Abnormal Attack Stories: Bitcoin Malware - Abnormal Security


In this attack, malicious actors impersonate a Bitcoin service, BTC Era, to gain access to recipients’ devices.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Office 365
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Brand Impersonation

What was the attack?

Setup: This attack leverages Bitcoin to fool adopters of cryptocurrency into paying for what they believe is an investment, but is really a guise to install malware on recipients' devices.

Email Attack: The attack impersonates an automated email from BTC Era, a platform for trading cryptocurrency. However, the email is sent from aurinekevinlola@gmail.com. The sender addresses the recipient by name, and the details of the email state that the recipient has been approved to make a BTC transaction, which requires a minimum deposit of $250 to start. Following this is a concealed URL with text that reads “create an account”.

Payload: Clicking on the “create account” link leads to multiple redirects before landing on the “theverifycheck.com” webpage. Upon arriving at this landing page, a pop-up alert requests permission to show notifications from the website. After clicking “Allow”, the landing page remains static.

Result: By clicking “Allow”, the user has actually given permission for adware to run on their device; it only appears that nothing has happened. Going into Chrome settings, the user would be able to see that the website is running Malwarebytes. This renders their device a tool to monitor user behavior and to launch ads and spam targeting the user.

Why is this attack effective?

Brand Impersonation: The attack impersonates an email from BTC Era, a platform on which anyone can trade. This is an effective method to install malware if the impersonation is overlooked by the recipient.

Concealed URL: The URL is concealed behind hyperlinked text. The link is hosted through Constant Contact, an email marketing provider, although the email body implies it leads to an account setup page on BTC Era. Because the real destination is concealed, the recipient is likely to click on it to see what follows.
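The two tells described above (a brand display name on a freemail sender, and a "create an account" link whose real host is a bulk-mail tracker rather than the brand) can be checked mechanically at the mail gateway. The following is an added example, not code from Abnormal Security or from this post; the sample message is constructed to mirror the story, and the tracking host `tracking.bulk-mailer.example` and the freemail list are placeholders I chose for illustration.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample modelled on the attack story: Gmail sender with a brand
# display name, and a call-to-action link pointing at a placeholder tracker host.
SAMPLE_EML = """\
From: BTC Era <aurinekevinlola@gmail.com>
To: Jane Doe <jane.doe@example.com>
Subject: Your BTC Era account has been approved
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane, you have been approved to make a BTC transaction.
A minimum deposit of $250 is required to start.</p>
<p><a href="https://tracking.bulk-mailer.example/l/PLACEHOLDER">create an account</a></p>
</body></html>
"""

# Assumed lists for the heuristic; a real deployment would use its own.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
ACCOUNT_CALLS_TO_ACTION = ("create an account", "create account", "sign in", "verify")


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((visible, self._href))
            self._href = None


def analyze(raw: str) -> List[str]:
    """Return human-readable findings for the brand/link mismatches in one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    display_name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not sender_domain:
        return findings

    # Tell 1: brand-style display name whose words do not appear in the
    # sender's local part, sent from a freemail domain.
    local_part = addr.rpartition("@")[0].lower()
    name_tokens = re.findall(r"[a-z]+", display_name.lower())
    if name_tokens and sender_domain in FREEMAIL_DOMAINS and not any(t in local_part for t in name_tokens):
        findings.append(
            f"display name '{display_name}' on freemail sender {sender_domain} does not match local part"
        )

    # Tell 2: an account-setup call to action whose real host is outside
    # the sender's domain (here, a bulk-mail tracking host).
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host and any(cta in text.lower() for cta in ACCOUNT_CALLS_TO_ACTION) and not host.endswith(sender_domain):
            findings.append(f"call-to-action '{text}' points to {host}, not the sender's domain {sender_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

Either finding alone is weak (legitimate marketing mail also uses tracking links), so this is a scoring input for a gateway rule, not a verdict on its own; the combination of a freemail sender claiming a brand and an account-setup link off-domain is what makes the message in this story stand out.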

Marketing Campaign / Email Hosting Service: Utilizing bulk email services is an easy way to deliver a widespread attack to multiple recipients at the same time. It takes less effort than spoofing emails and is more effective in casting a wide net to catch unsuspecting recipients.
