| 26 August 2014
Bitcoin is so incredibly hyped that this phishing attack had even non-Bitcoin users actually clicking on the link! The phishing campaign received a 2.7% click rate, much higher than the percentage of Bitcoin users in the general population.
“Cybercriminals are continuing to improve their odds of success by exploiting human psychology as well as technology. Proofpoint’s research team recently observed a startling example of these ‘human factor’ exploit tactics in a campaign nominally targeted at stealing Bitcoin access credentials.
The campaign was sent to a wide range of corporate and non-corporate users – and fully 2.7% of the recipients clicked on the embedded phishing URL, much higher than the percentage of Bitcoin users in the general population. People who had no Bitcoin accounts – no reason to click on the email solicitation – were clicking anyway. It seems likely that attackers were taking advantage of Bitcoin’s recent popularity in the news to engage targeted users’ curiosity.
This disproportionate click rate is particularly concerning in light of recent multi-variant campaigns – as attackers can rotate payloads, targeting clicking users with DDOS malware, remote access Trojans, corporate credential phish, or other threats.
The implications for corporate security teams are significant. Security professionals cannot afford to ignore any phishing emails, even what initially appear to be consumer-oriented campaigns not relevant to professional end users, as such topical phish clearly compels clicks even from users who should have no reason to click.”
Proofpoint Threat Insight Blog Entry
Curiosity Clicks: Using Bitcoin’s hype for phishing fun
The world of the crypto currency Bitcoin stands in stark contrast to that of heavily regulated and policed government backed currencies, online banking and payment services. Unregulated and designed for anonymity, Bitcoin represents an attractive, $6.8 billion target to cyber criminals.
Blockchain.info, the most popular Bitcoin “wallet” web site, reports that since September 2013 the number of “My Wallet” users has grown over 500% to over 2 million users, and daily My Wallet transactions have nearly tripled to over 30,000 transactions per day.
In light of these numbers, phishing attacks targeting Bitcoin users are very much ‘fishing expeditions,’ so attackers have used lists of known and active Bitcoin users or leveraged popular misperceptions about Bitcoin to try and improve their odds of success, and attacks generally take the form of credential phish.
In short, while many people have heard of Bitcoin, few are using it and even fewer have any, which is why we were surprised to recently detect a Bitcoin credential phishing campaign that received a 2.7% click rate, much higher than the percentage of Bitcoin users in the general population.
As part of this campaign Proofpoint detected 12,000 messages sent in two separate waves to over 400 organizations across a range of industries, including higher education, financial services, high tech, media and manufacturing. The broad nature of this campaign was surprising, since most other Bitcoin phishing attacks have targeted known Bitcoin users.
The phishing email follows a fairly straightforward “account warning” template, using the Bitcoin site Blockchain.info instead of the usual bank or online payment service names. The message itself alerts the recipient that there was a failed login attempt originating in China, attempting to create a sense of urgency by capitalizing on popular fears over Chinese hacking, while a unique-looking “case ID” lends verisimilitude to the phishing email.
The phishing email follows a fairly straightforward “account warning” template, using the Bitcoin site Blockchain.info instead of the usual bank or online payment service names.
Over two days, the campaign demonstrated the process of adaptation typical of modern phishing campaigns. While the message and content remained the same, the attacker shifted tactics in their use of URLs:
On the first day the campaign used a single hostname (blockchain [dot] info [dot] case975675675 [dot] xyz) within URLs that were individually randomized with a custom parameter in for each email.
Day two emails replaced the randomized URLs with multiple .com domains (e.g., http://blockchain [dot] info [dot] caseid832482834 [dot] com), generated and registered in advance.
This shift in domains is likely due to the fact that the original .xyz hostname was added to SPAM blocklists shortly after the attack began. The cycling of multiple newly-created domains enables the attackers to improve their ability to evade reputation-based blocking.
The fact that 2.7% of recipients clicked on the link makes it likely that a mix of both Bitcoin and non-Bitcoin users were clicking on this phishing email. Clicking the Reset Password button in the messages sends the recipient to a realistic but fake Blockchain login page:
Any information entered by the user into this page will be captured and immediately sent to the phishing attackers, while the user is sent to a generic login error message. Once equipped with this information, the attackers can login to the user’s real Blockchain.info account and send bitcoin to any wallet they want. Because Bitcoin transactions are by design irreversible and difficult to trace, the victim has almost no recourse for their loss. Moreover, the measures that protect consumers from losses due to online banking fraud do not apply to Bitcoin users, making it unlikely a Bitcoin thief will have to contend with pursuit by banks.
This simple but effective phishing campaign demonstrates that security professionals cannot afford to discount any phishing emails, even consumer-based messages that do not appear to be relevant to their end users, because effective lures attract clicks even from users who should have no reason to click. A more sophisticated, “multi-variant” version of this campaign could have a much greater impact, enabling attackers to target clicking users with malware, Trojans, corporate credential phish, spam or other threats.
But this is what we’re seeing – what has been your experience? Share your experiences in the Comments.
Phishing, Malware, Bitcoin
Are your users Bitcoins safe? Proofpoint researchers recently discovered a large scale phishing campaign that is unusual in its targeting of mainstream corporate email addresses. Surprisingly users clicked even if they didn’t use Bitcoin.