Bill Toulas@BleepingComputer //
The PoisonSeed campaign is a sophisticated phishing operation targeting CRM and bulk email providers such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. It aims to compromise enterprise organizations and individuals through cryptocurrency-related scams. The threat actors behind the campaign use compromised credentials to steal email lists and send bulk phishing emails, ultimately targeting cryptocurrency wallets with a novel seed phrase poisoning technique.

PoisonSeed’s operation involves setting up phishing pages that closely mimic login portals of prominent CRM and bulk email platforms. These fake login pages are used to steal credentials from targeted users. Once access is gained, the attackers automate the export of email lists and maintain persistence by creating new API keys, even if passwords are reset. The compromised accounts are then used to send phishing emails at scale, often employing urgent lures, such as notifications about “restricted sending privileges” or fake wallet migration notices.
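A defender-side check for the persistence mechanism described above (API keys that outlive a password reset), added here as an example and not taken from the article or any provider's tooling: it parses constructed audit-log lines in a hypothetical JSON format, lists keys created shortly before a reset, and flags those still used afterwards so they can be revoked.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical provider schema (real CRM and
# bulk-email platforms each use their own event names and fields).
AUDIT_LOG = """
{"ts": "2025-04-01T09:00:00Z", "actor": "marketing@example.com", "event": "login", "ip": "203.0.113.5"}
{"ts": "2025-04-01T09:03:00Z", "actor": "marketing@example.com", "event": "list_export", "ip": "203.0.113.5"}
{"ts": "2025-04-01T09:05:00Z", "actor": "marketing@example.com", "event": "api_key_created", "key_id": "key-7f3a", "ip": "203.0.113.5"}
{"ts": "2025-04-01T14:00:00Z", "actor": "marketing@example.com", "event": "password_reset", "ip": "198.51.100.7"}
{"ts": "2025-04-02T08:00:00Z", "actor": "marketing@example.com", "event": "api_key_used", "key_id": "key-7f3a", "ip": "203.0.113.5"}
{"ts": "2025-03-20T10:00:00Z", "actor": "marketing@example.com", "event": "api_key_created", "key_id": "key-0b11", "ip": "198.51.100.7"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def keys_surviving_reset(events, window=timedelta(hours=24)):
    """API keys created within `window` before a password reset on the same account.

    A password reset does not revoke existing keys, so each key returned is a
    revocation candidate; `used_after_reset` shows whether it is still active.
    """
    findings = {}
    for reset in (e for e in events if e["event"] == "password_reset"):
        for e in events:
            if (e["event"] == "api_key_created" and e["actor"] == reset["actor"]
                    and reset["ts"] - window <= e["ts"] <= reset["ts"]):
                used_after = any(
                    u["event"] == "api_key_used" and u.get("key_id") == e["key_id"]
                    and u["ts"] > reset["ts"] for u in events)
                findings[e["key_id"]] = {
                    "created": e["ts"].isoformat(),
                    "source_ip": e["ip"],
                    "used_after_reset": used_after,
                }
    return findings


if __name__ == "__main__":
    for key_id, info in keys_surviving_reset(parse_events(AUDIT_LOG)).items():
        print(key_id, info)
```

Keys created well before the reset (here `key-0b11`) fall outside the window and are left for normal key-rotation review.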

The core of PoisonSeed’s strategy lies in its seed phrase poisoning attack. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets, allowing the attackers to monitor and eventually take control of these wallets once funds are deposited. This method represents a shift from traditional phishing tactics, as it delays the theft until victims unknowingly use the compromised seed phrases. While PoisonSeed shares certain infrastructural similarities with CryptoChameleon, a threat group known for targeting high-net-worth cryptocurrency holders, PoisonSeed’s tactics, such as targeting CRM platforms and delaying cash-out efforts, differ significantly from CryptoChameleon’s rapid exploitation methods.


