Attachment: PDF file with Link to Fake Bitcoin Exchange
Fraudulent message containing a PDF notification of unclaimed Bitcoin assets. The PDF file contains a link to a fake cryptocurrency portal; attempting to withdraw funds prompts the user to enter payment information. Because the lure URL lives inside the attachment rather than the message body, the rule keys on the PDF itself: a single PDF from a free-mail sender whose file name mentions a BTC amount or "bitcoin", that is at least five pages long and carries exactly one /URI link.
Sublime rule
```yaml
name: "Attachment: PDF file with Link to Fake Bitcoin Exchange"
description: |
  Fraudulent message containing a PDF notification of unclaimed Bitcoin assets.
  The PDF file contains a link to a fake Cryptocurrency portal. Attempting to withdraw
  funds prompts the user to enter payment information.
references:
  - "https://app.any.run/tasks/93d72f24-c021-48ad-a8eb-9b30c8660938"
type: "rule"
severity: "low"
source: |
  type.inbound
  // the lure is sent from free webmail accounts rather than a look-alike exchange domain
  and sender.email.domain.root_domain in $free_email_providers
  and length(attachments) == 1
  and all(attachments,
          .file_extension == "pdf"
          // file name carries a BTC amount such as "0.7254 BTC", or the word "bitcoin"
          and regex.icontains(.file_name, '(\d\.\d{3,4}.{0,12}BTC|bitcoin)')
          and any(file.explode(.),
                  // inspect the PDF itself (depth 0), not objects extracted from it
                  .scan.exiftool.page_count >= 5
                  and .depth == 0
                  // exactly one embedded http(s) link annotation
                  and length(filter(.scan.strings.strings, regex.match(., '^\/URI \(http.*'))) == 1
          )
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
id: "47601cb7-5278-58b1-b503-0456c235a18d"
```
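To see what the rule's predicate actually accepts and rejects, the following Python is an added example, not Sublime's code and not the rule itself: it re-implements the `source` block over constructed attachment metadata and runs it against a handful of invented messages. The free-provider set is a tiny stand-in for `$free_email_providers`, and every file name, URL, page count and extracted string is made up; the two regexes are copied verbatim from the rule.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for Sublime's $free_email_providers list; the real list is far larger.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "protonmail.com"}

# The rule's two patterns, verbatim. regex.icontains is a case-insensitive search;
# the regex.match pattern is anchored with ^ and ends in .*, so re.match behaves the same.
FILENAME_RE = re.compile(r"(\d\.\d{3,4}.{0,12}BTC|bitcoin)", re.IGNORECASE)
URI_STRING_RE = re.compile(r"^/URI \(http.*")


@dataclass
class ExplodedObject:
    """One object produced by file.explode(): depth 0 is the attachment itself,
    deeper levels are objects extracted from it."""
    depth: int
    page_count: int          # .scan.exiftool.page_count
    strings: list            # .scan.strings.strings


@dataclass
class Attachment:
    file_name: str
    file_extension: str
    exploded: list           # result of file.explode(.)


@dataclass
class Message:
    inbound: bool
    sender_root_domain: str  # sender.email.domain.root_domain
    attachments: list


def attachment_matches(att: Attachment) -> bool:
    """The per-attachment predicate inside all(attachments, ...)."""
    if att.file_extension != "pdf":
        return False
    if not FILENAME_RE.search(att.file_name):
        return False
    # any(file.explode(.), ...): a top-level object with >= 5 pages and exactly one /URI string.
    return any(
        obj.depth == 0
        and obj.page_count >= 5
        and sum(1 for s in obj.strings if URI_STRING_RE.match(s)) == 1
        for obj in att.exploded
    )


def matches_rule(msg: Message) -> bool:
    """Python rendering of the rule's source block; True means the rule would fire."""
    return (
        msg.inbound
        and msg.sender_root_domain in FREE_EMAIL_PROVIDERS
        and len(msg.attachments) == 1
        and all(attachment_matches(a) for a in msg.attachments)
    )


def sample_message(sender_root_domain="gmail.com",
                   file_name="Unclaimed 0.7254 BTC balance notice.pdf",
                   page_count=6, uri_strings=1) -> Message:
    """Constructed sample loosely modelled on the lure; every value here is invented."""
    strings = (["%PDF-1.4", "/Type /Annot"]
               + ["/URI (https://btc-portal.example/claim)"] * uri_strings
               + ["/Producer (constructed sample)"])
    exploded = [
        ExplodedObject(depth=0, page_count=page_count, strings=strings),
        # A nested object carrying its own link: ignored by the rule because depth != 0.
        ExplodedObject(depth=1, page_count=0, strings=["/URI (https://btc-portal.example/claim)"]),
    ]
    ext = file_name.rsplit(".", 1)[-1].lower()
    return Message(True, sender_root_domain, [Attachment(file_name, ext, exploded)])


if __name__ == "__main__":
    cases = [
        ("lure from a free mail provider", sample_message()),
        ("same PDF from a corporate domain", sample_message(sender_root_domain="example.com")),
        ("short PDF (2 pages)", sample_message(page_count=2)),
        ("PDF with two links", sample_message(uri_strings=2)),
        ("file name says 'Bitcoin' only", sample_message(file_name="Your BITCOIN wallet statement.pdf")),
    ]
    for label, msg in cases:
        print(f"{label:36s} -> {'MATCH' if matches_rule(msg) else 'no match'}")
```

The cases show where the rule is deliberately narrow: a corporate sender, a short PDF, or a PDF with more than one link annotation all fall outside it, which is why the severity is set to low rather than the rule being broadened. If you tune the page-count or link-count thresholds, re-run the constructed cases to confirm the negatives still hold.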