PoisonSeed campaign hijacks business CRM and email accounts to send out huge amounts of spam

5 hours ago 2

Abstract image of cyber security in action.

OpenVPN-protokollet - därför är det så bra (Image credit: Shutterstock)

Hackers are targeting business CRM accounts to steal mailing lists
Emails used to send spam and trick people into setting up compromised crypto wallets
The goal is to steal the money, so be on your guard

Hackers are stealing mailing lists from major companies and using them to break into people’s cryptocurrency wallets and snatch their funds.

A new report from cybersecurity researchers Silent Push, who dubbed the campaign ‘PoisonSeed’, outlined how the criminals first set up spoofed landing pages for companies such as Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, and others. They harvest people’s login credentials, which allow cybercriminals to log into mailing service accounts and exfiltrate any mailing lists.

Then they would send emails, impersonating those companies, and urging users to set up a new Coinbase Wallet, using the seed phrase embedded in the email. A seed phrase is a series of 12 to 24 words generated by the wallet that gives access to the funds inside. It acts as a master key, so anyone who has it can restore the wallet and control the cryptocurrencies inside.

Seed phrase poisoning attack

"Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push explained.

"As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising."

Once users set up new wallets, and top them up with their funds, the criminals can simply send the money elsewhere, which is a permanent loss for the victims.

The researchers believe the campaign is the work of two “loosely aligned” threat actors, called Scattered Spider, and CryptoChameleon, both of which are reportedly part of a broader cybercrime ecosystem called The Com.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Since cryptocurrency is permissionless and decentralized, once the funds are sent from one wallet to another, the only way to retrieve them is to have the other side send the money back.

In 2024, the US government has seized tens of millions of dollars' worth of crypto, as part of a broader investigation into market manipulation, theft, fraud, and more.

Via The Hacker News

Hundreds of masterminds behind most pump-and-dump crypto coin schemes worldwide collect a staggering $250 million annually
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article