As the price of bitcoin rises and public interest in cryptocurrency grows, cybercriminals are taking advantage of the opportunities this creates for them to trick potential victims and increase the profits they can make from their attacks.
Barracuda researchers recently analyzed phishing impersonations and business email compromise attacks sent between October 2020 and May 2021 and found that the volume of cryptocurrency-related attacks closely follows the growing price of bitcoin. The price of bitcoin increased by almost 400% between October 2020 and April 2021, and impersonation attacks grew 192% in the same period of time.
Here’s a closer look at the ways that attackers are using cryptocurrency in spear phishing, business email compromise, and ransomware attacks, as well as solutions to help you detect, block, and recover from them.
Cryptocurrency in email threats
Cryptocurrency is a type of currency that is available only in a digital format. Because of the decentralized nature of cryptocurrency and lack of regulation, it has become the currency of choice for cybercriminals.
Until very recently you couldn’t use cryptocurrency in the real world to pay for day-to-day goods. However, as some companies started to announce that they will accept payments in bitcoin, it generated more interest in cryptocurrency and started to drive its value up. Fueled by the news frenzy surrounding bitcoin, its price increased by almost 400% between October 2020 and April 2021. Cyberattacks quickly followed with impersonation attacks growing 192% in the same period of time.
Hackers use bitcoin to get paid in extortion attacks, where hackers claim to have a compromising video or information that will be released to the public if the victim does not pay to keep it quiet. While this scheme has been around for some time, as the price of bitcoin climbed, cybercriminals started to come up with more sophisticated schemes to cash in on bitcoin-mania.
Over the past eight months we have seen the number of phishing impersonations and business email compromise attacks related to cryptocurrency closely follow the increasing price of bitcoin. Hackers impersonated digital wallets and other cryptocurrency-related apps with fraudulent security alerts to steal log-in credentials. In the past, attackers impersonated financial institutions targeting your banking credentials. Today they are using the same tactics to steal valuable bitcoins.
Cybercriminals have also included bitcoin as part of their business email compromise attacks impersonating employees within an organization. They target and personalize these emails to get their victims to purchase bitcoin, donate them to fake charities, or even pay a fake vendor invoice using cryptocurrency.
We have also used Barracuda’s AI natural language processing capabilities to analyze the language used in cryptocurrency-related BEC attacks and determine key phrases and calls to action that hackers used to incite their victims. Similar to typical BEC attacks, cybercriminals will create a sense of urgency by using phrases like “urgent today” or before the “day runs” out. Their call to action is typically for their victim to go to the “nearest bitcoin machine.” They also play on their victims’ sentiments to request that a payment be made as a “charity donation,” making their victims believe they are doing a good thing.
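A small triage heuristic built from the phrases quoted above, as an added example (this is not Barracuda's detection model). The signal categories, the pattern variants marked as assumed, and the sample messages are constructed for illustration.

```python
import re

# Patterns taken from the phrases quoted in the article, plus variants
# marked "assumed" that a defender would tune against their own mail flow.
SIGNALS = {
    "urgency": [r"urgent\s+today", r"day\s+runs\s+out",
                r"\basap\b"],                                      # assumed
    "crypto_cta": [r"nearest\s+bitcoin\s+machine",
                   r"bitcoin\s+atm",                               # assumed
                   r"(buy|purchase|send)\s+(some\s+)?(bitcoin|btc)"],  # assumed
    "pretext": [r"charity\s+donation", r"vendor\s+invoice"],
}

def normalize(text):
    """Lowercase and collapse whitespace so phrases match across line wraps."""
    return re.sub(r"\s+", " ", text.lower())

def score_message(body):
    """Return (flagged, matched_categories) for one message body."""
    text = normalize(body)
    hits = sorted(cat for cat, pats in SIGNALS.items()
                  if any(re.search(p, text) for p in pats))
    # Mentioning bitcoin alone is common in legitimate mail. Flag only when a
    # crypto call to action co-occurs with urgency or a payment pretext.
    flagged = "crypto_cta" in hits and len(hits) >= 2
    return flagged, hits

# Constructed sample messages (not real traffic).
BEC_SAMPLE = ("Hi Dana, I'm stuck in a meeting. This is urgent today.\n"
              "Please go to the nearest Bitcoin machine and send $2,000 as a charity\n"
              "donation before the day runs out. I'll reimburse you.")
NEWSLETTER = ("Market update: bitcoin rose again this week. Analysts expect "
              "more companies to accept it as payment.")
INVOICE_ONLY = "Urgent today: please review the attached vendor invoice and approve it."

if __name__ == "__main__":
    for name, body in [("bec", BEC_SAMPLE), ("newsletter", NEWSLETTER),
                       ("invoice", INVOICE_ONLY)]:
        print(name, score_message(body))
```

A phrase list like this only routes messages for review; sender authentication results and reply-to mismatches should feed the same decision.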
Cryptocurrency and ransomware
Due to the rapid growth in the perceived value of bitcoin, ransomware attacks are more damaging than ever. Cryptocurrency seems to be a perfect currency for criminal activity — it’s unregulated, difficult to trace, and increasing in value. All of this provided criminals with additional motivation to attack.
Digital transformation accelerated significantly in the past year as well, as more organizations and employees were forced to work remotely. As a result, more data is now created and stored in collaboration apps, and more information is exposed, creating more targets and potential value for criminals.
You don’t need to be a technical genius to launch a ransomware attack either. Ransomware-as-a-service — where you can hire a group to carry out an attack for you — is flourishing on the dark web. This makes ransomware more accessible to criminals, driving an increasing number of attacks.
The number of ransomware attacks has been increasing every year, but the ransom amounts hackers are asking for have been going up as well. In 2019 ransom demands ranged from a few thousand dollars to $2 million at the top end. By mid-2021 most demands were in the millions, with a significant number over $20 million.
While it can be difficult to speculate why ransom demands have skyrocketed, there are a couple of reasons that could be contributing to this. First, fewer organizations are actually paying the ransom, choosing to take the hit. Second, ransomware payments are not as untraceable as they used to be. With millions of dollars being demanded and paid out, law enforcement agencies are a lot more motivated to track down the money, return it to organizations, and at times even make arrests. Colonial Oil Pipeline managed to recover a significant share of their ransom payment. So, it’s not surprising that ransom demands are increasing to make it worthwhile for hackers and mitigate the risk. Finally, cybercriminals might still be requesting the same amount of bitcoin, but with the price of cryptocurrency going up it costs more for organizations to pay out.
Future of cryptocurrency and cybercrime
Cryptocurrency has fueled and enabled a multibillion economy of ransomware, cyber-extortion, and impersonation. These attacks are targeting not just private business, but also critical infrastructure, so they increasingly pose a national security risk. After successful attacks on Colonial Pipeline and JBS — in both cases organizations paid out ransoms — hackers will attempt to target other critical industries such as energy or water.
These high-profile attacks are likely to bring greater interest in regulation of bitcoin, though, making it harder for criminals to hide. The U.S. Department of Justice already managed to trace the attacker’s digital wallet and recover most of the ransom paid out by Colonial Pipeline. As bitcoin becomes more mainstream, its value will continue to grow but so will government intervention and regulations.
How to protect against cryptocurrency-related threats
Protect your users from phishing attacks. We’ve seen this time and time again — hackers use current events in their attacks. Where they used to ask for wire transfers and gift cards, now they are looking for their victims to buy and send them bitcoin. Organizations need to stay on top of the latest trends in email attacks to protect their users.
Train users on the latest email threats. Continue to train your users to recognize the latest tactics used by hackers. Make phishing simulation part of your security awareness training to ensure that end users can identify and avoid these attacks.
Secure your web applications. Online applications like file-sharing services, web forms, and e-commerce sites can be compromised by attackers and used to introduce ransomware. Organizations should look for a WAF-as-a-Service or WAAP solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection — and make sure it is properly configured.
Back up your data. In the event of a ransomware attack, a cloud backup solution can minimize downtime, prevent data loss, and get your systems restored quickly, whether your files are located on physical devices, in virtual environments, or the public cloud.
Don’t pay the ransom. When faced with a ransomware attack, a lot of organizations and consumers don’t know what to do other than to pay the ransom. This feeds the appetites of cybercriminals, encouraging them to attack more and ask for even bigger ransoms. If it can be avoided, don’t pay up, and work with law enforcement agencies to get a resolution.
Fleming Shi is Chief Technology Officer at Barracuda, where he leads the company’s threat research and innovation engineering teams in building future technology platforms. He has more than 20 patents granted or pending in network and content security.