Emails purporting to be from international Bitcoin trading service LocalBitcoins have hit email inboxes across the world, attempting to trick users into handing over their login credentials and giving hackers access to their Bitcoin wallets.
The scam, picked up by email security company MailGuard, spoofs an email from LocalBitcoins, using the exchange’s branding and compromised email accounts to give the message a sense of legitimacy.
The email tells users the site is currently undergoing maintenance in order to improve the quality of its service and, ironically, to “reduce the rate of spam virus” on the service. Users are urged to verify and update their accounts via a provided link.
“Failure to do so may result in the cancellation of your local bitcoins wallet account,” the scam claims.
When the link is followed, users are taken to a well-designed fake login page for LocalBitcoins, which not only asks for the user’s login for the Bitcoin trading site, but also for their email, providing cyber crims with the elusive double whammy of credential pilfering.
The site also includes a fake Google ‘reCaptcha’ verification tool, likely to give the fake site further legitimacy.
“Through this phishing email scam, cybercriminals are not only exploiting the well-established reputation and huge database of LocalBitcoins users, but also the soaring value of Bitcoin currency,” MailGuard writes.
“At current valuation, 1 Bitcoin is currently worth AUD$5,096 — making the stakes huge for someone who is informed that their entire Bitcoin wallet might just be cancelled. It is this exact fear of losing vast amounts of money that cyber criminals prey on in order to trick recipients to submit their confidential details online.”
For users worried about falling prey to this, or similar email phishing scams, the easiest thing to do is to enable two-factor authentication on any accounts holding sensitive information, or thousands of dollars in cryptocurrency.
Two-factor authentication, or 2FA, requires a second step when logging into an account: after entering a password, the user must also input a unique, short-lived code from their mobile phone in order to gain access. This means that even if your credentials are phished, criminals would be unable to access your accounts without that code.
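To make the point concrete, here is an added example (not code from the article, MailGuard or LocalBitcoins) of how the phone-generated code works on the server side: a time-based one-time password (RFC 6238 TOTP) is derived from a shared secret and the current 30-second window, and the login only succeeds when both the password and a currently valid code check out. The user store, the password and the secret (the RFC 6238 test key) are constructed for the demo; a real service would store a password hash, not the plaintext.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo user store. The TOTP secret is the RFC 6238 test key
# (ASCII "12345678901234567890") in base32; the plaintext password is for the demo only.
USERS = {
    "alice": {"password": "hunter2", "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
}


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)            # 8-byte big-endian step counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                 # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate phone clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * 30)
        # Constant-time compare, and no early return, so timing does not reveal which step matched.
        ok |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return ok


def login(username: str, password: str, code: str, unix_time=None) -> bool:
    """A phished password alone never suffices: the second factor is checked on every login."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = hmac.compare_digest(user["password"].encode(), password.encode())
    code_ok = verify_totp(user["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    t = 59                                     # fixed clock so the run is reproducible
    phished_password = "hunter2"               # what a fake login page would have captured
    print(login("alice", phished_password, "000000", t))                                  # False
    print(login("alice", phished_password, totp(USERS["alice"]["totp_secret"], t), t))    # True
```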