As bitcoin and other cryptocurrencies become increasingly popular, attackers are taking advantage. This attack leverages bitcoin to fool early adopters of cryptocurrency with BTC Era into paying for what they believe is an investment, but is really a guise to install malware on recipients' devices.

Summary of Attack Target

• Platform: Office 365
• Email Security Bypassed: Office 365
• Payload: Malicious Link
• Technique: Brand Impersonation

Overview of the BTC Era Impersonation Malware Attack

The attack impersonates an automated email from BTC Era, a platform for trading cryptocurrency. However, the email is actually sent from aurinekevinlola@gmail.com. The sender addresses the recipient by name, and the email states that the recipient has been approved to make a BTC transaction, which requires a minimum deposit of $250 to start. Following this is a concealed URL with text that reads “create an account”.

Clicking on the “create an account” link leads to multiple redirects, before landing on “theverifycheck.com” webpage. Upon arriving at this landing page, a pop-up alert requests permission to show notifications from the website. After clicking “Allow” the landing page remains static.

By clicking “Allow”, the user has actually given permission for Adware to run on their device. It only appears that nothing has happened. Going into chrome settings, the user would be able to see that the website is running Malwarebytes, thus rendering their devices as tools to monitor user behavior, as well as launch ads and spam targeting the user.

Why the BTC Era Impersonation Malware Attack is Effective

The attack impersonates an email from BTC Era, where anyone can trade on the platform. This is an effective method to install malware if overlooked by the recipient. The URL is hosted through Constant Contact, an email marketing provider, although the email body implies the link leads to an account setup page through BTC Era. By concealing the URL, the recipient is likely to click on it and see what follows.

Furthermore, utilizing bulk email services is an easy way to deliver a widespread attack to multiple recipients at the same time. It takes less effort than spoofing emails and is more effective in casting a wide net to catch unsuspecting recipients.

Abnormal can catch this attack due to the unusual sender, the redirect links detected, and the clear name impersonation. Combined with the fact that the email contains texts and spaces at a size zero—common among email attackers–we can determine that this email is malicious.

Learn more about how Abnormal classifies malicious emails by seeing a demo today.