Notes on a Phishing Attempt
While going through email earlier, I noticed this message from Ian Allison of the International Business Times. It appeared to have been Bcc’d to at least a portion of his contact list/address book. Ian has dedicated a great deal of time to writing about the bitcoin, blockchain and cryptocurrency spaces (thanks Ian!) and as a result often reaches out to the people and companies he is writing about for additional commentary.
In the past, when Ian reaches out he usually provides context with regard to the inquiry. For example, he may mention the topic he’s writing about and, specifically, what he’s looking to get commentary or feedback on. In this case there was none of that, just a notification that a document had been shared, with an odd file name: EXP_02/07/2017.pdf.
DKIM and SPF records checked out
Despite the strange air to the email, it actually did look like it was from Ian. For example, his email address was correct, as was his phone number and fax number at IBT. Even the DKIM and SPF records were legit:
Additional scrutiny of the email, however, revealed more odd characteristics in this purported message. For example, analyzing the email in its raw format showed that the Open link to the shared document wasn’t linked to Google at all, but rather to Bit.ly, a URL redirector, which is a big red flag:
Ian Allison has shared the following PDF:
EXP_02/07/2017.pdf <http://bit.ly/REDACTED_FOR_SECURITY_PURPOSES>
Open <http://bit.ly/REDACTED_FOR_SECURITY_PURPOSES>
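As an added illustration (not part of the original post), here is a small Python triage script that applies the two checks described above to a constructed copy of such a notification: it reads the Authentication-Results header (the DKIM/SPF verdicts) and compares each link's visible text with where its href actually points, flagging URL shorteners and any host outside the Google Drive domains a real share notification would use. The sample message, sender address and bit.ly path are placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample: a "document shared" notification whose
# Authentication-Results show SPF and DKIM passing, but whose links
# point at a URL shortener instead of Google Drive.
SAMPLE_EMAIL = """\
From: Ian Allison <sender@example.com>
To: undisclosed-recipients:;
Subject: Document shared with you
Authentication-Results: mx.example.net; dkim=pass header.d=example.com; spf=pass
Content-Type: text/html; charset="utf-8"

<p>Ian Allison has shared the following PDF:</p>
<p><a href="http://bit.ly/PLACEHOLDER">EXP_02/07/2017.pdf</a></p>
<p><a href="http://bit.ly/PLACEHOLDER">Open</a></p>
"""

# Hosts a genuine Google Drive share notification links to (assumption).
EXPECTED_DOMAINS = {"drive.google.com", "docs.google.com"}
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def auth_results(msg: Message) -> dict:
    """Return {"dkim": "pass", "spf": "pass", ...} from Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", hdr))


def extract_links(html: str) -> list:
    """Return (href, visible text) pairs for every anchor in the HTML body."""
    return re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S)


def suspicious_links(msg: Message) -> list:
    """Flag links whose real target is a shortener or not a Google Drive host."""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings = []
    for href, text in extract_links(body):
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            findings.append((text.strip(), host, "url shortener"))
        elif host not in EXPECTED_DOMAINS:
            findings.append((text.strip(), host, "not a Google Drive host"))
    return findings


def triage(raw: str) -> dict:
    """Authentication verdicts plus link findings: passing DKIM/SPF alone is not enough."""
    msg = message_from_string(raw)
    return {"auth": auth_results(msg), "links": suspicious_links(msg)}
```

Run `triage(SAMPLE_EMAIL)`: the auth verdicts both read "pass", exactly as in the real message, while both links are flagged because they resolve to bit.ly.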
Blocked by Google
Sending a note to Ian about this also turned up something strange:
All messages being sent to Ian’s email address were being rejected. At this point it was clear there was definitely a problem.
Confirmed on Twitter
The final nail in the coffin was a tweet from Ian himself:
The Bitcoin space is being targeted
Bitcoin companies and members of the community see lots of dirty stuff, like people getting impersonated and attachments with malware:
- https://blog.coinbase.com/on-phone-numbers-and-identity-423db8577e58#.ow4544g00
- http://motherboard.vice.com/read/how-a-clever-hacker-tricked-a-major-bitcoin-company-out-of-18-million
- http://www.coindesk.com/unconfirmed-report-5-million-bitstamp-bitcoin-exchange/
It’s important to remind ourselves to always be cautious about people reaching out via email, social media profiles, instant messengers, etc., especially if an attachment is being sent or information is being confirmed and/or requested (like a phone number or address). Be extra wary if an urgent or sensitive request comes via an odd communication channel (like email instead of a phone call), and if the message itself looks strange.
Many bank robbers don’t use guns — they use computers
As bitcoin continues to gain traction and revenue, nefarious people will try more sinister and elaborate things to attempt to steal from you, your friends/colleagues and other acquaintances in the community.
Keep your eyes peeled for stuff that doesn’t look right and say something if you see it!
Thanks to Ian Allison for his work writing about the bitcoin, blockchain and cryptocurrency space, and also for speaking up on Twitter to let everyone know that there was an issue with his email.