Constantly rising in popularity, cryptocurrencies are making the headlines so often you’d think they were celebrities. But along with their growth in popularity and use, we are seeing cryptocurrency phishing attacks getting more popular as well. As celebrities attract stalkers, so too are cryptocurrencies attracting cybercriminals.
New cryptocurrency phishing attacks use old scam tactic
Emails promising get-rich-quick schemes, like the one below, have been around for decades. It is not surprising that the theme in many of these emails has shifted to cryptocurrencies. It might not sound too far-fetched since we constantly hear real stories about people becoming millionaires overnight by investing in them.
In this example, the malicious actor is using a technique discussed in more depth here.
This message can seem laughably obvious to many, but its sheer carpet-bombing volume makes it dangerously effective. Because they are sent through legitimate service notifications, these messages get past most spam filters and land straight in their targets’ inboxes.
The link leads to a site promising large returns for small fees. But the real “fee” here would entail stealing the victim’s banking information along with the transaction.
The Pump and Dump scheme
“Pump and dump” schemes are not uncommon in cryptocurrency email scams, as the volatility of the unregulated cryptocurrency market creates great opportunity and incentive for them. Schemes like these are common on social media and in investment forums, but have also found their place in email messaging. Values of certain cryptocurrencies with low market caps can be artificially inflated by, for example, a fraudster impersonating a large company and then endorsing the fringe cryptocurrency. When the price rises, the malicious actor sells their currency, turning a tidy profit and often leaving duped investors at a loss.
In addition to these “get rich quick!” campaigns, we are beginning to see well-crafted phishing campaigns going after their recipients’ cryptocurrency wallets and marketplace accounts, or spreading malware with crypto-themed attacks.
In this example, we see an approach common in banking phishing and vishing, where the victim is led to believe they have unknowingly authorized a large payment. The trick is to rile up the recipient, getting them to react hastily. In vishing, a phone number is provided through which the victim could supposedly cancel the payment, but in reality it is used to gather banking and personal information from them. In this example, the link leads to a page that gathers such sensitive information. A known brand is used here to increase the feeling of legitimacy.
Here is an example threat in which the attacker impersonates a Binance employee. Binance is a widely used legitimate cryptocurrency exchange. The email originates from a domain bought specifically for the campaign, which very closely resembles the real Binance domain, making this a so-called flash attack. The mix of impersonation, urgency, and a good story might lure an unsuspecting victim into giving up their credentials and other personal information. As the cryptocurrency market is known to be extremely volatile, urgency is very effective here.
This threat also uses an uncommon technique called “content bloating,” in which the email body is padded with large amounts of unnecessary content. This tactic is intended to trick email filters. It makes it hard for them to find similarities with other messages and pushes them to quit before being able to analyze the relevant content.
How to stay off the hook
We’ve now covered quite a few techniques malicious actors use within the cryptocurrency theme. Here are some tips on how to stay safe:
Be realistic. A classic tactic of attackers is to promise you free gold and fast fortune. Remember that an out-of-the-blue offer that seems too good to be true, usually is.
Take your time. Urgency is the most common emotion social engineers go after. They try to get you to think that there is limited time to act before something bad happens. It’s a major red flag.
Look closely. Remember to check the sender address when you receive an email. The address might contain small changes such as changing the domain from .com to .net or adding something extra to the name.
Beware of a fake badge. Social engineers impersonate recognizable brands and names because major companies have committed huge resources into gaining your trust. Not everyone in your inbox is who they say they are.
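The “Look closely” check can also be run automatically on reported mail. The sketch below is an added example, not Hoxhunt’s own code: it flags sender domains that swap the TLD, add extra text to a trusted name, or misspell it slightly. The trusted list, the function names and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: domains your organisation really deals with (constructed list).
TRUSTED = {"binance.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED):
    """Label the From: domain as trusted, a lookalike of a trusted domain, or unknown."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    # Naive split: treats the last label as the TLD (no public-suffix list).
    name, _, tld = domain.rpartition(".")
    label = name.rpartition(".")[2]           # label directly left of the TLD
    for good in sorted(trusted):
        brand, _, good_tld = good.rpartition(".")
        if label == brand and tld != good_tld:
            return "lookalike:tld-swap"       # e.g. .com changed to .net
        if brand in name.replace("-", "").replace(".", ""):
            return "lookalike:extra-text"     # brand plus something added
        if edit_distance(label, brand) <= 2:
            return "lookalike:near-spelling"  # small character changes
    return "unknown"

# Constructed sample headers, not taken from a real campaign.
SAMPLES = [
    "Binance <noreply@binance.com>",
    '"Binance Support" <support@binance-verify.net>',
    "Binance <alerts@binance.net>",
    "Binance <team@blnance.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):26} {header}")
```

A match on the display name alone proves nothing, which is why only the address domain is compared; a “trusted” result says the domain is not a lookalike, not that the message is authentic.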
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.