Key Takeaways
- Proofpoint researchers have observed email fraud campaigns that send functioning sets of login credentials to fake cryptocurrency exchange platforms.
- Proofpoint researchers explored one of the platforms in depth and determined it is well crafted, appearing fully functional to victims.
- Victims are tempted by the promise of a considerable amount of cryptocurrency. Cashing out the full balance, however, requires the victim to first deposit some Bitcoin to the platform, which is the point of the scheme.
- The campaigns are not targeting any specific vertical or geography and are instead being distributed worldwide.
Overview
Proofpoint researchers have identified an intriguing Advance Fee Fraud scheme sending low volume email campaigns and employing advanced social engineering tactics to swindle unsuspecting victims out of Bitcoin. This scheme spreads credentials to alleged private Bitcoin investment platforms and lures victims with the promise of withdrawing hundreds of thousands of dollars worth of cryptocurrency from an already established account on the platform(s).
While being very similar to traditional Advance Fee Fraud schemes, this set of campaigns is much more sophisticated from a technical standpoint, is fully automated, and requires substantial victim interaction. The use of cryptocurrency, in this case, is also notable for the following reasons:
- It provides anonymity for both the attacker and the victim. Specifically for the victim, they may find it appealing that the money would be acquired anonymously and tax-free.
- It indicates that the threat actor is targeting individuals that are somewhat technically savvy as they will need to be comfortable handling Bitcoin and a digital wallet.
Campaign Details
Proofpoint researchers detected the first of these campaigns in May 2021 using a coins45[.]com landing page while the most recent version started in July 2021 and directs potential victims to securecoins[.]net.
According to Proofpoint visibility, each of the email campaigns has been sent to anywhere from tens to hundreds of recipients around the globe, and emails from the same campaign contain the same credential pairs—user id and password—for all recipients. It appears that multiple people can log in with the same user id and password if they log in from a different IP address and browser. However, once they change the password, as detailed in the next section, and add in a phone number, the account becomes unique, and victims will not see any trace of other victims’ activities.
A Walkthrough of the Scheme
This cluster of Advance Fee Fraud activity begins like any other type of business email compromise, with an email designed to get the attention of the recipient. The emails all appear similar to the one shown in Figure 1, which attempts to lure victims with the promise of a hefty amount of money. In this case, that amount is 28.85 Bitcoin or about $1,350,119 USD (as of 26 August 2021).
Figure 1. Sample of the initial email sent to intended victims.
Step 1 - Logging In
Once a victim is successfully enticed by the monetary promise in the email, they will be tempted to try to log in to the noted Bitcoin wallet website using the provided credentials. The customer ID and password work to access the site; however, as soon as a victim logs in, they are prompted to change the password and add a recovery phone number for security (Figure 2).
Figure 2. Change password and enable multi-factor authentication prompt.
This step may be intended to provide a false sense of security to the victim as they could see it as a sign of legitimacy given the emphasis on protecting the account via multi-factor authentication, which is considered a security best practice.
Once the victim follows through with this step, being guided to take over the account, they receive an automated call to the phone number they provided, giving the one-time password (OTP) to enable the additional account security. The OTP codes are sent from one of two numbers: +44 2045 383250 (UK number) or +1 (201) 379 6348 (US number).
After inputting the OTP, the website confirms the account has been secured as seen in Figure 3.
Figure 3. Confirmation of account security after the victim has changed the password and established multi-factor authentication via phone.
To provide even more reassurance to the victim, the account secured confirmation notes that the only way to get in touch with the platform support service is via the internal messaging system through the now secured account. Great! Whoever was the owner of the account prior to the victim now has no control over it. The victim can now go ahead and try to empty those 28.85 BTC into their wallet.
Step 2 – Inside the Platform
Navigating around the account, a victim can find a couple of messages from the alleged “previous owner” of the account, Figures 4 through 6.
Figure 4.
Figure 5.
Figure 6.
The information provided in the messages indicates that this platform is completely anonymous, making it the perfect place to take some BTC from. The user account area shows there is no need to enter any name or address. The victim is only allowed to enter a phone number and an optional email address. The page also notes the last time the victim logged in and mentions that the IP address is never stored, putting a technically savvy victim even more at ease.
Step 3 – Withdrawing the Funds
As depicted in Figure 7, the account shows some BTC has been deposited and withdrawn in the past, making it appear as if the account is functional. Navigating to the “Withdraw” entry in the menu, a victim can try to transfer some funds out of the platform; however, the platform states that the first transfer out of any portfolio must be 0.0001 BTC (about $4.75 USD as of 26 August 2021) to ensure everything works as expected from both sender/receiver ends.
As the victim proceeds and submits a transfer request, the transfer appears in the queue. After roughly 40 minutes, the transfer option appears to work! The victim starts to receive confirmations of the transfer along with the amount appearing in their personal wallet. The platform also appears to be updated in real time (Figure 7).