Threat Actor Exploits BlockFi Shutdown to Steal User Credentials in Likely AI-Generated Phishing Attack
In this likely AI-generated phishing attack, cybercriminals impersonate BlockFi, a now-defunct cryptocurrency exchange that shuttered on May 31, 2024. Using a spoofed email address, the attacker falsely claims that BlockFi is allowing former users to access and withdraw their remaining balances. The message, which features impersonated BlockFi branding, instructs the recipient to use the provided link to “ensure [their] wallet is correctly set up to receive these transactions”. However, should the target click on the button labeled “Access Now”, they will be redirected to a phishing site designed to steal sensitive information and potentially compromise cryptocurrency holdings. By mimicking official BlockFi communications and leveraging the urgency surrounding fund withdrawals, the attacker seeks to deceive recipients into handing over valuable financial information.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed address, uses legitimate links in the message, and contains no attachments. Modern AI-powered email security solutions recognize that the sender is unknown to the recipient, detect links to suspicious domains, and flag the mismatch between the sender’s name and domain name to correctly identify the email as an attack.
To stay protected, users should verify any notifications related to digital assets directly through official channels and avoid clicking on links in unsolicited emails. Organizations and individuals should also prioritize security awareness training and implement advanced email security tools to mitigate the risks posed by increasingly sophisticated phishing scams.

Malicious email posing as notification from now-defunct cryptocurrency exchange
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks because of their legitimate structure.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
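The three signals listed above (unknown sender, suspicious link, sender name/domain mismatch) and the evasion points in the previous section (spoofed address, legitimate-looking links, no attachment) can be illustrated with a small header-and-body analysis routine. The following is an added example written for this page; it is not Abnormal's code and does not reproduce their proprietary detection. It assumes a constructed communication history, a constructed pair of sample messages, and that blockfi.com is the brand's legitimate domain, so that a lookalike domain carrying the brand name is treated as suspicious while a link to the real domain is not.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the attack described above
# (hypothetical addresses and domains, not the real phishing email).
PHISH_EMAIL = """\
From: BlockFi Support <notice@blockfi-wallet-recovery.example>
To: user@corp.example
Subject: Action required: withdraw your remaining BlockFi balance
Content-Type: text/plain; charset=utf-8

Former BlockFi users may now withdraw remaining balances.
Ensure your wallet is correctly set up to receive these transactions:
https://blockfi-wallet-recovery.example/access-now
Questions? See https://www.blockfi.com/help
"""

# Constructed benign message from a known correspondent, for contrast.
BENIGN_EMAIL = """\
From: Alice <alice@corp.example>
To: user@corp.example
Subject: lunch
Content-Type: text/plain; charset=utf-8

See you at noon. Background reading: https://www.blockfi.com/help
"""

# Constructed communication history: addresses each recipient has exchanged mail with.
KNOWN_SENDERS = {
    "user@corp.example": {"alice@corp.example", "billing@vendor.example"},
}

# Brand keywords an impersonator may put in the display name or a link host,
# mapped to the domains that legitimately carry them (assumed for the example).
BRAND_DOMAINS = {
    "blockfi": {"blockfi.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude eTLD+1 approximation: the last two labels of the host name."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def body_text(msg):
    """Concatenate the text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw, history=KNOWN_SENDERS, brands=BRAND_DOMAINS):
    """Return the behavioural indicators found in one message and a verdict."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    sender_domain = registrable_domain(sender.split("@")[-1])
    indicators = []

    # 1. Unknown sender: this pair of addresses has no prior interaction.
    if sender.lower() not in history.get(recipient, set()):
        indicators.append("unknown_sender")

    # 2. Display name / domain mismatch: the name claims a brand whose
    #    legitimate domains do not include the sending domain.
    for brand, domains in brands.items():
        if brand in display_name.lower() and sender_domain not in domains:
            indicators.append("display_name_domain_mismatch")
            break

    # 3. Suspicious links: a link host that embeds a brand keyword but is not
    #    one of that brand's domains is a lookalike; genuine brand links pass.
    suspicious = []
    for url in URL_RE.findall(body_text(msg)):
        dom = registrable_domain(urlparse(url).hostname or "")
        if any(b in dom and dom not in brands[b] for b in brands):
            suspicious.append(url)
    if suspicious:
        indicators.append("suspicious_link")

    verdict = "block" if len(indicators) >= 2 else "review" if indicators else "allow"
    return {"indicators": indicators, "suspicious_links": suspicious, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(sample))
```

The sample phishing message trips all three indicators even though it carries no attachment and includes a link to the genuine brand domain, which is exactly the combination that attachment- and reputation-centric filters miss; the benign message from a known correspondent produces none. A production system would replace the constructed history with real sender/recipient baselines and the two-label domain approximation with a public-suffix list.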
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.