More than 400 organizations were recently targeted by a Bitcoin phishing campaign that intended to con users into disclosing their wallet passwords.
According to Proofpoint, a California-based email security firm that recapped the campaign Wednesday, 12,000 messages were recently sent in two waves to a handful of representatives across the higher education, financial services, high tech, media and manufacturing industry.
The messages purport to come from Blockchain.info, the currency’s most popular transaction database, and warn the user that a hijacker was recently spotted trying to access their account.
The alert gives details surrounding the alleged intrusion, including the date, IP address and location of the suspicious sign-in. Likely, in hopes of playing up to recent Chinese hacking stories, the location of the sign-in attempt is labeled as being from “Sichuan, GS, China.”
Each message also has its own “CASE ID,” in hopes of tricking the user into thinking its legitimate.
As Proofpoint points out, the campaign adapted over the course of two days, changing randomized URLs to actual .com domains the attackers had generated in advance.
“This shift in domains is likely due to the fact that the original .xyz hostname was added to SPAM blocklists shortly after the attack began,” the company points out, adding that by cycling through domains, the attackers help stave off their chances of getting caught.
If users click through the “Reset Password” button, they’re led to a fake, yet authentic-looking Blockchain site. Not surprisingly, any information entered here, like a users’ username or password, will get fired off to the attackers while users will get forwarded to a “generic login error message.” From there attackers would be free to make off with users’ Bitcoin.
Blockchain is far and away the most popular Bitcoin wallet service. The site boasts just north of 2 million users – up from 400,000 in September 2013 – and sees upwards to 60,000 transactions a day.
2.7 percent of the campaign’s recipients – likely Bitcoin users and nonusers – opened the messages. And while only one percent of the world’s population uses the crypto-currency, the figure is expected to rise and with it, experts posit, campaigns like these will continue to rope in more victims going forward.
“As Bitcoin gains popularity, we believe that attacks will increase and become more sophisticated,” Kevin Epstein, VP of the firm’s Advanced Security and Governance department.
“The most recent campaign was sent to a wide range of corporate and non-corporate users. People who had no Bitcoin accounts – no reason to click on the email solicitation – were clicking anyways,” Epstein said Wednesday.
Bitcoin searches on Yahoo and Bing were poisoned last summer as attackers tried to trick crypto-currency users into visiting MtPox.com – a domain attackers set up that looked almost identical to MtGox.com, the since-shuttered Bitcoin exchange. Similar to the phony Blockchain site, the fake MtGox.com site tried to get users to enter their name and password.