Last Updated: 2018-06-08 15:49:26 UTC
by Brad Duncan (Version: 1)
As cryptocurrencies have become more popular, criminals have expanded their operations into this area. This is most obvious with the rise in cryptocurrency miners (coin miners) during the past year or so. But In recent months, I've also seem more cryptocurrency-themed phishing emails than before. I already provided one such example last month. Today's diary provides another recent example.
These phishing emails attempt to obtain login credentials for bitcoin or other cryptocurrency wallets. This particular email spoofed blockchain.info.
Email headers for this example follow:
Received: from cl-t040-461cl.privatedns.com ([220.127.116.11])
by [removed] for [removed];
Fri, 08 Jun 2018 11:43:54 +0000 (UTC)
Received: from nobody by cl-t040-461cl.privatedns.com with local (Exim 4.80)
for [removed]; Fri, 08 Jun 2018 07:27:42 -0400
Subject: Ether Payment Received
FROM: Blockchain <firstname.lastname@example.org>
Date: Fri, 08 Jun 2018 07:27:41 -0400
The fake login page was quickly taken off-line; however, I got some screenshots of it before it disappeared.
This particular domain was blockpchain.info (notice the "p" between "block" and "chain"). It was originally registered on 2018-05-17, so it's been around approximately 3 weeks as I write this.
This was not a particularly clever phishing email. Most people have some sort of phishing awareness and could have spotted the fake login page URL. Furthermore, the fake Blockchain page had already been taken off-line by the time I attempted an in-depth investigation.
This is just one more example of how phishing emails remain a constant threat, and the criminals continue to adapting to our changing times.
brad [at] malware-traffic-analysis.net