Over the past few days, many Bitcoin owners have reported on BitcoinTalk that they received suspicious emails designed to steal their Bitcoins. Security researchers have analyzed the attack and provided more details.
According to LogRhythm, the attack begins with an email message with the subject "Wallet Backup." The message reads:
“Hi David
I did exactly what you told me to do, but the problem remains: importing the private key does not work and it's crazy!
Last time I looked, blockchain.info still showed 30.28020001 BTC in my account. But the bitcoinqt client doesn't load the key, so I can't access my BTCs.
Thanks for your help. I am sending you the wallet.dat with my password [abbreviated address URL]. If you need anything else let me know. If you can finally enter the key, send me the BTC to the account: 1DxFvJ6up9jXAZ9pkUmWVdiMTWvsjgB5Ea
You will help a lot. Thanks David! ”
The link leads to a website set up to serve a single archive named "Backup.zip." The archive contains several files, but only two of them are visible when it is opened: Password.txt.lnk and wallet.dat. The rest carry the hidden attribute, so Windows Explorer does not list them by default.
Password.txt.lnk is a Windows shortcut, not a text file. Explorer never displays the .lnk extension (this is independent of the "hide extensions for known file types" setting), so the victim sees only "Password.txt". When the shortcut is opened, a text file containing a password does appear, but in the background the shortcut has launched a malicious executable.
The malware then waits for the victim to open their own wallet with the Bitcoin-Qt client. Victims who believe they are about to get their hands on 30 BTC instead have their own wallets emptied.
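The two tricks in the archive, an executable shortcut wearing a document-style double extension and payload files marked hidden so the file manager does not list them, are both visible in the zip's central directory before anything is extracted. The following Python script is an added example written for this article, not code from LogRhythm or from the attack itself; it builds a constructed archive with the same layout as the reported Backup.zip (the visible entry names come from the report, the hidden entry names and all contents are placeholders chosen here) and then triages it by reading each entry's DOS attribute bits and extension.

```python
import io
import zipfile

# DOS/Windows file attribute bits live in the low byte of ZipInfo.external_attr.
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04

# File types that Windows will execute on double-click; these are the ones
# worth flagging when they hide behind a document-looking name.
EXEC_EXTENSIONS = {".lnk", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def triage_archive(data: bytes) -> dict:
    """Inspect a zip archive held in memory and report what a victim would see.

    Returns a dict with the entries Explorer would list ("visible"), the ones it
    would not ("hidden") and a list of human-readable warnings.
    """
    findings = {"visible": [], "hidden": [], "warnings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            dos_attrs = info.external_attr & 0xFF
            if dos_attrs & (DOS_HIDDEN | DOS_SYSTEM):
                findings["hidden"].append(name)
            else:
                findings["visible"].append(name)

            # Split the base name on dots: "Password.txt.lnk" -> [password, txt, lnk]
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTENSIONS and len(parts) >= 3:
                findings["warnings"].append(
                    f"{name}: executable type '{ext}' disguised with a double extension")
            elif ext in EXEC_EXTENSIONS:
                findings["warnings"].append(f"{name}: executable type '{ext}'")

    if findings["hidden"]:
        findings["warnings"].append(
            f"{len(findings['hidden'])} entries carry the hidden/system attribute "
            "and will not be shown by default")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample that mimics the reported layout; not the real Backup.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The two entries the victim sees (names taken from the report, contents fake).
        zf.writestr("Password.txt.lnk", b"placeholder, not a real shortcut")
        zf.writestr("wallet.dat", b"placeholder, not a real wallet")
        # Hypothetical hidden companions: names and contents are invented here.
        for hidden_name in ("hidden_payload.exe", "extra.dat"):
            info = zipfile.ZipInfo(hidden_name)
            info.external_attr = DOS_HIDDEN  # set the DOS hidden bit
            zf.writestr(info, b"placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print("visible:", result["visible"])
    print("hidden: ", result["hidden"])
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

The check deliberately looks only at archive metadata, so it can run on a mail gateway or sandbox without extracting anything. It does not parse the shortcut's target; a real .lnk from the wild should be inspected with a dedicated LNK parser to recover the command line it launches.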
LogRhythm found that the shortened URL had been visited by at least 1,674 people. Most of the victims of this attack are in the United States.
For more technical details about the attack and the malware used by the attackers, see the LogRhythm blog.