FlagThis - #poisonseed

A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack, impacting enterprise organizations and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho among the targeted companies.

PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack.

Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 Servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it's considered a distinct entity with a focus on cryptocurrency theft rather than ransomware attacks. This malicious campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise.


References :

• cyberpress.org: The campaign targets individuals and organizations outside the cryptocurrency industry.
• gbhackers.com: PoisonSeed uses advanced phishing techniques.
• BleepingComputer: Threat actors are leveraging compromised credentials.
• securityonline.info: SecurityOnline.info - PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
• The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
• The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
• securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
• The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
• ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
• ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
• Cyber Security News: A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
• securityonline.info: Threat actors target email providers to provide infrastructure for cryptocurrency spam operations.
• Security Risk Advisors: PoisonSeed Actors Hijack Bulk Email Services to Execute Cryptocurrency Seed Phrase Attacks

Classification:

• HashTags: #Phishing #CRM #Cryptocurrency
• Company: CRM
• Target: Cryptocurrency wallet users
• Attacker: PoisonSeed
• Product: CRM platforms
• Feature: Phishing
• Type: Hack
• Severity: Major