Elon Musk, the IRS, and Your Bank Account: Anatomy of a Multi-Stage Financial Scam

June 17, 2026

By: Kahng An, Intelligence Team

Recently, the Cofense Intelligence team reported on an Internal Revenue Service (IRS)-spoofing email that claims to offer a $5,000 tax refund through an Elon Musk cryptocurrency initiative. The email instead leads to a credential phishing page and a fake cryptocurrency market used to steal personally identifiable information (PII) and Bitcoin. This campaign is notable for the extensive amount of PII it steals, which would allow threat actors to easily steal identities and pivot to social engineering attacks on a victim’s financial, government, or online service accounts. This report is a follow-up to a prior report, From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud, which covered the campaign at a high level. This report focuses on the full extent of the cryptocurrency scam website and on how the threat actors can use PII stolen in this campaign to pivot to other tactics.

Key Takeaways

  • This IRS-spoofing campaign delivers a credential phishing and cryptocurrency scam site that purports to be a tax refund benefit created by Elon Musk.
    • The lure features IRS-branded image assets, various photos of Elon Musk, and a message supposedly written by Elon Musk.
  • The threat actors attempt to steal sensitive PII, including mailing address, employment information, government-issued photo ID, and bank account and routing numbers.
    • This information can be used to pivot towards online account takeover, identity theft, and complex social engineering attacks by providing multiple pieces of sensitive information to verify identity on online services.
    • The threat actors are also able to directly steal money from the victim’s bank account via the stolen account and routing numbers.
  • This cryptocurrency scam urges the user to wait three months before they can withdraw their purported tax refund benefit, while claiming that active participation in the tax refund initiative requires weekly Bitcoin deposits into the platform. This allows the threat actors to continuously steal money from the victim for potentially weeks on end.

Campaign Overview

While the email and initial credential phishing page for this campaign were highlighted in detail during the prior report From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud, this section will provide a summary of the overall campaign leading up to the cryptocurrency market scam website.

Campaign Email

This campaign uses emails that spoof the IRS and Elon Musk to deliver an embedded link to a credential phishing site that claims to provide a $5,000 tax refund. Figure 1 shows how the email uses IRS branding assets and the sender name “Internal Revenue Service(IRS)” to send a deceptive email lure that claims to provide a “tax refund from the IRS, courtesy of Elon Musk”. Notably, the emails also provide a real IRS phone number and links to official IRS social media pages at the bottom of the email body to seem legitimate.

Figure 1: The campaign email purporting to provide a $5,000 tax refund.
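One check a mail gateway or triage script can apply to messages like the one in Figure 1 is to compare the From display name against the sender domain: a name that asserts the IRS while the address is not under irs.gov is a spoof indicator. The following Python is an added example, not code from Cofense or from the campaign; the sample messages and their domains are constructed, and AGENCY_DOMAINS is an assumed keyword-to-domain mapping you would extend for your own environment.

```python
import email
import re
from email.utils import parseaddr

# Display-name keywords that assert a government identity, mapped to the only
# domain that identity can legitimately send from (assumed mapping; extend it).
AGENCY_DOMAINS = {
    "internal revenue service": "irs.gov",
    "irs": "irs.gov",
}

# Constructed sample messages (not from the campaign). The first mimics the
# lure described above; the second shows a message whose sender domain agrees
# with the identity claimed. All addresses and domains are placeholders.
LURE_EMAIL = """From: "Internal Revenue Service(IRS)" <refunds@example-lookalike.test>
To: recipient@example.org
Subject: Your $5,000 tax refund is ready
Content-Type: text/plain

Claim your tax refund from the IRS, courtesy of Elon Musk: https://example-phish.test/claim
"""

LEGIT_EMAIL = """From: "Internal Revenue Service" <noreply@irs.gov>
To: recipient@example.org
Subject: Account notice
Content-Type: text/plain

Sign in to your account at https://www.irs.gov/ for details.
"""


def sender_domain(address: str) -> str:
    """Return the lowercased domain of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_display_name_spoof(raw_message: str) -> dict:
    """Flag a message whose From display name claims an agency identity while
    the sender domain is neither that agency's domain nor a subdomain of it."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = sender_domain(address)
    name_lc = display_name.lower()
    indicators = []
    for keyword, legit_domain in AGENCY_DOMAINS.items():
        # Whole-word match so that a name like "First Bank" does not trip "irs"
        if not re.search(r"\b" + re.escape(keyword) + r"\b", name_lc):
            continue
        if domain == legit_domain or domain.endswith("." + legit_domain):
            continue
        indicators.append(
            f"display name claims '{keyword}' but sender domain is '{domain or 'missing'}'"
        )
    return {
        "display_name": display_name,
        "sender_domain": domain,
        "spoof_indicators": indicators,
        "suspicious": bool(indicators),
    }


if __name__ == "__main__":
    for label, raw in (("lure", LURE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_display_name_spoof(raw))
```

The check is deliberately narrow: it does not judge the body, the phone number, or the social media links, all of which the lure copies from the real IRS, because the display name and the sending domain are the one pair the attacker cannot make agree without controlling an irs.gov mailbox. Since the IRS does not initiate contact about refunds by email, a refund message that passes this check still deserves scrutiny.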

Credential Phishing Site

Figure 2: The credential phishing site from the email’s embedded link.

Continuing from the IRS and Elon Musk-spoofing lure in the email, the credential phishing site uses IRS brand assets and pictures of Elon Musk to seem legitimate. The main message of the credential phishing page, which details the $5,000 tax benefit, is shown in Figure 3. Potential victims of this credential phishing page are lured into joining the “ElonMusk Dogecoin Initiative,” where participants are asked to purchase Bitcoins using money provided by a cryptocurrency marketplace. Participants would purportedly be given $10,000 on a weekly basis to use to purchase Bitcoins, and the participants would send back $9,500 worth of Bitcoins to the marketplace, keeping $500 for themselves. As part of the initiative, participants are invited to receive a $5,000 initial benefit after registration, which requires filling out the credential phishing form shown in Figure 4.

Figure 3: The credential phishing page’s explanation of the purported tax benefit and “ElonMusk Dogecoin Initiative”.

Figure 4: The credential phishing form which is required to access the “ElonMusk Dogecoin Initiative” website.

Any information entered into the credential phishing form is exfiltrated to a Telegram bot controlled by the threat actor. The following is an example of the message sent to the Telegram bot when the form is submitted.

[Image: example Telegram message containing the submitted form data]
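Defenders who capture the source of a kit like this one can pull the Telegram bot token and destination chat id out of it as indicators for reporting the bot and for clustering kits across sites. The Python below is an added example, not the campaign’s code or Cofense tooling; the page fragment, the token, and the chat id are constructed placeholders, and the token shape assumed is Telegram’s numeric bot id, a colon, and a 35-character secret.

```python
import re

# Constructed sample of a phishing-page script fragment, standing in for the
# kind of source a kit uses to post submitted form fields to a Telegram bot.
# The token and chat id are placeholders in the expected formats, not live values.
SAMPLE_PAGE_SOURCE = r"""
<form id="refund-form" action="#" method="post"> ... </form>
<script>
  const BOT_TOKEN = "123456789:AAFexampletokenplaceholder000000000";
  const CHAT_ID = "-1001234567890";
  // form fields are serialised and posted to
  // "https://api.telegram.org/bot" + BOT_TOKEN + "/sendMessage"
</script>
"""

# Assumed token shape: "<numeric bot id>:<35-char secret>". The lookarounds
# keep the pattern from matching inside a longer base64-like blob.
BOT_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])"
)
# Destination chat ids (negative for groups and channels) usually appear as a
# chat_id / CHAT_ID assignment or JSON key next to the token.
CHAT_ID_RE = re.compile(r"chat_?id[\"']?\s*[:=]\s*[\"']?(-?\d{5,15})", re.IGNORECASE)
API_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)


def dedupe(values):
    """Preserve first-seen order while dropping duplicate hits."""
    return list(dict.fromkeys(values))


def extract_telegram_exfil(source: str) -> dict:
    """Return indicators that a captured page exfiltrates form data to a Telegram bot."""
    tokens = dedupe(BOT_TOKEN_RE.findall(source))
    chat_ids = dedupe(CHAT_ID_RE.findall(source))
    uses_api = bool(API_RE.search(source)) or bool(tokens)
    return {
        "uses_telegram_api": uses_api,
        "bot_tokens": tokens,
        "chat_ids": chat_ids,
    }


def triage_summary(source: str) -> str:
    """One-line verdict suitable for an analyst note or a ticket title."""
    result = extract_telegram_exfil(source)
    if not result["uses_telegram_api"]:
        return "no Telegram exfiltration indicators"
    return (f"telegram exfil: {len(result['bot_tokens'])} token(s), "
            f"{len(result['chat_ids'])} chat id(s)")


if __name__ == "__main__":
    print(extract_telegram_exfil(SAMPLE_PAGE_SOURCE))
    print(triage_summary(SAMPLE_PAGE_SOURCE))
```

The same token frequently turns up across several phishing domains run by one operator, so recording it alongside the chat id gives a stable pivot for tracking the kit after individual hosts are taken down, and it is the value to include when reporting the bot to Telegram.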

After filling out the form, the victim is redirected to the page shown in Figure 5 that details how to sign up for the “ElonMusk Dogecoin Initiative” marketplace and redeem the $5,000 tax benefit. The full instructions for registration are shown in Figure 6.

Figure 5: After submitting the credential phishing form, victims are redirected to a page that provides further instructions on how to access the “ElonMusk Dogecoin Initiative” cryptocurrency scam website.

Figure 6: Provided instructions on how to access the “ElonMusk Dogecoin Initiative”. Note how the cryptocurrency marketplace solicits additional personal information by asking for a valid photo ID and banking information.


“ElonMusk Dogecoin Initiative” Cryptocurrency Scam Website

While the initial credential phishing page is already more complex than most credential phishing sites found in email campaigns, the additional “ElonMusk Dogecoin Initiative” site gives the threat actors multiple avenues to pivot from the initial credential theft. Having built a potential victim’s trust with the initial email and the credential phishing site, the threat actors then target the victim’s identity and banking information. While most of the site exists to build further trust leading up to identity theft, there are also many details that should make victims immediately suspicious.

Platform Homepage Dashboard

Accessing the “ElonMusk Dogecoin Initiative” requires creating a new account on the platform, which also gives the threat actors credentials to use in credential stuffing attacks against other services. Upon logging in, victims are greeted with the seemingly legitimate cryptocurrency marketplace shown in Figure 7, featuring price tickers, user activity, and a “Redeem Voucher” menu intended for retrieving the $5,000 tax benefit.

Figure 7: The “ElonMusk Dogecoin Initiative” dashboard. Note how this site continues to use Elon Musk images but no longer uses any IRS branded assets.

Notably, the “Live Platform Activity” section is entirely fake: it is hardcoded to cycle through pre-set messages so that victims believe the platform has other users. Figure 8 highlights how certain messages repeat in the display.

Figure 8: The threat actors populate the “Live Platform Activity” board with fake user activity that is displayed from a hardcoded list of messages.

Voucher Redemption

Following the instructions from the credential phishing page, victims go to the “Redeem Voucher” page and enter the code “ELON” for their $5,000 tax benefit. Redemption adds the funds to the victim’s account on the platform, where they can then be used for trading or for withdrawal after the victim adds bank information for a direct deposit.

Figure 9: The voucher redemption form using code “ELON”.

Figure 10: After redeeming the voucher, the balance on the platform is updated with a $5,000 deposit.

Unlike coupon systems on most legitimate sites, this voucher can seemingly be redeemed multiple times, granting a $5,000 deposit every time. Because this is not a real marketplace, the repeated deposits are inconsequential, but a victim who tried the same code repeatedly should find this behavior suspicious.

Figure 11: The same voucher code can be redeemed multiple times on the platform.

Notably, the redemption form also prompts the user with the example code “CRYPTO5000”, which is also a valid code for $5,000.

Figure 12: The sample code “CRYPTO5000” is also a valid voucher code.

Withdrawing Funds

After receiving their tax benefit deposit, the victim can attempt to withdraw funds via direct deposit. However, the victim is informed that withdrawing requires being active on the platform for three months, which, under the initiative’s instructions, would mean several weeks of Bitcoin payments to the threat actors. While it is unlikely that the threat actors ever intended to send victims the purported $10,000 payments to convert into Bitcoin, the three-month dwell period could keep a victim involved in the scam for weeks.

Figure 13: The platform requires active participation for three months before allowing any withdrawals.

While waiting to fulfill the three-month requirement, a victim can provide identity verification and banking information to join the “withdrawal queue”. Specifically, the platform asks for a photo of a government-issued photo ID or driver’s license along with a bank account number and routing number for a direct deposit. Legitimate banking institutions do request this kind of information, which makes the threat actors seem more convincing when attempting to steal this PII from the victim.

Figure 14: Victims are asked to upload a photo ID as a part of the withdrawal process.

Figure 15: Victims are also asked for banking information used for direct deposit withdrawals.

After submitting the requested information, the victim’s withdrawal request is marked pending.

Figure 16: After submitting all the requested PII, the withdrawal is added to the queue.

Using the banking information and PII, the threat actors would be capable of much more sophisticated identity theft and social engineering attacks beyond the information exfiltrated from the credential phishing form in Figure 4. The threat actors would also be able to steal money directly from the victim’s bank account due to having access to the account and routing numbers.

While the information stolen in the initial credential phishing site that led up to this marketplace site provides the threat actors with sufficient information for social engineering attacks and potentially account takeovers via password recovery questions, stealing a photo ID and banking information allows the threat actors to pivot to more complex identity theft attempts. Additionally, having access to a victim’s bank account number and routing numbers allows the threat actors to potentially bill and automatically debit funds from the victim’s bank account. While it is unclear whether any victims had money stolen this way, or if any funds were ever actually given from the threat actors to victims for the explicit intent of purchasing cryptocurrency, stolen withdrawals may have been one way of turning this campaign into more than just a complex credential phishing site. Although this campaign was likely more expensive to develop than most, it would only take a small number of victims adding their banking details for the threat actors to make a significant profit.

Bitcoin Deposits

The Bitcoin deposit page features a QR code for a Bitcoin address and the same address in plaintext. Presumably, these would have been used to deliver the $9,500 Bitcoin deposits that the victim would be instructed to send on a weekly basis. However, at the time of this report, the included Bitcoin address still has not had any activity on it. This suggests that the threat actors likely never intended to send any funds to victims for the sake of having victims purchase Bitcoins. While the threat actors may have used this tactic in order to launder money, it appears that the threat actors were likely always intending this campaign to be focused on credential phishing.

Figure 17: The threat actor’s Bitcoin address is included on the Bitcoin deposit page and the unredacted QR code allows for easy scanning.

Customer Support Chat

Like some other complex credential phishing campaigns, this one features a chat system that appears to be staffed by the threat actors. Figures 18 through 20 show conversations with the threat actors on the platform. Notably, replies arrived within minutes of the initial message, suggesting that the threat actors were actively monitoring the chat system. Inconsistent writing styles suggest the chat was staffed by several individuals, or by a combination of automated responses and real people. Additionally, the threat actors appeared to have tools to analyze individual account activity on the platform and reviewed this activity when messages were sent.

Figure 18: When opening the support chat, a default message is automatically sent to greet the user.

Figure 19: The threat actors were responsive on the chat platform and responded within minutes.

Figure 20: Upon reviewing the account used to explore this platform’s infrastructure, the threat actors were able to note how the account uploaded incorrect information and claimed multiple vouchers.

Shortly after these communications, the account was banned from the platform, though a new account could still be registered.

Figure 21: Like in many scams, the threat actors prefer to avoid interacting with non-ideal, non-compliant victims.

Conclusions

Like many other credential phishing campaigns, this campaign relies on building false trust with the victim. The initial email attempts to lure in potential victims with a financial incentive backed by a government agency. The embedded link leads to a credential phishing page that contains a lengthy speech purporting to be from Elon Musk, which is used to establish further trust with a potential victim. The cryptocurrency market scam is intricate enough to reasonably be seen as a legitimate trading platform at a glance, though investigating certain specific details or the website’s source code reveals otherwise. Because many government and financial sites require sensitive information from the user, a potential victim may find it plausible that they would need to upload information such as their bank account details or photo ID. These deliberate steps from the threat actor to deceive a potential victim are what make this campaign particularly notable.

To quantify this campaign’s full potential impact, the following pieces of PII could be stolen, assuming a potential victim provides as much information as possible.

  • Full name
  • Mailing address
  • Phone number
  • Email address
  • Age
  • Driver’s license or passport ID number and photo scan
  • Occupation
  • Employer name
  • Bank account name, routing number, and account number
  • Password for the cryptocurrency market scam website

Unfortunately, with the extensive amount of PII stolen in this campaign, the threat actors could easily pivot to further attacks such as account takeovers via credential resets, sophisticated social engineering attacks that require personal information, or full-blown identity theft and financial fraud. Information such as bank account name, employer name, and email address can be used to enumerate online accounts to target for credential resets. The password entered on the cryptocurrency market scam site can be used for credential stuffing in the hope that the victim reused it on other sites. Detailed information such as mailing address, phone number, and government-issued photo ID could be used to socially engineer customer support helpdesks for online services into performing a credential reset. At worst, the threat actors could use the photo ID to attempt identity theft and use the bank account information to send ACH transactions against the victim’s bank account, letting the threat actors steal money from the victim directly.