Attackers are playing on the hype around the crypto-currency Bitcoin to cast a wider phishing net looking for victims. It’s not just bank credentials cyber-criminals are looking for.
Enterprise information security firm Proofpoint detected 12,000 messages sent in two separate waves trying to trick victims into handing over their wallet credentials on the Blockchain.info site, the company said in a blog post Wednesday. With these credentials, attackers would be able to transfer out all the Bitcoins in the victim’s wallet into another. The surprising part about this campaign was the fact that the Bitcoin credential phishing campaign received a 2.7 percent click rate, which is much higher than the percentage of Bitcoin users in the general population, Proofpoint found.
This suggests attackers are sending these phishing emails to people who don’t have Bitcoins, and “a mix of both Bitcoin and non-Bitcoin users were clicking,” Proofpoint said.
Past Bitcoin-focused attacks relied on lists of known and active users. This campaign sent phishing emails over two days to 400 companies, which spanned across industry sectors, including higher education, financial services, high tech, media, and manufacturing, Proofpoint found.
“The broad nature of this campaign was surprising, since most other Bitcoin phishing attacks have targeted known Bitcoin users,” Proofpoint said.
While 12,000 sounds like a lot, it’s worth remembering that attackers generally send out millions of messages during the course of a campaign. It is likely that this was a trial run, with attackers experimenting with ways to find Bitcoin users without relying on user lists. As phishing campaigns go, this appears to be fairly simple and low-volume.
Attackers initially used a single hostname in each email, but customized the URL for each victim by including a unique parameter, according to Proofpoint’s blog post. The original hostname was added to a spam blocklist fairly quickly, and attackers switched to randomized URLs from multiple domains in the second wave. This is another clue this could have just been a trial run for inexperienced criminals because the initial attack method was easy to block.
Security professionals cannot discount any phishing emails, even if the contents don’t appear to be relevant to their users, Proofpoint warned. The fact that so many non-Bitcoin users clicked on the links is worrying, since a more sophisticated “multi-variant” version of this campaign could have downloaded malware onto victim computers, or stolen credentials for other accounts.
“Effective lures attract clicks even from users who should have no reason to click,” Proofpoint said.
As for the email, it followed the familiar “account warning” template used for banks and online payment services, with a message that there was a failed login attempt originating from China, Proofpoint said. Instead of an actual bank name, the email used the Blockchain.info name. A unique-looking Case ID helped make the email look real. If the user clicked on the “Reset Password” button in the message, the user was directed to a realistic-looking, but fake, Blockchain login page. The credentials entered on this page are captured and sent to attackers while users are shown a generic error message. Attackers are then able to login and steal the Bitcoins.
It’s worth remembering that even though Bitcoin is an estimated $6.8 billion target for cybercriminals, the number of people who have the currency and are actually using it are very small compared to the overall population. The small number of users doesn’t appear to be deterring cyber-criminals, however.
“It would only take hitting one drug dealer’s wallet to make it all worthwhile,” Andrew Conway, a researcher from Cloudmark, told SecurityWeek.