I  am seeing a bitcoin phishing scam campaign this morning hosted on Microsoft Azure/windows.net. The emails pretend to come from your own email address and are addressed to the same email address.

All hosting companies get abused and used for malware, scams and phishing. Recently Microsoft Azure Hosting seems to be the flavour of the month.

It is not helped by the fact that Microsoft make it overly complicated to report these scams, malware or phishing via the  https://portal.msrc.microsoft.com/en-us/engage/cars where you  have to give loads of details.  Using the very simple  report to Microsoft form on https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site is just about a waste of time, because there is no joined up thinking on Microsoft. Using this form will help to get the website detected & blocked in Windows Defender and other Microsoft security tools, but does nothing to get the offending websites taken down. I frequently see comments on Twitter and in private forums from analysts working for the various Microsoft Security teams that even they have problems getting these scam and malware sites taken down on Azure / Windows.net hosting.

Creating an Azure blob or website is an automatic procedure that happens almost instantly. Why can’t the removal also be automatic and very, very quick. If a site hosted by Microsoft is detected by Windows Defender  as malicious, then that site should automatically be removed from public access. The Microsoft Security Analyst or automatic procedure that adds the sites to Defender/ Smart Screen should also be able to instantly remove public access to the sites. The manual methods currently used where sites are reported and frequently take anything up to 10 days or even longer to be removed is totally unacceptable for an organisation the size of Microsoft.

While on one hand Microsoft has made massive improvements in security over recent years, especially with Windows 10, Windows Defender and Microsoft Security Intelligence, they still need to join everything up. It is almost like there are numerous different competing companies all using the Microsoft name and they don’t talk to each other.

Several other researchers have noticed an increase in phishing emails saying that you need to upload photo ID to Bank, Paypal, Bitcoin, in fact almost anything that can be phished. While there are some completely stupid, irresponsible  companies that insist on copies of photo ID, in general you should never need to upload any sort of documents or identity proof in response to an email.

You can now submit suspicious sites, emails and files via our Submissions system

Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.

The email looks like:

From: Bitcoin <recipient@victimsdomain.com>

Date: Tue 11/06/2019 02:29

Subject: Verify your identity recipient

Body content:

Verify your identity
To prevent identity theft or fraud, you’ll need a photo ID to make sure it’s really you.
You’re just a few minutes away from buying crypto.

Get verified

© Coinbase 2019
548 Market Street #23008
San Francisco, CA 94104, United States

Screenshot:

 

 

If you follow the link in the email  you see a webpage looking like this: https://mailbitcoinwallet.z13.web.core.windows.net/   complete with valid Microsoft SSL certificate.

If you enter a bitcoin wallet address and a password ( I used the wallet address from one of the numerous sextortion scams we see daily) then you get sent on to your email address and password

 

 

Then you get sent to the genuine blockchain.com website

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

 

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.

email headers:

IP	Hostname	City	Region	Country	Organisation
188.209.52.21	hosted-by.blazingfast.io			NL	AS49349 Dotsi, Unipessoal Lda.
127.0.0.1	Local IP

 

Received: from [188.209.52.21] (port=46124 helo=system5.localdomain)
	by my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.92)
	(envelope-from <recipient@victimsdomain.com>)
	id 1haVbJ-0007P7-HY
	for recipient@victimsdomain.com; Tue, 11 Jun 2019 02:29:25 +0100
Received: from system5.localdomain (localhost [127.0.0.1])
	by system5.localdomain (8.14.4/8.14.4) with ESMTP id x5B1TPdW006671
	for <recipient@victimsdomain.com>; Tue, 11 Jun 2019 01:29:25 GMT
Received: (from root@localhost)
	by system5.localdomain (8.14.4/8.14.4/Submit) id x5B1TP8O006670;
	Tue, 11 Jun 2019 01:29:25 GMT
To: recipient@victimsdomain.com
Subject: Verify your identity recipient
X-PHP-Originating-Script: 0:mailer.php
Date: Tue, 11 Jun 2019 01:29:25 +0000
From: Bitcoin <recipient@victimsdomain.comk>
Message-ID: <bd0ef543c9c73e9a9e84146eb7a5afb5@system5.localdomain>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit