This is the first installment of a spam email series where I investigate what happens when you click on those links we security professionals keep telling you not to click on. I hope it provides some value to someone and keeps one less person from falling prey to these ever-prevalent schemes.
Like most of you, I logged into my email, which I have done many times over the years, and saw a strange email that caught my attention. The email purports that I had forgotten about $21,000 worth of Bitcoin (BTC) in an account, and I had 8 hours to withdraw, or the balance would be forfeited.
I do have some investment exposure to cryptocurrencies, including BTC. However, I knew from experience that this email was a scam, so I decided to investigate and use the results as a teaching tool. What follows is my journey to recover my forgotten Bitcoin.
DISCLAIMER: I have redacted some details to mitigate curiosities. You should never visit these sites, no matter how enticing or sincere they seem.
The Beginning
The screenshot below shows the spam email I received in late November 2022. The link uses the Google Apps Script service to bypass security controls that would generally consider Google domains to be trusted. If you are not familiar with this last part, let me explain.
Organizations can generally choose one of two approaches to block user access to malicious sites. The traditional method is to create a blocklist sourced from a feed. However, the blocklist has scale and maintenance problems. The recommended method is an allowlist, which defaults to blocking everything unless explicitly allowed. This latter choice leads to including domains like Google that are trusted or not considered malicious.
So from the attacker’s perspective, when an unsuspecting user clicks on a link similar to the one below, it has a higher chance of bypassing both a blocklist and an allowlist.
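The filtering gap described above, as an added example that is not part of the original post: a hostname-only decision lets an Apps Script link through in both blocklist and allowlist mode, while a path-aware check routes user-published paths on a trusted host to review. The list contents, function names and sample URLs are constructed assumptions, and the deployment ID is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed policy data for illustration; not taken from the original post.
BLOCKLIST = {"known-bad.example"}
ALLOWLIST = {"google.com", "microsoft.com"}
# Paths on trusted hosts where anyone can publish their own content.
# Apps Script web apps are served under script.google.com/macros/.
USER_CONTENT = {"script.google.com": ("/macros/",)}


def _matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def domain_only_verdict(url, mode):
    """Classic proxy decision that looks only at the hostname."""
    host = (urlsplit(url).hostname or "").lower()
    if mode == "blocklist":
        return "block" if _matches(host, BLOCKLIST) else "allow"
    return "allow" if _matches(host, ALLOWLIST) else "block"


def path_aware_verdict(url, mode):
    """Same decision, but user-published paths on trusted hosts go to review."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    verdict = domain_only_verdict(url, mode)
    if verdict == "allow":
        for prefix in USER_CONTENT.get(host, ()):
            if parts.path.startswith(prefix):
                return "review"
    return verdict


# Constructed sample links; EXAMPLE_DEPLOYMENT_ID is a placeholder.
SAMPLES = [
    "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec",
    "https://www.google.com/search?q=bitcoin",
    "https://known-bad.example/login",
    "https://unlisted-site.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url,
              [domain_only_verdict(url, m) for m in ("blocklist", "allowlist")],
              path_aware_verdict(url, "allowlist"))
```

A "review" verdict is where an organization would attach whatever extra control it has, such as link rewriting, detonation in a sandbox or a user warning page.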

I have a sandboxed environment I use when I want to research these shenanigans. The screenshot below is what I saw after clicking on the link in the email.

The image above is a flashing GIF that eventually redirects me to the page below. Notice that the time is no longer 8 hours but has a 21-hour countdown and continues to warn about account deletion. The scam has three steps that need to be followed to receive the bitcoin:
- Log in to the fictitious account
- Communicate with the account manager
- Request withdrawal

Pseudo Authentication
This is step one. If someone follows this farce, they won’t have actual credentials to log in. However, the scammers designed the webpage, so the username and password were already prefilled. Notice the nice touch where they have the Google login button at the bottom.

I went through this process a few times to test different interactions. The login and the Google button both take you to the page below. When you try to register, it will accept any credentials and automatically redirect you to the same page below. How about that for service availability! If you are wondering, the Google button does not use Google SSO.

Once I click the collect bitcoin bonuses button, the screenshot below is presented. Notice that they keep teasing the account balance.

The page above is likely doing some browser crypto mining while you wait for it to reach 100 percent. If I navigate away from the page, it stops loading, so they force the user to have the tab focused. While testing, it took about 5 to 10 minutes, and then I was redirected to a chatbot masquerading as a human.
Chatbot Integration
This is the second stage of the scam that uses what appears to be chatbot technology to automate collecting information from potential victims. The title of the representative is Lead Manager Of The Payout Department, which is a fancy-sounding title! Remember that this is all manipulation to get victims to the endgame.

There was no text input box for me to communicate with Amelia; she just provided information that eventually ended with a request to fill out the form below. I suppose if there was an input box, it would minimize the chances of success and add complexity.

I filled out the form above with false information. We can assume the data is harvested from victims and can be leveraged for some future use cases. After the form is submitted, there is a small delay, and the manager continues with information and instructions.

The screenshot above is where the endgame starts to manifest. Most victims that get this far have likely heard about bitcoin but will be more interested in the fiat currency over cryptocurrency.
The manager provides information detailing how the conversion will happen and a reminder that the victim will receive a $21,000 payout after conversion. This part of the ploy is critical, as we will soon see in the following screenshots.

Bitcoin Withdrawal
This is the third and what seems to be the final step, where they will try to extract funds from the victim.

Notice the urgency in the screenshot above. You will receive $21,000 after you pay a $64 conversion fee. As you are reading this, do you know anyone that would pay a 64-dollar fee for a 21 thousand dollar deposit?
The following screenshot appears when you click the “Exchange BTC for USD” button.

This part is interesting to me. To pay the fee, the victim must navigate the MoonPay registration and funding process to acquire roughly $64 worth of Bitcoin. I suspect this is where most victims exit if they lack the technical knowledge to continue. Let’s not forget the trust factor in the MoonPay website, which could also lead to exits.
The image below was presented when I clicked the “Pay” button. Various crypto wallets will allow you to pay by scanning the QR code, so these scammers have made it really convenient.

Notice that the image above has a countdown timer in the upper right-hand corner that indicates that the address is being monitored for payment. I never bothered to send “research” funds to the wallet, so the page eventually times out when the timer expires.
I’ve selected the “Copy” tab in the image below that reveals the text-based Bech32 Bitcoin wallet address. I did repeat this entire process, and a new address was generated each time.

I can only imagine that some victims will reason that learning to purchase and send some bitcoin is all that stands in the way of a payday. History has shown that money is a sufficient motivator for action. If you think this scam is obvious, remember that security hygiene varies across the population.

This last image is a screen grab from one of the many blockchain explorer websites that allow you to see wallet balance and transaction history. You can’t necessarily follow the money trail since they are generating new addresses.
If you had a spare $64 you wanted to donate, then as a security researcher, you could send payment to the wallet and it is pretty trivial to see when the funds get moved and to which address(es). However, I am going to assume the scammers employ some form of bitcoin washer since sending the funds to their real wallet would be poor tradecraft.
Thanks for reading.