Threat analysts have uncovered a sophisticated, two-pronged malware campaign targeting victims both inside and outside of the crypto industry.

In a recent report, cyber intelligence firm Silent Push identified the PoisonSeed malware campaign, which initially targets the users of bulk email providers including Mailchimp and SendGrid.

A fake Mailchimp page generated as part of the PoisonSeed malware campaign.
A fake Mailchimp page generated as part of the PoisonSeed malware campaign. Image: Silent Push

In one case, a content creator was sent a fraudulent message that claimed their account had been restricted—and they were duped into providing their login details through a bogus but "pixel-perfect" website.

A fake SendGrid page generated as part of the PoisonSeed malware campaign.
A fake SendGrid page generated as part of the PoisonSeed malware campaign. Image: Silent Push

From here, their mailing lists are downloaded en masse, in a process that Silent Push describes as "extremely quick and likely automated."

The next step sees unsuspecting subscribers sent emails purporting to be from crypto exchange Coinbase, which claim that the exchange is "transitioning to self-custodial wallets."

A 12-word seed phrase is provided, which the victims of the scam are told to import into their account—but doing so would give malicious actors the freedom to drain all of the crypto out of their walletwallet.

A phishing email purporting to be from Coinbase.
PoisonSeed victims are sent a phishing email purporting to be from Coinbase. Image: Silent Push

One of the Mailchimp customers affected, Microsoft regional director Troy Hunt, said he received the phishing email when he was "really jet lagged and really tired," leaving him vulnerable.

Although the penny dropped that something wasn't right immediately after he entered his login details—and he promptly changed his password—the mailing list had already been exported.

"Reading it again now, that's a very well-crafted phish," Hunt wrote. "It socially engineered me into believing I wouldn't be able to send out my newsletter so it triggered 'fear,' but it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top."

Smartphone malware. Image: Shutterstock

Hackers Preloading Counterfeit Android Phones With Crypto-Stealing Malware: Kaspersky

That cheap smartphone may look like a steal—and it could well be, but not in the way you were hoping. Cheap counterfeit phones are now being sold preloaded with malware that targets unsuspecting Android users—stealing cryptocurrency, replacing phone numbers during calls, and hijacking their social media accounts. Cybersecurity company Kaspersky reported the novel technique for spreading the dangerous Triada trojan in a recent analysis. Since its discovery in 2016, Triada has evolved into one of...

NewsTechnology
3 min read
Vismaya V

Silent Push said that it is treating PoisonSeed as being distinct from two "loosely aligned threat actors" called Scattered Spider and CryptoChameleon—despite the fact these campaigns use similar phishing domains, and have targeted Coinbase and Ledger users in the past.

It's a sobering illustration that it isn't just consumers who need to be vigilant in the face of social engineering scams, but also content creators with large audiences for their newsletters.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Decrypt Learn Courses Complete
View on Walrus
Decrypt Learn Courses Complete
View on Walrus