Bitfinex customers have reported phishing emails appearing to be from bitfinex.com. The emails carry two attachments, which have been reported to be viruses.
These emails contain the customer's real name and are sent to the customer's Bitfinex-registered email address, which suggests that the attacker has also compromised the customer database and she is either using this information directly to attempt a second-stage attack on Bitfinex's customers, or she has sold the information on to another party who is attempting to cash in.
In my opinion the latter is the more likely scenario, which means these targeted customers could be in for many more attempted attacks. Given that the attacker knows these people are likely to have a local wallet containing value, or passwords to other accounts that hold value, I am expecting further reports of more advanced attacks against these individuals based on the recent data breach.
The Email
- The email is reported to be sent from
(which has a leading 'i')
- The email contains two attachments that are reported to be viruses
Phishing Email Contents
Dear Mr Steempower,
We apologize to you for our inconveniences appeared in result of security incident. We intensively work with the law enforcement agencies to find out guilty people to make answer. In near future our website will be restarted. We will strive to keep you as informed as we can
Unfortunately, our losses have a big scale. So, we cannot return you a total sum of lost money.
But we propose a solution.
We are planning to set electronic bonds which will let you claim for dividend payment from the common benefit of our company. You will receive the percentage of dividends, equal to the sum of lost funds.
If you accept our offer, please, check your personal information carefully, fill in the Application for refund and send it back to us.
Thank you for understanding and support.
The Bitfinex Team
Attachments - Viruses
The email contains two ZIP file attachments that are purported to be registration forms you need to complete to claim damages by way of a dividend plan (anyone remember BTC_B from BTER??? - still waiting...).
These files appear to contain Office documents carrying viruses that target MS Office:
iFinex_Agreement.zip: contains a virus that is quite old (released in 2012) and targets an ActiveX component commonly found in MS Office. The attack is known as the "MSCOMCTL.OCX RCE Vulnerability", or CVE-2012-0158; this vulnerability allows remote code execution via a web page, document file or RTF file.
Application_for_refund.zip: contains what looks to be W2KM_FAREIT.AMR (this may not be the exact Trojan, as it was detected by a heuristic scan). This is a much more recent macro-based TrojanDropper contained within a .DOC file; if executed, it will access the internet, download further software and 'drop' it into the user's temp folder before executing the newly dropped files.
If you have opened these files you should perform a full virus scan on your PC and check the virus notes linked above for common locations of the infected files.
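The two tells described above (a sender domain with an extra leading character, and ZIP attachments wrapping Office documents, one referencing the MSCOMCTL ActiveX control and one carrying a VBA macro) can be checked mechanically before anyone opens an attachment. The script below is an added example and is not the author's code nor anything published by Bitfinex. The sample message it builds is constructed to mirror the report: the sender address support@ibitfinex.example, the ZIP member names and the document bytes are all made up, and the string indicators it looks for are crude triage heuristics, not a replacement for an antivirus scan.

```python
"""Heuristic triage of a suspected phishing e-mail with ZIP-wrapped Office attachments.

Added example for the Bitfinex phishing report; not the author's or Bitfinex's code.
All sample data (sender, attachments, document bytes) is constructed, not the real artifacts.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

LEGIT_DOMAIN = "bitfinex.com"
OFFICE_EXT = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file header used by legacy .doc/.xls


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain):
    """Second-level label of a domain ('ibitfinex' for 'ibitfinex.example')."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_domain(domain, legit=LEGIT_DOMAIN):
    """True when the domain is not the legitimate one but its brand label embeds the real
    brand (the leading-character trick from the report) or is one edit away from it."""
    domain = domain.lower()
    if domain == legit:
        return False
    label, legit_label = brand_label(domain), brand_label(legit)
    return legit_label in label or edit_distance(label, legit_label) <= 1


def inspect_document(data):
    """Crude string indicators for an Office document; returns a list of finding tags."""
    findings = []
    lower = data.lower()
    if data.startswith(OLE_MAGIC) and b"attribute vb_" in lower:
        findings.append("vba-macro-marker")    # VBA source attributes inside a legacy .doc
    if b"mscomctl" in lower:
        findings.append("mscomctl-reference")  # the ActiveX control named in the CVE-2012-0158 report
    return findings


def inspect_attachment(name, data):
    """Findings per attachment; ZIPs are opened in memory and Office members inspected."""
    findings = {}
    if name.lower().endswith(".zip") and data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(OFFICE_EXT):
                    findings[f"{name}/{member}"] = ["office-doc-in-zip"] + inspect_document(zf.read(member))
    elif name.lower().endswith(OFFICE_EXT):
        findings[name] = inspect_document(data)
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and return a triage report dict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    domain = msg["from"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()
    report = {"sender_domain": domain, "lookalike_sender": lookalike_domain(domain), "attachments": {}}
    for part in msg.iter_attachments():
        report["attachments"].update(
            inspect_attachment(part.get_filename() or "unnamed", part.get_payload(decode=True)))
    report["suspicious"] = report["lookalike_sender"] or any(report["attachments"].values())
    return report


def build_sample_eml():
    """Constructed message mirroring the report: lookalike sender, two ZIP-wrapped documents."""
    def zip_bytes(member, content):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, content)
        return buf.getvalue()

    # Fake OLE .doc with a VBA attribute line, and a fake RTF naming the MSCOMCTL control.
    macro_doc = OLE_MAGIC + b"\x00" * 32 + b'Attribute VB_Name = "ThisDocument"\n' + b"\x00" * 32
    rtf_doc = b"{\\rtf1 {\\object\\objocx {\\*\\objclass MSComctlLib.ListViewCtrl}}}"
    msg = EmailMessage()
    msg["From"] = "Bitfinex Support <support@ibitfinex.example>"  # constructed lookalike, not the real sender
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Application for refund"
    msg.set_content("Please fill in the attached application for refund.")
    msg.add_attachment(zip_bytes("iFinex_Agreement.rtf", rtf_doc),
                       maintype="application", subtype="zip", filename="iFinex_Agreement.zip")
    msg.add_attachment(zip_bytes("Application_for_refund.doc", macro_doc),
                       maintype="application", subtype="zip", filename="Application_for_refund.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage_message(build_sample_eml()).items():
        print(f"{key}: {value}")
```

Point `triage_message` at a real saved .eml instead of `build_sample_eml()` to triage a received message. The brand-label comparison deliberately ignores the TLD, so a sender that keeps the brand but swaps the suffix is flagged as well as the prepended-character case from the report.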