The world of the crypto currency Bitcoin stands in stark contrast to that of heavily regulated and policed government backed currencies, online banking and payment services. Unregulated and designed for anonymity, Bitcoin represents an attractive, $6.8 billion target to cyber criminals.
Blockchain.info, the most popular Bitcoin “wallet” web site, reports that since September 2013, the number of “My Wallet” users has grown over 500% to over 2 million users, and daily My Wallet transactions have nearly tripled to over 30,000 transactions per day.
In light of these numbers, phishing attacks targeting Bitcoin users are very much ‘fishing expeditions,’ so attackers have used lists of known and active Bitcoin users or leveraged popular misperceptions about Bitcoin to try and improve their odds of success. Attacks generally take the form of credential phish.
In short, while many people have heard of Bitcoin, few are using it, and even fewer have any of them, which is why we were surprised to recently detect a Bitcoin credential phishing campaign that received a 2.7% click rate, much higher than the percentage of Bitcoin users in the general population.
As part of this campaign, Proofpoint detected 12,000 messages sent in two separate waves to over 400 organizations across a range of industries, including higher education, financial services, high tech, media and manufacturing. The broad nature of this campaign was surprising since most other Bitcoin phishing attacks have targeted known Bitcoin users.
The phishing email follows a fairly straightforward “account warning” template using the Bitcoin site Blockchain.info instead of the usual bank or online payment service names. The message itself alerts the recipient that there was a failed login attempt originating in China, attempting to create a sense of urgency by capitalizing on popular fears over Chinese hacking, while a unique-looking “case ID” lends verisimilitude to the phishing email.
The phishing email follows a fairly straightforward “account warning” template using the Bitcoin site Blockchain.info instead of the usual bank or online payment service names.
Over two days, the campaign demonstrated the process of adaptation typical of modern phishing campaigns. While the message and content remained the same, the attacker shifted tactics in their use of URLs:
– On the first day, the campaign used a single hostname (blockchain [dot] info [dot] case975675675 [dot] xyz) in the URLs that were individually randomized with a custom parameter for each email.
– Day two: The emails replaced the randomized URLs with multiple .com domains (e.g., http://blockchain [dot] info [dot] caseid832482834 [dot] com), which were generated and registered in advance.
– This shift in domains is likely due to the fact that the original .xyz hostname was added to SPAM blocklists shortly after the attack began. The cycling of multiple newly-created domains enables the attackers to improve their ability to evade reputation-based blocking.
The fact that 2.7% of recipients clicked on the link makes it likely that a mix of both Bitcoin and non-Bitcoin users were clicking on this phishing email. Clicking the Reset Password button in the messages sends the recipient to a realistic but fake Blockchain login page:
Any information entered by the user into this page will be captured and immediately sent to the phishing attackers, while the user is sent to a generic login error message. Once equipped with this information, the attackers can log in to the user’s real Blockchain.info account and send Bitcoins to any wallet they want. Because Bitcoin transactions are by design irreversible and difficult to trace, the victim has almost no recourse for their loss. Moreover, the measures that protect consumers from losses due to online banking fraud do not apply to Bitcoin users, making it unlikely a Bitcoin thief will have to contend with pursuit by banks.
This simple but effective phishing campaign demonstrates that security professionals cannot afford to discount any phishing emails, even consumer-based messages that do not appear to be relevant to their end-users, because effective lures attract clicks even from users who should have no reason to click. A more sophisticated, “multi-variant” version of this campaign could have a much greater impact, enabling attackers to target users with malware, Trojans, corporate credential phish, spam or other threats.
But this is what we’re seeing – what has been your experience? Share your experiences in the Comments.
By Kevin Epstein, Vice President of Advanced Security, Proofpoint
About Proofpoint, Inc.
Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving & governance, and secure communications. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information. More information is available at www.proofpoint.com.