A novel phishing scam that tried to trick former customers of Bittrex into parting with credentials to ‘rescue’ outstanding funds deposited with the bankrupt platform has been exposed.
Abnormal Security says it cottoned on to the ploy after it intercepted and analyzed bogus emails that looked convincingly like genuine communications sent by the cryptocurrency exchange to customers after it folded in April.
The fake emails were sent in October, nearly two months after the original August 31st deadline for withdrawal of funds. Curiously, by then just 3% of Bittrex’s 1.6 million customers had taken advantage of the window to withdraw their money – presumably a fact the crooks behind the scam had hoped to capitalize on.
In the bogus emails, former clients of Bittrex were told they had more than $1,000 left in their accounts and were invited to “simply click on the button below to visit the withdrawal page.”
Of course, doing so would lead the victim to a classic phishing page designed to harvest their personal credentials – which can then be used to facilitate other types of crime including cyber fraud.
“Attackers capitalized upon the tumultuous situation surrounding the bankruptcy of Bittrex, a prominent cryptocurrency exchange, to launch a highly targeted and sophisticated phishing campaign,” said Mike Britton, who authored the Abnormal report.
“Seeking to deceive former Bittrex customers into divulging their credentials, the attackers lured targets with the promise of accessing remaining funds before they were forfeited,” he added.
The campaign appears to have exclusively targeted students, as many users of the Bittrex service before it collapsed were in higher education.
Perhaps not the best catch
There is some irony to this scam, given that the real Bittrex was embroiled in controversy that forced it to cease trading. On April 30th, following accusations from the Securities and Exchange Commission that it was operating as an unregistered securities exchange, the platform shuttered its US operation.
In fairness, the emails it sent to clients the following month appear to have been above board, specifying the August deadline for withdrawal of outstanding funds. However, the fact that so few chose to withdraw raises the question of whether the subsequent scam had any real hook to it.
“Bittrex sent an email to its entire database informing users that all funds in the exchange had been frozen due to the bankruptcy proceedings,” said Britton. “They further explained that the company was working with the bankruptcy court to ensure customers could withdraw their assets as soon as possible.”
But ex-clients soon took to Reddit to complain about the procedure, reporting that it was “cumbersome and time-consuming.”
By the time of the exchange’s official closure, 77% of its accounts contained balances under $100, leading Britton to conclude that “it’s safe to assume many users decided it wasn't worth the trouble.”
Presumably, the would-be con artists were hoping to target the fraction of account holders who stood to lose more by not extracting their funds.
Decent phishing tackle
In terms of the basic mechanics of the scheme, it appears to have been fairly well thought through by the crooks behind it.
“The perpetrators employed various tactics to make their emails appear genuine – including using a legitimate sender email, masking the phishing link, and incorporating actual information from the bankruptcy proceedings,” said Britton. “The content of each email was identical, but the subject lines and sender display names varied between messages.”
Targets were asked to provide their Bittrex usernames and passwords, which would allow attackers to harvest the login credentials of every individual who entered them on the dummy page.
Given that the internet is rife with password-sharing between accounts by careless users, this could have yielded the criminals a gold mine, as “they would then be able to access any account for which the target used that same password.”
Britton also noted that the lack of obvious grammatical errors or misspelled words – usually a key giveaway in phishing scams – “would make it challenging for the average individual to identify the email as malicious.”
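The traits Britton lists, a masked link whose visible text names one domain while the href points elsewhere, and one body reused under varying subject lines and sender display names, are both mechanically checkable at the mail gateway. The script below is an added illustration, not code from Abnormal Security or from the report; it runs over a constructed batch of four messages with placeholder `.invalid` domains and flags both traits. The registrable-domain check is a deliberate simplification (last two host labels, no public-suffix list).

```python
"""Defender-side triage of a mail batch for two lure traits described above:
masked links (visible text domain != href domain) and one HTML body reused
under many subjects and display names. All messages here are constructed."""
import hashlib
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure body reused across messages (domains are placeholders).
LURE_BODY = (
    '<p>Our records show more than $1,000 remaining in your account.</p>'
    '<p>Simply click the button below to visit the withdrawal page:</p>'
    '<p><a href="http://withdrawal-portal.invalid/login">'
    'https://exchange-example.invalid/withdraw</a></p>'
)
# Constructed benign body: visible text and href agree.
BENIGN_BODY = (
    '<p>Your statement is ready.</p>'
    '<p><a href="https://exchange-example.invalid/statements">'
    'https://exchange-example.invalid/statements</a></p>'
)

def build_message(display_name, subject, body):
    """Assemble a minimal RFC 5322 message string (constructed sample data)."""
    return (
        f"From: {display_name} <notices@exchange-example.invalid>\n"
        f"Subject: {subject}\n"
        "Content-Type: text/html; charset=utf-8\n\n"
        f"{body}\n"
    )

SAMPLE_BATCH = [
    build_message("Exchange Support", "Action required: withdraw your funds", LURE_BODY),
    build_message("Exchange Notices", "Final reminder: outstanding balance", LURE_BODY),
    build_message("Bankruptcy Claims Desk", "Your remaining balance", LURE_BODY),
    build_message("Exchange Support", "Monthly statement", BENIGN_BODY),
]

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(url):
    """Approximate the registrable domain as the last two host labels.
    Simplification: no public-suffix list, so co.uk-style hosts are not handled."""
    if "://" not in url:
        url = "http://" + url
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])

def masked_links(html):
    """Return (text, href) pairs where the visible text looks like a URL or
    hostname but names a different domain than the href actually targets."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links
            if "." in text and " " not in text
            and registered_domain(text) != registered_domain(href)]

def body_digest(body):
    """Hash the body with whitespace removed so formatting noise does not split clusters."""
    return hashlib.sha256("".join(body.split()).encode()).hexdigest()

def campaign_clusters(raw_messages):
    """Group messages by body hash; one body under many subjects and display
    names is the reuse pattern the report describes."""
    clusters = defaultdict(lambda: {"count": 0, "subjects": set(), "display_names": set()})
    for raw in raw_messages:
        msg = message_from_string(raw)
        entry = clusters[body_digest(msg.get_payload())]
        entry["count"] += 1
        entry["subjects"].add(msg["Subject"])
        entry["display_names"].add(parseaddr(msg["From"])[0])
    return dict(clusters)

def triage(raw_messages):
    """Per-message findings: masked links plus how often the body recurs in the batch."""
    clusters = campaign_clusters(raw_messages)
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        body = msg.get_payload()
        findings.append({
            "subject": msg["Subject"],
            "masked_links": masked_links(body),
            "body_reuse_count": clusters[body_digest(body)]["count"],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_BATCH):
        print(finding)
```

On the constructed batch, the three lure messages each carry one masked link and share a body reused three times under three subjects and three display names, while the benign statement message is clean; in production the same two signals would feed a gateway rule or a SIEM correlation rather than a print loop.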