Bitcoin phishing campaign targets media, tech, education industries

A phishing campaign jumping on the Bitcoin bandwagon is targeting organizations within the media, high-tech, education, finance and manufacturing industries.


A Bitcoin-based phishing campaign has targeted over 400 organizations with the intention of stealing cryptocurrency wallet passwords.

California-based security company Proofpoint discussed the campaign on Wednesday. In a blog post, the security team said that due to its unregulated nature -- and there being no backing by a central financial authority -- cryptocurrency represents a "$6.8 billion" opportunity for cybercriminals, and the latest campaign underscores the popularity of this target.

Bitcoin is the most well-known variation of cryptocurrency, but has been hit hard by a number of recent cyberattacks which have taken down trading posts including the once-dominant exchange Mt. Gox. Due to security lapses and alleged poor accountancy practices, Mt. Gox was forced to file for bankruptcy after approximately 650,000 BTC went missing.

The most popular Bitcoin wallet website reports that since September last year, the number of wallet users has grown by 500 percent. In total, there are over two million cryptocurrency wallet holders hosted through the service, and daily transactions have tripled to over 30,000 per day.

In light of these numbers and a time in which one Bitcoin is worth $519 -- at the time of writing -- it is unsurprising that gaining access to these wallets is now a lucrative target within cybercrime.

According to Proofpoint, a Bitcoin credential phishing campaign is attempting to capitalize on the unregulated industry, and involves at least 12,000 messages being sent in two waves to over 400 organizations across a range of industries, including higher education, finance, media, technology and manufacturing.

Phishing emails come from a source pretending to be Blockchain, and use a straightforward "account warning" template. The message states that a hijacker was recently detected trying to access the recipient's account from China, which Proofpoint says "creates a sense of urgency by capitalizing on popular fears over Chinese hacking," and also uses a unique-looking "case ID" to make the message feel legitimate.

The date of the apparent wallet infiltration attempt, IP address and location are all included within the phishing email. A 'reset password' link then prompts the user to click and change their password -- but the malicious website the email links to, masquerading as the legitimate service, simply records the victim's information. When a victim attempts to change their wallet password, they are greeted with a "generic login error message," while their account information wings its way toward the cybercriminals.

Victim data can then be used to access their wallets, and Bitcoin can then be transferred to whatever wallets the hijackers choose.

In total, the campaign received a 2.7 percent click rate.


The security team notes that the campaign changed over the course of two days, with randomized URLs and .com domains registered in advance being used for different waves of emails. Proofpoint believes this was done in order to circumvent spam blocklists that banned the original .xyz hostname shortly after the campaign began.
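As an added example from the defender's side (not Proofpoint's code, nor anything from the article): a small Python triage check that keys on the mismatch between the brand a message claims to come from and the hosts its links point at, together with the lure wording described above, so that rotating from the banned .xyz hostname to pre-registered .com domains does not evade it. The legitimate domain (blockchain.info), the case ID, the date and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Domain that genuine mail for the impersonated brand would link to.
# The brand comes from the article; the domain is an assumption.
BRAND_DOMAINS = {"blockchain": ("blockchain.info",)}
# Wording the article attributes to the lure template.
LURE_PHRASES = ("account warning", "case id", "reset password", "china")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def claimed_brand(from_header):
    """Return the brand the From: header is dressed up as, or None."""
    low = from_header.lower()
    return next((b for b in BRAND_DOMAINS if b in low), None)

def link_hosts(body):
    """Hostnames of every http(s) link in the body, lowercased."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h.lower() for h in hosts if h}

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def assess(raw_mail):
    """Score one RFC 822 message on brand/link mismatch plus lure wording."""
    msg = message_from_string(raw_mail)
    brand = claimed_brand(msg.get("From", ""))
    body = msg.get_payload()  # constructed samples are single-part text
    text = (msg.get("Subject", "") + "\n" + body).lower()
    lure_hits = sum(p in text for p in LURE_PHRASES)
    mismatched = set()
    if brand:  # any link host outside the brand's real domain is a red flag
        mismatched = {h for h in link_hosts(body)
                      if not any(belongs_to(h, d) for d in BRAND_DOMAINS[brand])}
    return {"brand": brand, "mismatched_hosts": sorted(mismatched),
            "lure_hits": lure_hits,
            "suspicious": bool(mismatched) and lure_hits >= 2}

# Constructed sample modelled on the lure described in the article.
SAMPLE = """From: Blockchain Support <support@blockchain.info>
Subject: Account warning: unauthorized login attempt (Case ID 48213)

We detected a login to your wallet from China on 2014-08-19.
If this was not you, reset password now: http://secure-wallet-update.xyz/reset?id=48213
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Because the verdict does not depend on the specific hostname, the same message rewritten to point at a freshly registered .com domain is flagged identically.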

"This simple but effective phishing campaign demonstrates that security professionals cannot afford to discount any phishing emails, even consumer-based messages that do not appear to be relevant to their end users, because effective lures attract clicks even from users who should have no reason to click," the Proofpoint team says. "A more sophisticated, 'multi-variant' version of this campaign could have a much greater impact, enabling attackers to target clicking users with malware, Trojans, corporate credential phish, spam or other threats."