SANS ISC: Cryptocurrency-themed phishing emails - SANS Internet Storm Center

Cryptocurrency-themed phishing emails

Introduction

As cryptocurrencies have become more popular, criminals have expanded their operations into this area.  This is most obvious with the rise in cryptocurrency miners (coin miners) during the past year or so.  But in recent months, I've also seen more cryptocurrency-themed phishing emails than before.  I already provided one such example last month.  Today's diary provides another recent example.

The email

These phishing emails attempt to obtain login credentials for bitcoin or other cryptocurrency wallets.  This particular email spoofed blockchain.info.


Shown above:  Screenshot of the phishing email.

Email headers for this example follow:

Received: from cl-t040-461cl.privatedns.com ([70.38.4.91])
        by [removed] for [removed];
        Fri, 08 Jun 2018 11:43:54 +0000 (UTC)
Received: from nobody by cl-t040-461cl.privatedns.com with local (Exim 4.80)
    (envelope-from <nobody@cl-t040-461cl.privatedns.com>)
    id 1fRFYT-0004pr-Sy
    for [removed]; Fri, 08 Jun 2018 07:27:42 -0400
To: [removed]
Subject: Ether Payment Received
MIME-Version: 1.0
Content-Type: text/html; 
FROM: Blockchain  <crypto370@blockchain.info> 
Message-Id: <E1fRFYT-0004pr-Sy@cl-t040-461cl.privatedns.com>
Date: Fri, 08 Jun 2018 07:27:41 -0400

The fake login page was quickly taken off-line; however, I got some screenshots of it before it disappeared.


Shown above:  Screenshot of the fake login page when it was still active.


Shown above:  Nothing on the base page but a rude message.

This particular domain was blockpchain.info (notice the "p" between "block" and "chain").  It was originally registered on 2018-05-17, so it's been around approximately 3 weeks as I write this.
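As an added example (my own code, not part of the original diary), the following Python checks the two tells this message shows: the displayed From: domain disagrees with the envelope sender and Message-Id host in the headers quoted above, and the landing domain is one character away from the brand it imitates.  The header text is copied from the diary; the brand watchlist and the edit-distance threshold are my own assumptions.

```python
import email
import re
from email.utils import parseaddr

# Relevant headers copied from the diary above (recipient fields were already redacted there).
RAW_HEADERS = """\
Received: from cl-t040-461cl.privatedns.com ([70.38.4.91])
        by [removed] for [removed];
        Fri, 08 Jun 2018 11:43:54 +0000 (UTC)
Received: from nobody by cl-t040-461cl.privatedns.com with local (Exim 4.80)
    (envelope-from <nobody@cl-t040-461cl.privatedns.com>)
    id 1fRFYT-0004pr-Sy
    for [removed]; Fri, 08 Jun 2018 07:27:42 -0400
Subject: Ether Payment Received
FROM: Blockchain  <crypto370@blockchain.info>
Message-Id: <E1fRFYT-0004pr-Sy@cl-t040-461cl.privatedns.com>
"""

# Assumed watchlist of brand domains worth protecting; blockchain.info is the one this email spoofs.
WATCHLIST = ["blockchain.info"]

def levenshtein(a, b):
    """Plain edit distance; a single inserted letter ("blockpchain") scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host, watchlist=WATCHLIST, max_dist=2):
    """Return the brand domain that `host` is a near miss of, or None if it is not one."""
    host = host.lower()
    for brand in watchlist:
        if host != brand and levenshtein(host, brand) <= max_dist:
            return brand
    return None

def header_findings(raw):
    """Compare the displayed From: domain with the envelope sender and the Message-Id host."""
    msg = email.message_from_string(raw)  # compat32 keeps folded Received: lines intact
    domain = lambda addr: addr.partition("@")[2].lower()
    from_domain = domain(parseaddr(msg.get("From", ""))[1])
    env = re.search(r"envelope-from\s+<([^>]+)>", "\n".join(msg.get_all("Received", [])))
    others = {"envelope-from": domain(env.group(1)) if env else "",
              "Message-Id": domain(msg.get("Message-Id", "").strip("<> "))}
    return [f"From: domain {from_domain} differs from {name} domain {d}"
            for name, d in others.items() if d and d != from_domain]
```

Both checks are cheap enough to run on every inbound message; the domain mismatch is the stronger signal here, since the look-alike host only appears once the recipient follows the link.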

Final words

This was not a particularly clever phishing email.  Most people have some sort of phishing awareness and could have spotted the fake login page URL.  Furthermore, the fake Blockchain page had already been taken off-line by the time I attempted an in-depth investigation.

This is just one more example of how phishing emails remain a constant threat, and of how criminals continue adapting to our changing times.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
