.
Despite these connections, however, Silent Push believes that PoisonSeed is a different threat: Scattered Spider targets other brands, and, while this could be a fresh phishing kit from CryptoChameleon, the threat actor is known for the use of other phishing methods.
Related: Morphing Meerkat Phishing Kits Target Over 100 Brands
Related: Browser Security Under Siege: The Alarming Rise of AI-Powered Phishing
Related: Scareware Combined With Phishing in Attacks Targeting macOS Users
Related: Microsoft 365 Targeted in New Phishing, Account Takeover Attacks
