Victims are led to believe that they've received a wallet containing 30 BTC

Jan 9, 2014 13:38 GMT

Over the past few days, many users have reported on BitcoinTalk that they have received suspicious emails designed to steal their Bitcoins. Security researchers at LogRhythm have analyzed the attack and published details.

According to LogRhythm, the attack starts with an email carrying the subject line “Wallet Backup.” The emails read something like this:

“Hello David…

I just did what you advised me to do but the problem remains the same: importing the private key is not working…. drives me nuts!

Last time I checked blockchain.info there was still 30.28020001 BTC ! But no way my bitcoinqt client loads the key so I am stuck with those BTCs.

Thanks for offering your help with this. Here is my wallet.dat with the password [shortened URL]. If you need anything else let me know. If you can load the key please send the BTCs to 1DxFvJ6up9jXAZ9pkUmWVdiMTWvsjgB5Ea

This would help me so much. Thanks David!”

The link leads to a website set up to serve an archive named “backup.zip.” The archive contains several files, but only two of them are visible when it is opened: Password.txt.lnk and wallet.dat. Password.txt.lnk is a Windows shortcut, and Explorer hides the .lnk extension by default, so to the victim it appears to be an ordinary text file named Password.txt.

When the shortcut is double-clicked, it opens a Notepad document containing what looks like a password while, at the same time, launching a malicious executable in the background.

The malware then waits for the victim to open his or her Bitcoin wallet with the Bitcoin-Qt client. While victims believe they are about to gain access to 30 BTC, in reality their own wallets are being emptied.
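As an added example (this is not code from the article or from LogRhythm's analysis), the following Python script checks a zip archive for the two tell-tale signs of the lure described above: entries carrying the Windows hidden attribute, and a .lnk shortcut disguised behind a document extension. It also verifies that a file named .lnk really carries the Shell Link header and reads the LinkFlags field to see whether the shortcut passes command-line arguments, which a shortcut to a plain text file has no reason to do. The sample archive and every file name and content in it are constructed here for illustration; no real malware is involved.

```python
import io
import zipfile

# MS-DOS attribute bits that Windows archivers store in the low 16 bits of
# a zip entry's external_attr. Archives created on Unix usually leave them 0.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# Extensions that run code when double-clicked in Explorer.
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions a user expects to open harmlessly; used to spot "Password.txt.lnk".
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".dat"}

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID encoding.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
LNK_FLAG_HAS_ARGUMENTS = 0x20  # LinkFlags bit: shortcut carries command-line arguments


def is_hidden(info: zipfile.ZipInfo) -> bool:
    """True if the entry carries the DOS hidden or system attribute."""
    return bool((info.external_attr & 0xFFFF) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def split_extensions(name: str) -> list[str]:
    """'dir/Password.txt.lnk' -> ['.txt', '.lnk'] (lower-cased, in order)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def looks_like_shell_link(data: bytes) -> bool:
    return data[:20] == LNK_MAGIC


def lnk_flags(data: bytes) -> int:
    """LinkFlags field at offset 20 of a Shell Link, or 0 if not a shell link."""
    return int.from_bytes(data[20:24], "little") if looks_like_shell_link(data) else 0


def scan_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {entry name: [reasons]} for every suspicious entry in the archive."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = split_extensions(info.filename)
            if is_hidden(info):
                reasons.append("hidden attribute set (not shown by Explorer by default)")
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {exts[-1]}")
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                    reasons.append(f"double extension: masquerades as {exts[-2]}")
            data = zf.read(info)
            if exts and exts[-1] == ".lnk":
                if not looks_like_shell_link(data):
                    reasons.append("named .lnk but lacks a Shell Link header")
                elif lnk_flags(data) & LNK_FLAG_HAS_ARGUMENTS:
                    reasons.append("shortcut passes command-line arguments (odd for a link to a text file)")
            elif looks_like_shell_link(data):
                reasons.append("Shell Link header under a non-.lnk name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the layout described in the article.
    All names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut with a genuine header and HasArguments set; body is padding.
        lnk = LNK_MAGIC + LNK_FLAG_HAS_ARGUMENTS.to_bytes(4, "little") + b"\x00" * 52
        zf.writestr("Password.txt.lnk", lnk)
        zf.writestr("wallet.dat", b"not a real wallet")
        hidden = zipfile.ZipInfo("hidden_payload.exe")  # hypothetical name
        hidden.create_system = 0  # record MS-DOS/Windows origin
        hidden.external_attr = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        zf.writestr(hidden, b"MZ" + b"\x00" * 30)
        zf.writestr("Password.txt", b"hunter2")  # the decoy the shortcut displays
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed archive, the scan flags Password.txt.lnk (executable extension, double extension, arguments present) and hidden_payload.exe (hidden attribute, executable extension), and leaves wallet.dat and Password.txt alone. The hidden-attribute check only means something for archives produced on Windows; a Unix-built zip keeps the DOS attribute bits at zero, so treat it as one signal among several rather than a sole verdict.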

LogRhythm has determined that the shortened URL has been clicked by at least 1,674 people. Most of the victims of this attack are located in the United States.

For additional technical details on this attack and the malware, check out the company’s blog.