Bee Token Stung with a Phishing Scam that Cost Investors $1M of Ethereum

Cryptocurrency startup Bee Token confirmed that scammers conned its investors out of at least $928,000 worth of ethereum when it ran its initial coin offering (ICO). The fraudsters who phished the investors posed as the Bee Token team, urging them to quickly capitalize on the ICO to gain a significantly higher return on investment. The scheme involved the phishers sending would-be buyers an Ethereum address or a QR code that redirects them to the address. The earliest transaction occurred on January 31, nearly the same time Bee Token ran its ICO.

Bee Token is the cryptocurrency of Beenest, a decentralized home-sharing and house rental network much like Airbnb. It is a real-world example of applying blockchain technology to an industry, which, in this case, is short-term housing and hospitality. Beenest held an ICO (presale of its Bee tokens) in January to raise enough crowdfunded capital to launch the project. Presale ICOs are usually done to test the waters to see if the project has garnered enough interest, and investors are incentivized with discounted offers.

[READ: Security 101: The Impact of Cryptocurrency-Mining Malware]

Bee Token’s case is a classic example of phishing, where perpetrators try to lend itself credibility and legitimacy while inciting a sense of urgency to would-be victims in order to cash in on their bank accounts and even personal data that they can monetize. And Bee Token wasn’t just a one-off incident. In late January, hackers phished participants of the Experty ICO (meant for setting up a Skype-like application) and got away with etherium worth $150,000.

Cryptocurrency’s real-world leverage is indeed drawing cybercriminal attention. But phishing isn’t the only favored technique—in fact, the use of cryptocurrency-mining malware and botnets that turn devices into resource-stealing zombies are increasing. 

Just this week, a worm-like Monero-mining malware (ADB.Miner) is currently gaining ground in China and South Korea, which so far is affecting Android-powered devices. It abuses Android Debug Bridge (ABD), a command-line tool that facilitates various functionalities, such as installing and debugging applications. ADB.Miner has scanning capability of the infamous Mirai, searching for open port 5555 (which is part of ADB’s port range).  And it’s not just cybercriminals. Cyberespionage campaign PZChao was recently seen deploying custom-built information stealers and remote access Trojans that also mines bitcoins.

[From The TrendLabs Security Intelligence Blog: Digmine Cryptocurrency Miner Spreading via Facebook Messenger]

The surge of malicious cryptocurrency mining activities would only translate to cybercriminals looking for more ways to zombify devices — from abusing legitimate services and exploiting vulnerabilities and system weaknesses to using tried-and-tested techniques such as phishing. These incidents highlight the significance of defense in depth, or arraying defenses at each layer of the infrastructure to mitigate and lessen exposure to threats.

In cases like Bee Token’s, apply best practices against phishing: Beware of suspicious emails with equally dodgy requests, such as those that ask for more personal information than necessary. The sender's display names can also reveal phishing red flags. Bee Token investors were duped by scammers using fake email addresses instead of ones officially used by the Bee Token team. Phishing emails, like those used in Business Email Compromise attacks, are also written with a sense of urgency. Social engineering is a vital component in phishing, so users and businesses should be more security-aware: If the phishing email offers something that seems too good to be true, it usually is.

Trend Micro Solutions

Given how the phishing scam used on Bee Token used email as an entry point, organizations need to secure the email gateway to mitigate this kind of threat.  Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network.  Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites, deliver several capabilities that minimize the threat’s impact.  These solutions are powered by the Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.