Scam Mail Prompting Bitcoin Deposit Being Distributed

The ASEC analysis team has confirmed that a scam mail designed to steal Bitcoin is being distributed in Korea. The mail claims that a Bitcoin deposit has been made on the recipient's behalf. When users click the malicious URL in the mail, they are redirected to a scam website.

As seen below, the scam mail is distributed with the title ‘Bitcoin Payment’ and a sender disguised as ‘Admin Support’. Inside the mail is a message saying that 25 BTC ($1,184,081.00 USD) was deposited in the portfolio management website (www.fortcoin[.]net/signin) as requested. The message also contains a registered customer ID and password.

Figure 1. Phishing mail details

The scam website (www.fortcoin[.]net) is disguised as a Bitcoin portfolio management service and claims to provide per-portfolio services including wallet management, deposit & withdrawal, and interest accrual.

Figure 2. Provided services
Figure 3. Website characteristics

Upon accessing the website (www.fortcoin[.]net/signin) given in the mail, the user sees the login page shown below.

Figure 4. Login Page

When the user logs in with the ID and password provided in the mail, the website shows a message saying that, for security reasons, the user needs to change the password and set up OTP.

Figure 5. Message requesting to change password and receive OTP
Figure 6. Webpage for changing password

Once the password has been changed, subsequent logins with the same ID and the new password resume the previous session, as if the verification server had assigned the user a dedicated account. This verification scheme appears to exist so that the attacker can easily keep track of the group of users sharing the same customer ID. (* Each guest ID has a different amount of Bitcoin deposited in its portfolio.)

Afterward, the website requires the user to enter a mobile phone number to receive the OTP. If the SMS method is selected, the code shown below is sent as a text message.

Figure 7. OTP registration page
Figure 8. OTP verification code received

If a phone number has already been used for verification, even once, a message saying ‘cannot communicate with this contact number’ is shown. It appears that the attacker uses the SMS verification step to identify individual users.

Figure 9. Communication error message for number that was already used

When the user enters the OTP code sent to the mobile phone, a message saying that the ‘account is protected and future communication will be carried out via messaging’ is shown.

Figure 10. Message saying account protection is complete

1. First Hole – Portfolio Creation Page

The first hole created by the attacker is the portfolio creation page. It prompts the user to create an account and deposit Bitcoin on the premise that any amount of Bitcoin can be deposited for 3, 6, or 12 months and that the website pays interest according to the duration.

* savePro is a feature that imposes a minimum withdrawal amount on the portfolio.

– 3% interest rate for depositing for 3 months

– 10% interest rate for depositing for 6 months

– 25% interest rate for depositing for 12 months

Figure 11. Portfolio creation page

On the deposit page, the minimum deposit amount is 0.0005 BTC. When the user selects the created portfolio, enters 0.0005 BTC or more, and clicks the Deposit Now button, a new Bitcoin wallet address is generated each time, as seen below.

Figure 12. Deposit page-1
Figure 13. Deposit page-2

The generated address can actually be looked up in a Bitcoin blockchain explorer. The private key of the generated wallet is presumably held by the attacker, who can then take any Bitcoin deposited to it.

Figure 14. Bitcoin address found in Blockchain Explorer

2. Second Hole – Premade Fake Portfolio

For the customer ID used to log in, a Portfolio 2 holding 25 BTC on a 12-month deposit already exists. The user can view the artificially generated history of this portfolio on the website’s transaction page.

Figure 15. Fake Portfolio 2
Figure 16. Artificial Portfolio 2 history

The second hole created by the attacker is the fake Portfolio 2 that was made in advance. If the user attempts to withdraw the 25 BTC, a message appears saying that ‘the initial withdrawal amount is 0.0001 BTC and you can withdraw the rest after the first withdrawal is complete’.

Figure 17. Fake Portfolio 2 withdrawal page

When the user enters their own Bitcoin wallet address to receive the funds and withdraws 0.0001 BTC, the attacker usually sends 0.0001 BTC within a day from a wallet presumed to be the attacker’s (bc1qt80xra3r2df8gvzr0pu8vce98ltk6zxlr3fx9z).
(* However, the user can no longer withdraw with the phone number that was used before.)

Figure 18. 0.0001 BTC deposited as found in Blockchain Explorer

If the user then attempts to withdraw the remaining amount (24.9999 BTC), a message appears saying that the minimum withdrawal amount has been changed to 25.006 BTC because savePro is enabled, prompting the user to deposit 0.0061 BTC to meet the requirement. This amount is 60+ times the amount the attacker paid in advance (0.0001 BTC).

Figure 19. Message limiting withdrawal-1
* Minimum withdrawal limit is 25.006 BTC
Figure 20. Message limiting withdrawal-2
* Attacker demanding deposit of 0.0061 BTC

As seen above, the attacker employs a devious method of paying a small amount in advance to win the user’s trust and then collecting much more in return. Users should be careful not to open attachments or click URLs in mails from unknown sources.

[Relevant IOC Info]
– hxxps://fortcoin[.]net/signin
– bc1qt80xra3r2df8gvzr0pu8vce98ltk6zxlr3fx9z
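One way to put the IOC list above to use on the defender’s side, as an added example that is not part of the ASEC post: a small Python scanner that pulls hostnames and bech32 Bitcoin addresses out of a mail body, refangs the published indicators, and reports any overlap. The sample mail below is constructed for the example; only the two indicators come from the post, and the scanner would be extended with an organisation’s own IOC feed in practice.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the ASEC post, kept in their defanged form.
PUBLISHED_IOCS = [
    "hxxps://fortcoin[.]net/signin",
    "bc1qt80xra3r2df8gvzr0pu8vce98ltk6zxlr3fx9z",
]

# Mainnet bech32 addresses: "bc1" followed by the bech32 charset
# (no '1', 'b', 'i', 'o'); 42 chars for P2WPKH, 62 for P2WSH.
BECH32_ADDR_RE = re.compile(r"\b(?:bc1|BC1)[ac-hj-np-z02-9AC-HJ-NP-Z]{11,71}\b")
# URLs with a live or defanged scheme, or a bare "www." host as used in the mail.
URL_RE = re.compile(r"""(?:h(?:tt|xx)ps?://|www\.)[^\s<>"'()]+""", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging so indicators can be compared with live content."""
    return (value.replace("hxxp", "http")
                 .replace("[.]", ".")
                 .replace("(.)", ".")
                 .replace("[:]", ":"))


def host_of(url: str) -> str:
    """Hostname of a (possibly scheme-less, possibly defanged) URL, 'www.' stripped."""
    url = refang(url).rstrip(".,;:!?")
    if "://" not in url:
        url = "http://" + url          # let urlsplit parse a bare www.host/path
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def split_iocs(iocs):
    """Sort indicators into hostnames and Bitcoin addresses."""
    hosts, addrs = set(), set()
    for ioc in iocs:
        if BECH32_ADDR_RE.fullmatch(ioc):
            addrs.add(ioc.lower())
        else:
            hosts.add(host_of(ioc))
    return hosts, addrs


def scan_mail(text: str, iocs=PUBLISHED_IOCS) -> dict:
    """Extract hosts and Bitcoin addresses from a mail body and flag IOC hits."""
    ioc_hosts, ioc_addrs = split_iocs(iocs)
    hosts = {host_of(m.group(0)) for m in URL_RE.finditer(text)}
    hosts.discard("")
    addrs = {m.group(0).lower() for m in BECH32_ADDR_RE.finditer(text)}
    hits = sorted((hosts & ioc_hosts) | (addrs & ioc_addrs))
    return {"hosts": sorted(hosts), "addresses": sorted(addrs), "ioc_hits": hits}


# Constructed sample mail modelled on the lure described in the post (not a real capture).
SAMPLE_MAIL = """\
Subject: Bitcoin Payment
From: Admin Support <admin@example.invalid>

25 BTC ($1,184,081.00 USD) was deposited to your portfolio as requested.
Sign in at www.fortcoin[.]net/signin with the customer ID and password below.
Your first withdrawal was sent from bc1qt80xra3r2df8gvzr0pu8vce98ltk6zxlr3fx9z.
"""

if __name__ == "__main__":
    print(scan_mail(SAMPLE_MAIL))
```

Both the mail body and the IOC list go through the same refang step, so the scanner matches whether the lure carries a live link or a defanged one that was pasted into a ticket. Matching is done on hostnames rather than full URLs so that a changed path (for example a different sign-in page on the same domain) still produces a hit.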

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories: Malware Information
