Malicious Actors Impersonating Bitcoin Platform to Launch Malware Attacks

Cyber-criminals have been impersonating the well-known Bitcoin BTC ERA trading platform in order to infect users of the online currency with malware, according to new research from Abnormal Security.

The cybersecurity firm found that malicious actors have been sending emails purporting to be from BTC Era that encourage users of Bitcoin to pay for what they believe is an investment.

The automated email addresses the recipient by name and says they have been approved to make a BTC transaction that requires a minimum deposit of $250 to start. The message includes a concealed URL with text that reads “create an account.” Once this link is clicked, there are multiple redirects before landing on the theverifycheck.com webpage, and once on the landing page a pop-up alert requests permission to show notifications from the website.

If the user clicks Allow, the site is granted permission to run adware on their device. Although it appears as though nothing has happened, the website is in fact enabling the user’s behavior to be monitored through malware and launching ads and spam that target them.

Abnormal Security added that the scammers used the email marketing provider Constant Contact, which let them deliver a widespread attack to many recipients at once. It noted that this “takes less effort than spoofing emails and is more effective in casting a wide net to catch unsuspecting recipients.”

Ken Liao, vice-president of cybersecurity strategy at Abnormal Security, commented: “We have seen that over the last few months the weekly volume of attacks impersonating Bitcoin platforms has remained relatively constant. We saw an increased rate of these impersonations between the end of March through the beginning of May, though.”

He added: “We would advise organizations and their employees to double check the senders and addresses for messages to ensure that they’re coming from legitimate sources. Don’t just trust the display name. In addition, we would advise everyone to always double check the webpage’s URL before signing in.

“Attackers will often hide malicious links in redirects or host them on separate websites that can be reached by safe links. This allows them to bypass link scanning within emails by traditional email security solutions. If the URL looks suspicious, don’t enter your credentials and always verify with your company’s IT department.”
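The two checks the article recommends (compare the display name with the real sender address, and look past the visible link text to where the concealed URL actually lands after its redirects) can be automated on the defender side. The script below is an added example, not code from Abnormal Security or the article; the sample message and the redirect table are constructed, and the table stands in for the HTTP 30x responses a real tool would fetch in a sandbox.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not a real capture: the display name claims "BTC Era",
# the actual sender is a bulk-mailer domain, and the "create an account" link hides a
# tracking URL that bounces through a redirector before reaching the landing page.
SAMPLE_EML = """\
From: "BTC Era" <noreply@bulk-mailer.example>
To: victim@example.org
Subject: Your BTC transaction has been approved
Content-Type: text/html

<html><body>
<p>You have been approved. A minimum deposit of $250 is required to start.</p>
<p><a href="https://track.bulk-mailer.example/c?id=123">create an account</a></p>
</body></html>
"""

# Constructed redirect table standing in for live HTTP 30x responses; a production
# tool would fetch each hop in a sandbox instead of consulting a dict.
REDIRECTS = {
    "https://track.bulk-mailer.example/c?id=123": "https://hop.example/go",
    "https://hop.example/go": "https://landing.example/",
}

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def follow_redirects(url, resolver, max_hops=10):
    """Return the hop chain from url to the final landing URL (bounded to stop loops)."""
    chain = [url]
    while chain[-1] in resolver and len(chain) <= max_hops:
        chain.append(resolver[chain[-1]])
    return chain

def analyze(raw, resolver, brand):
    """Flag display-name/sender mismatches and links that redirect to another domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if brand.lower() in display.lower() and brand.lower().replace(" ", "") not in sender_domain:
        findings.append(f"display name '{display}' but sender domain is {sender_domain}")
    for href, text in ANCHOR.findall(msg.get_body(("html",)).get_content()):
        chain = follow_redirects(href, resolver)
        hosts = [urlparse(u).hostname for u in chain]
        if len(chain) > 1 and hosts[0] != hosts[-1]:
            findings.append(f"link '{text.strip()}' -> {hosts[0]} redirects {len(chain) - 1} hops to {hosts[-1]}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML, REDIRECTS, "BTC Era"):
        print("FLAG:", finding)
```

On the constructed sample this reports two findings: the "BTC Era" display name sent from bulk-mailer.example, and the "create an account" link that hops twice before landing on a different domain than the one in the email.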