FlagThis

The PoisonSeed phishing campaign represents a new and evolving cyber threat, targeting individuals with access to critical systems like Customer Relationship Management (CRM) platforms and bulk email services. This large-scale operation compromises corporate email marketing accounts to distribute emails containing crypto seed phrases, ultimately used to drain cryptocurrency wallets. Attackers focus on high-value targets, employing detailed reconnaissance to ensure their phishing emails reach the most impactful individuals. By mimicking legitimate services through carefully crafted emails and fake login pages, PoisonSeed exemplifies the evolving nature of phishing threats, deceiving victims into believing they are from legitimate sources.

PoisonSeed's attack methodology is distinguished by its sophisticated approach, targeting individuals with access to CRM systems and bulk email platforms. The first stage involves meticulous target identification, focusing on those with access to CRM systems and bulk email platforms, as these targets provide significant leverage for further attacks. The reconnaissance process includes analyzing the email services used by companies and identifying employees in relevant positions. Once targets are identified, the attackers craft professional phishing emails designed to deceive recipients, sending them from spoofed addresses to enhance their authenticity, often containing links to fake login pages hosted on carefully named domains.

The phishing pages deployed by PoisonSeed are designed to capture sensitive information, particularly cryptocurrency wallet seed phrases. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets, allowing the attackers to monitor and eventually take control of these wallets once funds are deposited. Compromised accounts are then used to send bulk phishing emails, employing urgent lures, such as notifications about "restricted sending privileges" or fake wallet migration notices. Domains such as mail-chimpservices[.]com have been used to deceive MailChimp users, showcasing the campaign's attention to detail.

ImgSrc: blogger.googleu

References :

• The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
• www.bleepingcomputer.com: PoisonSeed phishing campaign distributing emails with wallet seed phrases.
• bsky.app: PoisonSeed phishing campaign behind emails with wallet seed phrases
• Cyber Security News: PoisonSeed Launches Supply Chain Phishing Attacks on CRM and Bulk Email Services
• gbhackers.com: PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack
• securityonline.info: PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
• The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
• securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
• securityonline.info: Silent Push Threat Analysts have uncovered a sophisticated campaign targeting enterprise organizations, VIP individuals, and cryptocurrency holders, dubbed “PoisonSeed.â€
• ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
• www.silentpush.com: Silent Push blog about PoisonSeed campaign.
• The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
• Security Risk Advisors: #PoisonSeed campaign compromises email providers to launch crypto seed phrase poisoning attacks. Targets include #Mailchimp #SendGrid and #Coinbase users.

Classification:

• HashTags: #Phishing #SupplyChainAttack #CryptoScam
• Target: Enterprise Organizations, Crypto Holders
• Attacker: PoisonSeed
• Feature: Seed Phrase Poisoning
• Type: Phishing
• Severity: High