Products
Products
Detection
Response
Intelligence
About Cofense
About Cofense
Leadership
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Cryptocurrency and Exchange Phish Used to Steal User Information

By Aaron Leung, Cofense Phishing Defense Center

With the hype around cryptocurrency, threat actor exploits using this lure was a matter of time. Analysts at the Cofense Phishing Defense Center (PDC) have noticed a steady uptick in crypto-themed phishing campaigns. These campaigns replicate the crypto exchange domains and two-factor authentication (2FA) prompts. Threat actors are preying on emotions by flagging potentially unauthorized withdrawals from individual accounts.

Graphical user interface, application Description automatically generated

Figure 1: Email Body

Figure 1 shows the threat actor’s attempt at replicating an email from CoinSpot. It showcases to the recipient that there is a withdrawal pending confirmation for Bitcoin (BTC). Other than the obvious use of a Yahoo email address by the threat actor, the design of this email is extremely convincing. The style appears authentic, and there is even a Bitcoin address included to add to legitimacy. The user is prompted to either confirm or cancel the withdrawal, but both links have the same SendGrid hyperlink. Once either option is clicked, the user is redirected to hXXps://birragzez[.]netlify[.]app/ which subsequently redirects to the phishing landing page.

Graphical user interface, text, application, email Description automatically generated

Figure 2: Phishing Page

Seen in Figure 2, the domain, coinspotswap[.]com, is quite convincing at first glance, and it even has a digital certificate enabling the lock symbol in the URL address bar. This phishing page is a virtual identical twin to the authentic CoinSpot login page, making it particularly dangerous when displayed to an untrained user. Proper credential input also is required. The level of sophistication the threat actor displayed is reinforced by passwords requirements for upper- and lower-case letters, numbers and special characters.