This credential phishing attack impersonates the cryptocurrency exchange Bittrex. Following accusations from the U.S. Securities and Exchange Commission that it was operating as an unregistered securities exchange, Bittrex entered bankruptcy proceedings with help from Omni Agent Solutions, a case administration service provider. On June 15, Bittrex announced via email that customers could now remove any remaining funds but must do so by August 31. On October 23, nearly two months after the withdrawal deadline, Bittrex's former customers received an email claiming they still had assets on the exchange that were eligible to be withdrawn. The email states that if the funds are not removed from the platform before the withdrawal period ends on October 25, all assets will be forfeited. It outlines several steps to claim the remaining balance and provides a link, purportedly to the Bittrex portal, for the target to begin the withdrawal process. The link is masked with a URL shortener; once the target clicks it, the attacker aims to harvest login credentials, banking details, or other sensitive information.

The attacker sends from a legitimate, externally compromised email account, so the message passes SPF, DKIM, and DMARC authentication: those checks vouch for the sending domain, not for the sender's intent. To seem more authentic, the attacker uses the sender name "Omni Agent Solutions," the company assisting with the bankruptcy, and reuses the branding and the actual footer from emails sent by the impersonated company.

Legacy email security tools struggle to identify this attack because it carries no attachment, relies on social engineering, and comes from a sender with no prior history. Modern AI-powered security tools analyze the content and links and recognize the unknown sender, flagging the email correctly as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments: This email contains no attachments. Many traditional security tools focus on scanning attachments for known malware signatures, so a message with none never triggers those checks.
  • Social Engineering: The email uses social engineering techniques to create a sense of urgency and convince the recipient to take action. Traditional security tools are not very effective at detecting this type of threat.
  • Unknown Sender: The email comes from an address and domain the target has never received mail from before. Legacy security tools may be unable to track and analyze the reputation of such senders over time.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the links included in the email. In this case, the body of the email contains a link that the system flagged as suspicious.
  • Content Analysis: Abnormal analyzes the language used in the email. The language used in this email, such as the urgent tone and the request for action, is typical of phishing attacks.
  • Unknown Sender: The email is from a sender the company has never corresponded with. Abnormal flags this as suspicious, since it is unusual for a company to receive mail from completely unknown senders.

By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
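The contrast drawn above, between the checks a legacy gateway makes (attachment scanning plus SPF/DKIM/DMARC) and the behavioral indicators a modern solution weighs (unknown sender, impersonating display name, urgent language, masked link), can be made concrete with a small scorer. The following Python is an added illustration, not Abnormal's detection code or any vendor's; the sample message, the term and shortener lists, the threshold, and the known-sender set are all assumptions constructed for the example.

```python
"""Added example: why authentication and attachment checks pass the Bittrex
lure while behavioural indicators flag it. Not Abnormal's detection logic;
sample message, word lists and threshold are assumptions."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above (not a real
# capture): compromised sender passes SPF/DKIM/DMARC, display name claims
# "Omni Agent Solutions", no attachment, destination hidden behind a shortener.
SAMPLE_EMAIL = """\
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=compromised.example; dkim=pass header.d=compromised.example; dmarc=pass header.from=compromised.example
From: "Omni Agent Solutions" <notices@compromised.example>
To: former-customer@victim.example
Subject: Final notice: remaining Bittrex balance will be forfeited
Content-Type: text/plain; charset="utf-8"

Our records show you still have assets eligible for withdrawal.
If funds are not removed before the withdrawal period ends on October 25,
all remaining assets will be forfeited.

Step 1: Visit the Bittrex portal: https://bit.ly/3xAmpLe
Step 2: Verify your identity and bank details to release the balance.
"""

URGENCY_TERMS = ("final notice", "forfeited", "immediately", "act now", "expires")
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
IMPERSONATED_NAMES = {"omni agent solutions", "bittrex"}  # assumed watch list


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def message_text(msg):
    """Subject plus decoded body, the text a content analyzer would read."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return f"{msg.get('Subject', '')}\n{text}"


def has_attachment(msg):
    return any(part.get_filename() for part in msg.walk())


def auth_passes(msg):
    """True when SPF, DKIM and DMARC all report pass; a compromised account does."""
    hdr = str(msg.get("Authentication-Results", "")).lower()
    return all(f"{m}=pass" in hdr for m in ("spf", "dkim", "dmarc"))


def legacy_verdict(msg):
    """What an attachment-and-authentication gateway decides: nothing to flag here."""
    if has_attachment(msg):
        return "scan attachment"
    if not auth_passes(msg):
        return "block"
    return "deliver"


def behavioural_indicators(msg, known_senders):
    """Collect the indicators the page lists; known_senders holds addresses and
    domains the organisation has corresponded with before (assumed history)."""
    reasons = []
    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    if addr.lower() not in known_senders and domain not in known_senders:
        reasons.append(f"unknown sender {addr}: no prior correspondence with address or domain")
    if display.strip().lower() in IMPERSONATED_NAMES:
        reasons.append(f"display name '{display}' names an impersonated party but mail comes from {domain}")
    text = message_text(msg)
    urgent = [t for t in URGENCY_TERMS if t in text.lower()]
    if urgent:
        reasons.append("urgency language: " + ", ".join(urgent))
    for url in re.findall(r"https?://[^\s<>\"')]+", text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"masked link via URL shortener: {url}")
    return reasons


def behavioural_verdict(msg, known_senders, threshold=3):
    """Flag when enough independent indicators co-occur (threshold is assumed)."""
    reasons = behavioural_indicators(msg, known_senders)
    return ("flag" if len(reasons) >= threshold else "deliver"), reasons


if __name__ == "__main__":
    msg = parse(SAMPLE_EMAIL)
    print("legacy gateway:", legacy_verdict(msg))
    verdict, reasons = behavioural_verdict(msg, known_senders={"statements@bank.example"})
    print("behavioural analysis:", verdict)
    for reason in reasons:
        print(" -", reason)
```

Run as a script, the legacy path returns "deliver" because the authentication results are genuine and there is nothing to scan, while the behavioural path returns "flag" with four separate reasons. The point is not the word lists, which are trivial to evade individually, but that each indicator is independent of the others, so the attacker must defeat all of them while the legacy checks are defeated by a single compromised mailbox.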

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type

Credential Phishing

Vector

Link-based

Goal

Credential Theft

Tactic

External Compromised Account
Masked Phishing Link

Theme

Cryptocurrency
Financial Services

Impersonated Party

External Party - Other

Impersonated Brands

Bittrex
