FlagThis - #poisonseed

Source: The Hacker News (info@thehackernews.com)
A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack that affects enterprise organizations and individuals outside the cryptocurrency industry; the targeted companies include crypto firms such as Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho.

PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack.

Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it is considered a distinct entity focused on cryptocurrency theft rather than ransomware attacks. The campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise.


References:
  • Cyber Security News: The campaign targets individuals and organizations outside the cryptocurrency industry.
  • gbhackers.com: PoisonSeed uses advanced phishing techniques.
  • www.bleepingcomputer.com: Threat actors are leveraging compromised credentials.
  • securityonline.info: SecurityOnline.info - PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets – Source: securityaffairs.com
  • Cyber Security News: A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
  • securityonline.info: Threat actors target email providers to provide infrastructure for cryptocurrency spam operations.
  • Security Risk Advisors: PoisonSeed Actors Hijack Bulk Email Services to Execute Cryptocurrency Seed Phrase Attacks

Source: The Hacker News (info@thehackernews.com)
The PoisonSeed phishing campaign represents a new and evolving cyber threat, targeting individuals with access to critical systems like Customer Relationship Management (CRM) platforms and bulk email services. This large-scale operation compromises corporate email marketing accounts to distribute emails containing crypto seed phrases, ultimately used to drain cryptocurrency wallets. Attackers focus on high-value targets, employing detailed reconnaissance to ensure their phishing emails reach the most impactful individuals. By mimicking legitimate services through carefully crafted emails and fake login pages, PoisonSeed exemplifies the evolving nature of phishing threats, deceiving victims into believing the messages come from legitimate sources.

PoisonSeed's attack methodology is distinguished by its sophisticated approach. The first stage involves meticulous target identification, focusing on individuals with access to CRM systems and bulk email platforms, as these targets provide significant leverage for further attacks. The reconnaissance process includes analyzing the email services used by companies and identifying employees in relevant positions. Once targets are identified, the attackers craft professional phishing emails designed to deceive recipients, sending them from spoofed addresses to enhance their authenticity, often containing links to fake login pages hosted on carefully named domains.

The phishing pages deployed by PoisonSeed are designed to capture sensitive information, particularly cryptocurrency wallet seed phrases. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets, allowing the attackers to monitor and eventually take control of these wallets once funds are deposited. Compromised accounts are then used to send bulk phishing emails, employing urgent lures, such as notifications about "restricted sending privileges" or fake wallet migration notices. Domains such as mail-chimpservices[.]com have been used to deceive MailChimp users, showcasing the campaign's attention to detail.
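The two summaries above both turn on lookalike domains built around a brand name (mailchimp-sso[.]com, mail-chimpservices[.]com). The following is an added example, not code from any of the cited sources, of how a defender can flag such domains in mail-gateway logs: defang the IoC notation, strip the hyphens and digits that disguise the brand token, and compare the registrable domain against an allow-list of domains the brand actually owns. The brand list comes from the companies named in the summaries; the legitimate domains, the log format and the log lines themselves are assumptions constructed for this example.

```python
"""Brand-impersonation check over constructed mail-gateway log lines (added example)."""
import re

# Brands named in the PoisonSeed summaries -> registrable domains treated as legitimate.
# ASSUMPTION for the example: a real deployment loads this allow-list from policy and
# keeps it complete, since any owned domain missing here becomes a false positive.
LEGIT_DOMAINS = {
    "mailchimp": {"mailchimp.com"},
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
    "hubspot": {"hubspot.com"},
    "mailgun": {"mailgun.com"},
    "zoho": {"zoho.com"},
    "coinbase": {"coinbase.com"},
    "ledger": {"ledger.com"},
}


def refang(domain: str) -> str:
    """Turn defanged IoC notation such as mailchimp-sso[.]com back into a plain domain."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_domain(domain: str) -> str:
    """Last two labels of the name. Simplification for the example; production code
    should consult a public-suffix list so that co.uk-style suffixes are handled."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def impersonated_brand(domain: str):
    """Return the brand a domain appears to impersonate, or None.

    A domain is suspicious when, after hyphens and digits are removed, it still
    contains a brand token but its registrable domain is not one the brand owns.
    Subdomains of an owned domain (login.mailchimp.com) are therefore not flagged.
    """
    dom = refang(domain)
    reg = registrable_domain(dom)
    squashed = re.sub(r"[-0-9]", "", dom)  # mail-chimpservices -> mailchimpservices
    for brand, owned in LEGIT_DOMAINS.items():
        if brand in squashed and reg not in owned:
            return brand
    return None


# Constructed sample log (not real telemetry). Each line carries a sender and a link.
SAMPLE_LOG = """\
2025-04-07T10:01:12Z from=noreply@mailchimp.com url=https://login.mailchimp.com/ status=delivered
2025-04-07T10:02:45Z from=support@mailchimp-sso[.]com url=https://mailchimp-sso[.]com/login status=delivered
2025-04-07T10:03:03Z from=billing@mail-chimpservices[.]com url=https://mail-chimpservices[.]com/ status=delivered
2025-04-07T10:04:19Z from=alerts@coinbase.com url=https://www.coinbase.com/ status=delivered
2025-04-07T10:05:40Z from=team@example-newsletter.com url=https://example-newsletter.com/ status=delivered
"""

# Captures the domain after the sender's '@' and the host of any url= field.
DOMAIN_RE = re.compile(r"(?:from=[^@\s]+@|url=https?://)([^/\s]+)")


def scan_log(text: str):
    """Return (line_no, domain, brand) for every suspicious domain in the log text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        for raw in DOMAIN_RE.findall(line):
            dom = refang(raw)
            if dom in seen:
                continue
            seen.add(dom)
            brand = impersonated_brand(dom)
            if brand:
                hits.append((line_no, dom, brand))
    return hits


if __name__ == "__main__":
    for line_no, dom, brand in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {dom} looks like an impersonation of {brand}")
```

The check is deliberately an allow-list rather than a block-list: the legitimate login portal and its subdomains pass, and anything else that carries the brand token is surfaced for review. Stripping hyphens before matching is what catches the split-token variant (mail-chimpservices) alongside the appended-token variant (mailchimp-sso).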


References:
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • www.bleepingcomputer.com: PoisonSeed phishing campaign distributing emails with wallet seed phrases.
  • bsky.app: PoisonSeed phishing campaign behind emails with wallet seed phrases
  • Cyber Security News: PoisonSeed Launches Supply Chain Phishing Attacks on CRM and Bulk Email Services
  • gbhackers.com: PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack
  • securityonline.info: PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets
  • securityonline.info: Silent Push Threat Analysts have uncovered a sophisticated campaign targeting enterprise organizations, VIP individuals, and cryptocurrency holders, dubbed "PoisonSeed."
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets – Source: securityaffairs.com
  • www.silentpush.com: Silent Push blog about PoisonSeed campaign.
  • Security Risk Advisors: #PoisonSeed campaign compromises email providers to launch crypto seed phrase poisoning attacks. Targets include #Mailchimp #SendGrid and #Coinbase users.