Phishing victim loses $60,000 in Bitcoin scam

In June, the US Marshals Service made a mistake. In an attempt to email information to potential bidders, as the agency was planning to auction off 30,000 Bitcoins seized during the takedown of Silk Road, a list of those interested in the auction was leaked to the public.

The story wasn’t all that spectacular, more of an interesting note of how not to email information of a somewhat sensitive nature (those taking part in the auction were supposed to remain unknown to each other and the public), but that’s about it. However, weeks later, the story has taken a troublesome twist.

The individuals who found themselves on the leaked list from the US Marshals Service were targeted in a Phishing scam. According to the Wall Street Journal, which published the one of the Phishing emails, the victims were asked to take part in an interview.

The person(s) behind the Phishing attempt claimed to be working with BitFilm Productions, a legitimate firm operating out of Germany. The victim was asked to take part in an interview, and review a list of questions should they be interested.

“Anybody who responded was then sent another email, with what appeared to be a Google Doc list of questions. But clicking on the attachment unleashed a malicious attack that seized access to the user’s email account and passwords,” the WSJ article explained.

The full scope of the attack itself is a bit above normal, but it aligns perfectly with a scaled targeted attack.

Once the victim clicked the link inside the email, they were presented with a fake login for their Google account. This trick has been used frequently this year, and has proven to be useful for criminals looking to collect authentication details.

Of all the intended victims, only a single person fell for the scam. The result was a loss of 100 BTC, or $63,396 USD. The victim was a Melbourne-based, Bitcoin arbitrage fund called Bitcoins Reserve.

Sam Lee, co-founder of the fund, clicked the link and entered his Google details as requested. Once the person(s) behind the attack obtained the credentials, they were able to complete a password challenge, which gave them access to all the plaintext passwords stored in Lee’s browser (Chrome).

The extended access led the attacker(s) to the domain registrar used by Bitcoins Reserve, where a DNS record was added to the domain; part of the process needed to allow Google to confirm ownership over the company’s Google Apps account.

Once Google confirmed ownership, the Apps account was accessed, and Lee’s email account was used to message the company’s CTO in order to request a 100 BTC transfer to a specific Bitcoin address.

According to Lee, in an interview with Startup Smart, the CTO asked for a phone call to confirm the request. The attacker(s) agreed, but pushed the call off until later in the day, as “Lee” was busy.

The CTO called the CFO, who “mistakenly thought they were fulfilling an internal client withdrawal request.”

As it turns out, Lee really was busy that morning, so the attacker(s) claims were credible, because no one could reach him by phone.

“Is it the US Marshals’ fault that the attack occurred? Absolutely! Is it their fault that we lost some Bitcoins? No. “Bitcoin is still in its infancy, and the untraceable nature of it attracts very high profile hackers to jump on board and try to add to their incomes,” Lee said in an interview with Startup Smart.

“But people losing Bitcoins could only because of their own lack of security procedures. I’m glad it’s happened sooner rather than later, as it’s made us aware of our vulnerabilities.”

“Bitcoin in general is such a new industry, things are happening at a lightening pace,” Lee added.

“Security gets left on the wayside and we leave our doors open to such social engineering, because these things happen so quickly.”

After the funds were transferred, the attackers attempted to blackmail Lee for an additional 200 BTC, threatening to release his emails from over the last seven years if he didn’t pay.

On July 1, the US Marshals Service announced that a single bidder had won the auction, but didn’t release any additional details on the winner’s identity or their winning bid.