Celsius Cryptocurrency Breach

The cryptocurrency rewards platform Celsius Network has disclosed a security breach that exposed customer information. Celsius CEO Alex Mashinsky stated that a third-party marketing server was compromised and that attackers gained access to a partial Celsius customer list. “An unauthorized party managed to gain access to a backup third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers. The intent was to make the recipients believe the fraudulent email came from Celsius, that the fraudulent site was a true Celsius site, and to take ownership of recipients’ cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their wallet address,” disclosed a Celsius advisory. After obtaining the customer list, the attackers impersonated Celsius Network in phishing texts and emails announcing a new “Celsius Web Wallet.” As an incentive to get recipients to use this new wallet, the message states that Celsius is offering $500 in the CEL cryptocurrency if the victim creates a wallet and enters a special promo code. Clicking the link took recipients to the phishing site celsiuswallet[.]network, which has since been shut down, where visitors were asked to create a Celsius Web Wallet. VirusTotal shows that the celsiuswallet[.]network phishing domain initially had a DNS SOA record indicating it was registered through the Njalla registrar, which is based in Sweden and is favored by certain attacker groups, including the Russian groups Fancy Bear and Cozy Bear.

Analyst Notes

As with any phishing campaign, one of the first things to do on receiving an unsolicited web link is to examine the domain it points to. In this case, the received link is celsiuswallet[.]network, whereas the legitimate domain for the Celsius platform is celsius[.]network; the addition of “wallet” to the brand name makes this a look-alike domain rather than the real one. Whenever a user receives an advertisement or offer that seems suspicious, the user should look up the company on the web independently and use only the legitimate company’s address rather than the link in the message.
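The domain check described above can be automated for triage. The following is an added example and is not code from the original article or from Celsius; the allow-list contents, the defanging conventions handled, and the simple two-label notion of a registrable domain (no public-suffix list) are assumptions made for illustration. The sample indicators are constructed from the domains the article names.

```python
from urllib.parse import urlparse

# Constructed allow-list of known-good domains for the brand being protected.
# The article names only celsius.network; anything else here is an assumption.
LEGITIMATE_DOMAINS = {"celsius.network"}


def refang(indicator: str) -> str:
    """Turn defanged notation (celsiuswallet[.]network, hxxps://) back into a parseable URL."""
    return (
        indicator.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


def parse_host(url: str) -> str:
    """Extract the lowercase hostname from a URL, tolerating a missing scheme."""
    text = refang(url.strip().lower())
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def registrable_domain(host: str) -> str:
    """Return the last two labels of the host (simplification: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url: str, legitimate=LEGITIMATE_DOMAINS) -> str:
    """Classify a received link relative to the allow-list.

    'legitimate' : registrable domain is on the allow-list (subdomains included)
    'lookalike'  : the brand name appears somewhere in a host that is NOT on the allow-list,
                   e.g. celsiuswallet.network or celsius.network.evil.example
    'unrelated'  : no match at all
    """
    host = parse_host(url)
    if registrable_domain(host) in legitimate:
        return "legitimate"
    brands = {good.split(".")[0] for good in legitimate}
    if any(brand in host for brand in brands):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links for a quick manual run.
    for sample in (
        "https://celsiuswallet[.]network/promo",
        "https://app.celsius.network/",
        "hxxp://celsius.network.evil.example/login",
        "https://example.com/",
    ):
        print(f"{sample:45} -> {classify_link(sample)}")
```

The "lookalike" class is the one an analyst cares about here: the brand name is present, but the registrable domain is not the company's, which is exactly the pattern in celsiuswallet[.]network. A production version would use a public-suffix list for the registrable domain and add homoglyph normalization, but the allow-list comparison is the core of the check.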

Source Article: