Investing in Bitcoin? You're not alone. Tons of people are. Hackers have noticed and are leveraging it to start attacking end-users. 

This malicious email, which was missed by ATP but stopped by Avanan, looks like it to come from PayPal, but it’s actually from a malicious .xyz domain.

It looks like this:


The objective of this attack is to get the victim worried that someone hacked their account and made an unauthorized Bitcoin purchase. The victim is then expected to call the provided support phone number or email the fake support email. Once the victim calls the number, they are presented with a foreign call center that the attackers are using to further exploit the victim.

The attacker obfuscated this attack by sending the keywords PayPal and Bitcoin in non-ASCII characters to fool traditional email security products. The attacker also encoded pictures in this email would cause normal API security vendors to skip checking this file because the decoding process is too resource intensive. Finally, this attack email had missing/invalid DKIM and DMARC signatures.

Subscribe to Our Attack Briefs for More Research