Hackers Phishing Leakers: A New BitCoin Phishing Social Technique.



Recently I’ve been playing with a simple pastebin bot. Basically it’s a crawler for the pastebin.com website that applies a few regular expressions to new pastes and saves the interesting ones. Services like this are all around the internet; one example is the leakedin website, where you can find potential data leaks almost in real time. It’s nothing new that hackers are already crawling for this kind of content, waiting for dumps, leaks or any sort of interesting data to use for malicious purposes.

While collecting data with my bot, I found something very interesting, potentially a whole new phishing/social technique that I had never seen before.

Someone is periodically posting content like the following on pastebin.com (sample taken from here):

JIHAD ACHMED presents to you
With a dump of beta accounts from
thebitcoinshop.pixub.com

Claimed to be "Secure Cold Storage" Lets see how
"Secure" they are now when all 50 of their Beta
Accounts get leaked!


password / email

... REDACTED USER / PASSWORD LIST ...

About Bitcoin-Value Storage

Firstly, we want to appologize for the website being cookie cutter. But we belive that Service comes
BEFORE Looks!
Bitcoin-Value Storage started when we realized that people could trace how much came to the addresses
we were using. When we wanted to have long term cold storage we realized that anyone who was tracking
our addresses would realize exactly how much we were putting into cold storage.
To resolve this we decided to create Bitcoin-Value Storage. Enabling secure semi cold storage through
constant washing of bitcoins through multiple wallets, and servers.
When coins are in our storage they are never sent to the same address twice. They are shuffled through
multiple servers.
Our servers come online a few times a week to keep their blockchain up to date and process any
transactions that are required. Only wallets that have pending withdrawls come online durring this time
to be updated. Otherwise the washing occurs randomly from your wallet on one server, to your wallet
on another server.

The redacted part is a space-separated list of usernames and passwords for alleged beta accounts on the “thebitcoinshop” website, which is apparently a BitCoin trading platform.

login page

You might think “wow cool, let’s log into those accounts and get all the BTC they have!!!” … yeah, sure …

Once you’ve logged in with one of these accounts (btw they all seem to be filled with 10 to 30 BTC each), you will be able to send BTC to a given address.

send page

Guess what? Whatever you type into the address field will be accepted by the system :)
Then, you will be redirected to the following page …

fishy phishing

Don’t you see something fishy? This is a fake login: the page will steal your credentials for the legit blockchain.info website and then redirect you there.

Summarizing

Someone is periodically posting content to pastebin.com, trying to trigger pastebots with specific keywords. This content lures the bot owner into entering his blockchain.info credentials into a phishing page.

Hackers phishing leakers … isn’t it funny? :D
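
An added example (not part of the original post and not the author's bot): a triage step a paste-bot operator could run, so that a paste combining credential rows, a named site and a cryptocurrency hook is queued as suspected bait instead of as a plain leak. The regular expressions, the keyword list and the verdict names are assumptions made for this example, and the sample pastes are constructed.

```python
import re

# Assumed patterns for this example; a real paste bot would carry many more.
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
# Host names that are not part of an e-mail address.
DOMAIN = re.compile(r"(?<![\w@.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w@-])", re.I)
# Assumed lure keywords; the post does not list the ones the poster used.
LURE = re.compile(r"\b(bitcoin|btc|wallet|cold storage)\b", re.I)


def triage(paste: str) -> dict:
    """Classify one paste for the bot operator's review queue."""
    cred_lines = 0
    for line in paste.splitlines():
        tokens = line.split()
        # Credential rows in these dumps are two space-separated fields.
        if len(tokens) == 2 and any(EMAIL.match(t) for t in tokens):
            cred_lines += 1
    domains = sorted({d.lower() for d in DOMAIN.findall(paste)})
    lures = sorted({m.lower() for m in LURE.findall(paste)})
    if cred_lines and domains and lures:
        # Credentials + a place to use them + a money hook: treat as bait.
        verdict = "bait-suspect"
    elif cred_lines:
        verdict = "leak-candidate"
    else:
        verdict = "ignore"
    return {"verdict": verdict, "cred_lines": cred_lines,
            "untrusted_domains": domains, "lure_terms": lures}


# Constructed samples (not real pastes); .example is a reserved TLD.
BAIT = """Dump of beta accounts from
coldvault.example
Claimed to be "Secure Cold Storage"
password / email
hunter2 alice@mail.example
letmein bob@mail.example
"""
PLAIN_LEAK = """hunter2 alice@mail.example
letmein bob@mail.example
"""

if __name__ == "__main__":
    for name, text in (("bait", BAIT), ("plain leak", PLAIN_LEAK)):
        print(name, triage(text))
```

Anything listed under `untrusted_domains` in a bait-suspect paste is a site to report or block, not one to visit and log in to.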