The ASEC analysis team has confirmed that a scam mail with the purpose of stealing Bitcoins is being distributed in Korea. The mail contains information about depositing Bitcoins. When users click the malicious URL in the mail, they are redirected to a scam website.
As seen below, the scam mail is distributed with the title ‘Bitcoin Payment’ and a sender disguised as Admin Support. The mail body claims that 25 BTC ($1,184,081.00 USD) was deposited in the portfolio management website (www.fortcoin[.]net/signin) as requested, and it also contains the registered customer ID and password.
The scam website (www.fortcoin[.]net) is disguised as a Bitcoin portfolio management service that supposedly offers wallet management, deposit & withdrawal, and interest acquisition for each portfolio.
Upon accessing the website address displayed in the mail (www.fortcoin[.]net/signin), the user sees the login page shown below.
When the user logs in with the ID and password provided, the website shows a message saying that the user needs to change the password and receive an OTP for security reasons.
If the user changes the password, on subsequent logins the user continues from the previous session with the same ID and the changed password, as if an exclusive account had been assigned by the verification server. The reason for using such a verification system appears to be to easily identify a certain group of users who share the same customer ID. (* Each guest ID has a different amount of Bitcoin deposited in the portfolio.)
Afterward, the website requires the user to enter a cellphone number to receive an OTP. If the SMS method is selected, the following code is sent as a text message.
If a contact number has been used for the verification even once, the message ‘cannot communicate with this contact number’ appears. It appears that the attacker identifies users through the SMS verification method.
If the user enters the OTP code sent to the mobile phone, a message saying that the ‘account is protected and future communication will be carried out via messaging’ is shown.
1. First Hole – Portfolio Creation Page
The first hole created by the attacker is the portfolio creation page. It prompts the user to create an account and deposit Bitcoin on the grounds that any amount of Bitcoin can be deposited for 3, 6, or 12 months and that the website pays interest based on the duration.
* savePro is a feature that limits the minimum withdrawal amount of the portfolio.
– 3% interest rate for depositing for 3 months
– 10% interest rate for depositing for 6 months
– 25% interest rate for depositing for 12 months
On the deposit page, the minimum deposit amount is 0.0005 BTC. When the user selects the created portfolio, enters 0.0005 BTC or more, and clicks the Deposit Now button, a new Bitcoin wallet address is generated each time, as seen below.
The customer can actually look up the address in a Bitcoin blockchain explorer. The private key of the created wallet is presumably held by the attacker, who likely uses it to steal the deposited Bitcoin.
2. Second Hole – Premade Fake Portfolio
For the customer ID used to log in, a Portfolio 2 has already been created with 25 BTC on a 12-month deposit. The user can view the artificially managed portfolio history on the website’s transaction page.
The second hole created by the attacker is this fake Portfolio 2 that was made in advance. If the user attempts to withdraw 25 BTC, a message appears saying that ‘the initial withdrawal amount is 0.0001 BTC and you can withdraw the rest after the first withdrawal is complete’.
When the user enters the private Bitcoin wallet address to which the amount will be sent and withdraws 0.0001 BTC, the attacker sends 0.0001 BTC, usually within a day, from a wallet assumed to be the attacker’s (bc1qt80xra3r2df8gvzr0pu8vce98ltk6zxlr3fx9z).
(* However, the user can no longer withdraw with the phone number that was used before.)
If the user attempts to withdraw the remaining amount (24.9999 BTC), a message appears saying that the minimum withdrawal amount was changed to 25.006 BTC because savePro is enabled, prompting the user to deposit 0.0061 BTC to meet the requirement. This amount is more than 60 times what the attacker paid in advance (0.0001 BTC).
As seen above, the attacker employs a devious method of paying a small amount in advance to deceive users and receive much more in return. Users should take care not to click attached files or URLs in mails from unknown sources.
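One defender-side use of the mail traits described above, as an added example that is not part of the ASEC post: a Python triage heuristic that scores an inbound mail on the ‘Bitcoin Payment’ subject, the ‘Admin Support’ display name, the deposit-claim-plus-plaintext-credentials pattern, and links to the scam domain (refanged from the post’s defanged form). The sample mail and the sender address are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators from the post; the defanged domain is refanged here for matching.
KNOWN_SCAM_DOMAINS = {"www.fortcoin.net", "fortcoin.net"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
BTC_CLAIM_RE = re.compile(r"\b\d+(?:\.\d+)?\s*BTC\b", re.IGNORECASE)
CRED_RE = re.compile(r"\b(?:customer\s*id|user\s*id|password)\s*[:=]", re.IGNORECASE)

# Constructed sample mail modelled on the scam mail described in the post.
SAMPLE_MAIL = """\
From: Admin Support <support@sender.invalid>
Subject: Bitcoin Payment
Content-Type: text/plain

25 BTC ($1,184,081.00 USD) was deposited in your portfolio as requested.
Sign in at http://www.fortcoin.net/signin
Customer ID: guest1234
Password: Welcome1!
"""


def body_text(msg):
    """Join the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_mail(raw_mail):
    """Score a raw RFC 822 mail 0-4 against the scam traits; reasons list each hit."""
    msg = message_from_string(raw_mail)
    text = body_text(msg)
    reasons = []
    if "bitcoin payment" in (msg.get("Subject") or "").lower():
        reasons.append("subject: Bitcoin Payment")
    if "admin support" in (msg.get("From") or "").lower():
        reasons.append("sender display name: Admin Support")
    if BTC_CLAIM_RE.search(text) and CRED_RE.search(text):
        reasons.append("deposit claim plus plaintext credentials in body")
    domains = sorted({(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)})
    hits = [d for d in domains if d in KNOWN_SCAM_DOMAINS]
    if hits:
        reasons.append("known scam domain: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons, "domains": domains}
```

A score of 3 or more on a real gateway would be a reasonable threshold to quarantine for review; the domain set is the place to feed further indicators.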