The spam campaign came in two waves, and of the 12,000 messages detected by SaaS vendor Proofpoint, the overwhelming majority were sent to email addresses belonging to members of organizations in a variety of industries (education, finance, tech, media, etc.).
The attackers impersonated Blockchain, a popular Bitcoin wallet service, and claimed that someone located in China tried to access the recipient's wallet account.
According to the email, the attacker used the correct password, but the company blocked the access because of its suspicious nature, and the recipient is urged to reset their password.
Unfortunately, the "Reset password now" button embedded in the email led to a spoofed Blockchain login page, and any login credentials entered and submitted there went directly into the hands of the phishers. The victims were then shown an error message to keep them from becoming suspicious.
The crooks can then use the compromised credentials to empty the victims' wallets, and there is little to no chance the victims will ever get their money back.
The most interesting thing about this particular campaign is its unexpected success: 2.7% of recipients clicked on the link, which is much higher than the percentage of Bitcoin users in the general population. Obviously, non-Bitcoin users were intrigued as well.
"This simple but effective phishing campaign demonstrates that security professionals cannot afford to discount any phishing emails, even consumer-based messages that do not appear to be relevant to their end users, because effective lures attract clicks even from users who should have no reason to click," Proofpoint experts noted.
"A more sophisticated, 'multi-variant' version of this campaign could have a much greater impact, enabling attackers to target clicking users with malware, Trojans, corporate credential phish, spam or other threats."