Board: Bitcoin Discussion
Topic: Re: PSA: **WARNING** ACTIVE PHISHING CAMPAIGN AGAINST BitcoinTalk and BTC-e USERS
by bitsalame on 03/05/2017, 04:45:51 UTC
Please stop calling it phishing. That word doesn't mean anything related to IT, email, or hackers. The first rule about naming new "things" is to give it a name that relates to that "thing's" definition. Phishing isn't it. We need to stop using that word.

What are the spoofed emails asking for? How would we know if the email we received was part of this email hack?

Thanks for the PSA!

Technically, it is phishing if spoofed emails are being delivered to users. I'm assuming that these emails are a way to phish your password and/or private keys somehow.

OP, do you have any examples of what these spoofed emails look like?

Ok these are the emails I've been getting:
First Email:
Quote
From: no-reply@localbitcoins.com
To: (address registered ONLY for btc-e)
Subject: [localbitcoins.com #36354 message from administrator.
Body:
Quote
no-replay@localbitcoins.com (recipient address)

Message:

Please check and secure your account.

You can login here https://localbitcoins.com/login/44641

Second Email:
Quote
From: no-reply@localbitcoins.com
To: (address registered ONLY for btc-e)
Subject: [localbitcoins.com #80654 message from administrator.
Body:
Quote
no-replay@localbitcoins.com (recipient address)

Message:

Please check and secure your account.

http://localbitcoins.com/login/51939

Third Email:
Quote
From: Blockchain noreplay@blockc (sic)
To: (address registered ONLY for btc-e)
Subject: Authorize log-in attempt.
Body:
Quote
Authorize log-in attempt (recipient's email address)

An attempt to login to your blockchain.info wallet was made from an unknown browser
Please check and secure your account.

Please Login here ! [Link: http://www.vanityonlinestore.com/mic/a266.php?(email address)

BlockChain Security Team.

Fourth email: in this attempt they were incredibly stupid and also incredibly sneaky at the same time. Even though they didn't even bother spoofing the email address, the phishing link uses Unicode (the k is not ASCII, it is the Russian Unicode). If they were clever enough, they could have registered that domain, paid for an SSL certificate, and they could have had an indistinguishable blockchain.info spoof with a "green" SSL lock in the browser. But fortunately these guys are a bunch of careless amateurs.
Quote
From: Blockchain info@cafricambi.com
To: (address registered ONLY for btc-e)
Subject: Activate your email address
Body:
Quote
Dear Customer

Actiνate your email address , Unνerified email could susρend your account.

httρs://blocκchain.info/wallet/email/xlK6sVρOHiEρκcd0S8

2017 BLOCKCHAIN LUXEMBOURG S.A. ALL RIGHTS RESERVED

Fifth email:
Quote
From: Franks Keane richardpotter@sky.com (? Seriously?)
To: (address registered ONLY for BitcoinTalk forums up to 2015)
Subject: BTC-e codes for (BitcoinTalk username)
Data:
Quote
Hello (BitcoinTalk Username).

Please review attached your BTC-e codes.

You have to use it within 6 hours.

Password is GLmsWjr50MJ6i. You have to type it to be able to open the document.

Thanks
Franks Keane
(Attached BitcoinTalkUsername.docx)

And lastly, the very first one actually targeted btc-e users, by spoofing btc-e itself.
Quote
From: BTC-e noreplay@test.com
To: (address registered ONLY for BTC-e)
Subject: Please update your email account.
Data:
Quote

This phishing campaign started on Apr 22nd.
I had zero attempts for 4 years since the hack, and that was baffling considering that it was public knowledge that their DB was dumped from these two sites. I guess that the attackers were either saving it for the right moment, or were finally able to sell the DB, or they just got tired of keeping it and made it public.
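An added example, not part of the original post: a mail-filter style check for the look-alike letters seen in the fourth email, flagging words that mix Unicode scripts and showing the link's hostname in its ASCII (punycode) form. The sample strings are constructed after that email with the look-alike letters written as escapes (Greek code points are an assumption about the original bytes), and the function names are hypothetical.

```python
import re
import unicodedata

# Constructed samples modelled on the fourth email in the post above.
# Assumption: the look-alikes are Greek nu (U+03BD), rho (U+03C1), kappa (U+03BA).
BODY = "Acti\u03bdate your email address , Un\u03bderified email could sus\u03c1end your account."
LINK = "htt\u03c1s://bloc\u03bachain.info/wallet/email/xlK6sV\u03c1OHiE\u03c1\u03bacd0S8"

def scripts(word):
    """Return the set of scripts used by the letters of word."""
    found = set()
    for ch in word:
        if ch.isalpha():
            # Unicode names start with the script: "GREEK SMALL LETTER KAPPA".
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def mixed_script_words(text):
    """Return (word, scripts, non-ASCII letters) for each word mixing scripts."""
    hits = []
    for word in re.findall(r"[^\W\d_]+", text):  # runs of Unicode letters
        used = scripts(word)
        if len(used) > 1:
            odd = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in word if ord(c) > 127]
            hits.append((word, sorted(used), odd))
    return hits

def host_punycode(url):
    """Return the hostname as it is actually resolved (ASCII/punycode form)."""
    # urlsplit() would reject the non-ASCII scheme, so take the host by regex.
    m = re.search(r"://([^/\s?#]+)", url)
    if not m:
        return None
    return m.group(1).encode("idna").decode("ascii")

def is_lookalike_host(url):
    """True when any hostname label needs punycode, i.e. is not plain ASCII."""
    host = host_punycode(url)
    return host is not None and any(l.startswith("xn--") for l in host.split("."))

if __name__ == "__main__":
    for word, used, odd in mixed_script_words(BODY + " " + LINK):
        print(f"{word!r}: {'+'.join(used)} -> {', '.join(odd)}")
    print("link host resolves as:", host_punycode(LINK))
    print("look-alike host:", is_lookalike_host(LINK))
```

A pure-ASCII hostname passes through `host_punycode` unchanged, so the `xn--` prefix is the signal to alert on, and the per-word script report tells the analyst which letters were swapped.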