Bitcoin Scam Spoofing BBC News

Scam

A slightly different scam to report on this weekend. I received a message from a concerned party asking me to look at an email and link to see whether they might have been infected or compromised.
Their message reads

From: Roger:  sally@<redacted>.co.uk
Subject: Fake invoice link
Message Body:
From: Roger:  sally@<redacted>.co.uk
I was expecting an invoice from a roofing company. I got an email from them – no attachment but a button saying “Display message”.
Without thinking (!) I clicked on it and it opened a web page with a box saying “Enter password”. I didn’t do any more but I’m now left wondering whether my Mac (or PC on same network) has been infected. (Sophos doesn’t find anything though).
I’ve give the target URL for the email button below together with a .eml file for the email.
http://login.mobilesecure-mail.host/5c24d32e7205a21424913768?-Ormz3M=&zldKGsCL=IDA7zZe3zt8&-Ormz3M=#RANDOM_7#
redacted-email.eml

The email they received looks like this and will display nothing in Outlook. The source code in the box shows that the “Display Message ” button will be hidden for outlook users, but should display for anyone not using outlook.

scam email

The link behind the Display Message ” button or for me by finding the link in the source code is to http://login.mobilesecure-mail.host/5c24d32e7205a21424913768?-Ormz3M=&zldKGsCL=IDA7zZe3zt8&-Ormz3M= Which will redirect you to a fake BBC news site https://business-news.bbc-1.site/landers/bbc-business-news/#forward .

I didn’t see any login or password page, in the way described in the initial message. However it is possible that some IP ranges will get a phishing site involving a login or even malware delivered. But I think in this case that the recipient was using a Mac computer which does have different settings to windows. I frequently see complaints about Macs where redirects or some secure sites don’t work as expected. I think that has happened in this case & instead of being redirected several times on login.mobilesecure-mail.host, they have been directed to a login page thinking that it is the criminal trying to login & change something
The fake BBC site looks like

Fake BBC news Bitcoin scam site

And when you click on any link you get redirected to the bitcoin scam site https://thesecureoffer.com/bitcointraderc/ < loads of numbers and characters that are the affiliate code for the scumbag behind this scam >

Bitcoin scam site

The Fake BBC site is behind cloudflare who responded quickly as usual to my report & set up an immediate interstitial page warning of phishing or scam, so hopefully reducing the numbers of potential victims for this scam
In case the scam, spoofed BBC site gets taken down quickly ( hopefully) you can see the entire chain on https://app.any.run/tasks/f262988c-b86e-4fcf-8d07-17722c6f8a9c
IOC
https://thesecureoffer.com/bitcointraderc/
http://login.mobilesecure-mail.host/5c24d32e7205a21424913768?-Ormz3M=&zldKGsCL=IDA7zZe3zt8&-Ormz3M=
https://business-news.bbc-1.site/landers/bbc-business-news/#forward

Total
0
Shares
Leave a Reply

Your email address will not be published.

Related Posts