Ongoing Bitcoin Targeted Phishing Campaign


The phish mail claims to come from Erwann Genson who has trouble accessing his wallet. He thanks 'David' for offering to help, and includes a shortened link to his wallet.dat and password. "If you can load the key please send the BTCs to 1DxFvJ6up9jXAZ9pkUmWVdiMTWvsjgB5Ea," it exhorts.

There's a thread in the Bitcoin Forum from people who have received this mail. "Looks legit, right?" says mkjohnson; adding "WARNING... The 'backup.zip' file contains a 'password.txt' file of 423.4kB and it is NOT a text file." jchysk comments, "Yeah, I got the same email... The password.txt is a UPX compressed .exe and decompressed it's a PE." "It's a SCAM!!" warns devthedev. "The zip file contains spyware and you can lose all your BTCs, potentially. I got the exact same worded email (just that my name really is David)."

Now LogRhythm has analyzed the campaign in greater detail. The first big giveaway is in the header – the message is sent via amazonses.com. Amazonses.com is Amazon's Simple Email Service (hence SES), a service used for inexpensive mass mailings. LogRhythm believes the scammers obtained the target email addresses "by way of scraping popular BTC sites and leaks for e-mail addresses."

The shortened URL contained in the email, supposedly to Erwann's wallet and password, goes to skodegouw dot nl, and downloads a backup.zip file. "Analyzing the metrics around this short URL," says LogRhythm's Greg Foss, "show that just under two thousand users have clicked on the link since the malware campaign was launched at around 4pm on January 6th."

Backup.zip contains a number of files that work together. Only two, called Passwords.txt.lnk and wallet.dat, are visible unless the user has enabled 'show hidden files.' The attack assumes that people will click on Passwords.txt.lnk first; but this is actually a packed executable, which "appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts."

When LogRhythm checked Backup.zip against VirusTotal yesterday, only 8 out of 48 AV engines detected it as malware. When checked earlier today, this had risen to 23 out of 48, demonstrating the importance and value of keeping AV defenses up to date. LogRhythm is continuing its analysis to locate the IP addresses associated with the malware, and expects to present more information at a later date.
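The two traits the article describes, a document-looking name that hides a shortcut or executable extension, and companion files carrying the hidden attribute, can be caught by inspecting the archive itself rather than waiting for AV signatures to catch up. The following triage script is an added example written for this article, not code from LogRhythm or the forum posters. It builds a constructed archive with the same layout as the one described (the bytes are invented stand-ins, not the real malware) and flags entries by name pattern, DOS hidden attribute and leading bytes; the UPX check is a heuristic based on the section names the packer leaves in a PE image.

```python
import io
import zipfile

# Bit 1 of the low byte of external_attr is the MS-DOS "hidden" attribute
# (Windows-created archives store DOS attributes there).
DOS_HIDDEN = 0x02

# Name patterns of the kind the article describes: a document-looking name
# that really ends in a shortcut or executable extension.
DECEPTIVE_SUFFIXES = (".txt.lnk", ".txt.exe", ".txt.scr", ".txt.com",
                      ".pdf.exe", ".doc.exe", ".jpg.exe")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".sys")

# Leading bytes of a Windows .lnk file: header size 0x4C followed by the
# shell link CLSID {00021401-0000-0000-C000-000000000046} in little endian.
LNK_MAGIC = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def classify_bytes(head: bytes) -> str:
    """Label an entry from its leading bytes. 'upx-packed-pe' is a heuristic:
    it looks for the UPX0/UPX1 section names inside an MZ/PE image."""
    if head.startswith(LNK_MAGIC):
        return "windows-shortcut"
    if head.startswith(b"MZ"):
        if b"UPX0" in head or b"UPX1" in head:
            return "upx-packed-pe"
        return "pe-executable"
    return "other"


def triage_zip(data: bytes, peek: int = 4096) -> list:
    """Return one finding per entry whose name, attributes or content is
    suspicious. An empty list means nothing stood out."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(peek)          # only the first bytes are needed
            name = info.filename.lower()
            kind = classify_bytes(head)
            reasons = []
            if info.external_attr & DOS_HIDDEN:
                reasons.append("hidden attribute set; a default Explorer view will not show it")
            if name.endswith(DECEPTIVE_SUFFIXES):
                reasons.append("double extension disguises the real file type")
            if kind in ("pe-executable", "upx-packed-pe") and not name.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("content is a %s but the name does not say so" % kind)
            if kind == "windows-shortcut":
                reasons.append("shortcut file; its target command runs when opened")
            if reasons:
                findings.append({"name": info.filename, "kind": kind, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the layout the article describes.
    The contents are invented placeholders, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Visible entry that looks like a text file but carries a PE header
        # with a UPX section name (stand-in for the packed executable).
        fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 200
        zf.writestr("Passwords.txt.lnk", fake_pe)
        # Visible bait file with no executable content.
        zf.writestr("wallet.dat", b"\x00" * 64)
        # Companion file marked hidden so it stays out of the default view.
        hidden = zipfile.ZipInfo("helper.dll")
        hidden.external_attr = DOS_HIDDEN
        zf.writestr(hidden, b"MZ" + b"\x00" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["name"], finding["kind"], "; ".join(finding["reasons"]))
```

Run against the constructed archive, the script reports Passwords.txt.lnk (double extension plus executable content under a non-executable name) and helper.dll (hidden attribute), while wallet.dat produces no finding. The same `triage_zip` function can be pointed at any downloaded archive before it is opened; it reads only the leading bytes of each entry and never executes anything.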

Meanwhile, good advice for bitcoin users comes from DavidT in the Bitcoin Forum: "NEVER EVER trust somebody you don't know about with your bitcoins, or attempt to use 'their wallet', it's only going to be bad for you..."
