Crypto Wallet Impersonation - Abnormal Security

Crypto Wallet Impersonation

Amid the uncertainty of this period, one thing that has consistently made headlines is high-profile data breaches. With serious attacks continuously underway, awareness of the vulnerabilities in software applications used every day has grown. Today’s featured attack exploits that awareness: it impersonates an automated email from the Exodus crypto wallet to its customers, warning recipients that their personal data has been compromised.

Quick Summary of Attack

  • Platform: Office 365
  • # Mailboxes: More than 50,000
  • Email Gateway Bypassed: MessageLabs
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

What was the attack?

This attack impersonates an automated message from Exodus by setting the sender display name to ‘Exodus’, while the message actually originates from <exodus-wallets.io-id255732544@peugeot.com.br>.

The attackers pose as an automatic email notification stating that there has been a data breach. It states that if the recipient is receiving the message, their information has already been compromised. The message calls on the recipient to update their 12-word phrase and follow the provided instructions to set up a new PIN.

Payload: After the recipient clicks the “Update” button, they are redirected to an impersonated Exodus Phrase update page. The recipient is expected to enter their 12-word phrase or password. If the recipient falls for the scam, the attackers gain access to the victim’s crypto account and other financially sensitive information.

Why did this attack bypass existing email security?

Many existing security measures do not properly analyze attack language, which is pervasive in over 70% of attacks. Abnormal Security prevented this attack by recognizing a number of signals that, when combined, led our detection system to flag the email as malicious. These signals include the failed email authentication, a suspicious link embedded in the “Update” button, and the email being sent from a sender not usually seen for this particular organization.
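As an added illustration (not Abnormal Security's own detection logic), the following Python checks a constructed copy of such a message for the signals named above: display name claiming a brand the sender domain does not belong to, failed SPF/DMARC, a call-to-action link pointing away from the claimed brand, and a first-seen sender domain. The brand/domain lists, the known-sender history and the link target are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand names to protect, mapped to domains allowed to send as that brand
# (assumed values for this example, not a vendor-maintained list).
PROTECTED_BRANDS = {"exodus": {"exodus.com", "exodus.io"}}

# Sender domains previously seen by this organisation (constructed history).
KNOWN_SENDER_DOMAINS = {"example.org", "exodus.com"}

# Constructed sample modelled on the campaign described above; the link target
# is a placeholder, not the URL used in the real attack.
SAMPLE_EMAIL = """\
From: Exodus <exodus-wallets.io-id255732544@peugeot.com.br>
To: employee@example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=peugeot.com.br; dkim=none; dmarc=fail header.from=peugeot.com.br
Content-Type: text/html; charset=utf-8

<html><body><p>Update your 12-word phrase and set a new PIN.</p>
<a href="https://phrase-update.invalid/exodus">Update</a></body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def detect_signals(raw):
    """Return the impersonation signals found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()
    # 1. Display name claims a protected brand but the address domain does not match.
    brand = next((b for b in PROTECTED_BRANDS if b in display.lower()), None)
    if brand and sender_domain not in PROTECTED_BRANDS[brand]:
        signals.append("display-name brand mismatch")
    # 2. The receiving MTA recorded failed SPF/DMARC for the sender.
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        signals.append("failed email authentication")
    # 3. A call-to-action link points somewhere other than the claimed brand.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if brand and host not in PROTECTED_BRANDS[brand]:
            signals.append(f"suspicious link behind '{text.strip()}' -> {host}")
    # 4. Sender domain never seen before by this organisation.
    if sender_domain and sender_domain not in KNOWN_SENDER_DOMAINS:
        signals.append("first-seen sender domain")
    return signals
```

Running `detect_signals(SAMPLE_EMAIL)` yields all four signals; a genuine message from an allowed Exodus domain with passing authentication and brand-domain links yields none.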
