Despite cryptocurrency occupying a “niche” role at best for the public at large, a Bitcoin-baited phish has surprisingly garnered a big response.
“The world of the cryptocurrency Bitcoin stands in stark contrast to that of heavily regulated and policed government backed currencies, online banking and payment services,” Proofpoint said. “Unregulated and designed for anonymity, Bitcoin represents an attractive, $6.8 billion target to cyber-criminals.”
According to Proofpoint, the campaign was looking to capture Bitcoin wallet user IDs and passwords, and received a 2.7% click rate, much higher than the percentage of Bitcoin users in the general population.
“While many people have heard of Bitcoin, few are using it and even fewer have any, which is why we were surprised,” the researchers said in a blog.
Most other Bitcoin phishing attacks have targeted known Bitcoin users, but this campaign was much broader: Proofpoint detected 12,000 messages sent in two separate waves to more than 400 organizations across a range of industries, including higher education, financial services, high tech, media and manufacturing.
The security firm laid out the gambit: “The phishing email follows a fairly straightforward ‘account warning’ template, using the Bitcoin site Blockchain.info instead of the usual bank or online payment service names. The message itself alerts the recipient that there was a failed login attempt originating in China, attempting to create a sense of urgency by capitalizing on popular fears over Chinese hacking, while a unique-looking ‘case ID’ lends verisimilitude to the phishing email.”
Well-done or not, the question remains—why did so many people click the link? Curiosity, perhaps?
Bitcoin wallet website Blockchain.info has said that since September 2013 the number of “My Wallet” users has grown more than 500%--and daily My Wallet transactions have nearly tripled to over 30,000 transactions per day. However, despite that growth, the raw number tells the tale: it has just over 2 million users, hardly a broad canvas.
“In light of these numbers, phishing attacks targeting Bitcoin users are very much ‘fishing expeditions,’ so attackers have used lists of known and active Bitcoin users or leveraged popular misperceptions about Bitcoin to try and improve their odds of success, and attacks generally take the form of credential phish,” Proofpoint said. It added, “This simple but effective phishing campaign demonstrates that security professionals cannot afford to discount any phishing emails, even consumer-based messages that do not appear to be relevant to their end users, because effective lures attract clicks even from users who should have no reason to click.”
The firm also pointed out the obvious—anything other than a phishing campaign could have delivered a big blow. A more sophisticated, “multi-variant” version of this campaign could have a much greater impact, enabling attackers to target clicking users with malware, Trojans, corporate credential phish, spam or other threats.
Those actual Bitcoin users who fell for the bait will see their own share of hurt however. “Bitcoin transactions are by design irreversible and difficult to trace, the victim has almost no recourse for their loss,” Proofpoint said. “Moreover, the measures that protect consumers from losses due to online banking fraud do not apply to Bitcoin users, making it unlikely a Bitcoin thief will have to contend with pursuit by banks.”