The morning of the 20th of January 2021 started with the crypto market losing its $1 trillion market cap valuation yet again; coming into the afternoon I received an email titled "Swaprol Airdrop - Claim your SWPRL", which I thought was a nice gift to cheer me up now that most of my holdings are tanking.
As I am very cautious with any communication, having been affected by various data leaks including the most recent Ledger data leak, and also luckily because I have never registered with Blockchain.com, this email sparked a hint of caution after I opened it.
Although the entire email looks quite professional in terms of writing and media content, which sadly increases the chances of someone falling for the scam, the first sign of caution was the @gmail.com address this communication was coming from, which is quite unprofessional for a big company like Blockchain.com to be communicating from.
Further caution was taken when attempting to figure out where the links actually lead; as it turns out, they lead to a website which looks somewhat fishy.
Having turned on a VPN and visited what looked like a malicious website, judging by the redirect URL from the scans above, the visited page, apart from the fishy URL, didn't raise much suspicion, as it first prompted an anti-robot captcha. In fact, to make things worse, the App Store popups made things look a bit more legitimate.
Having passed the anti-robot captcha, the next screen presented was a login screen which attempts to trick users into giving up the Wallet ID & Password for their blockchain.com account on a malicious website.
I believe the above scam attempt is a consequence of the Ledger wallet data leak back in June of 2020, which I have personally been affected by and have been targeted with various threats & scams as a result; by the looks of things, the scammers appear to be getting a bit more clever with their scam executions.
With that I would like to close this post with a small retrospective on the bad & good from the actions taken while inspecting this scam attempt, which hopefully will keep myself & some of you safer in the near future.
The things I've done badly in this investigation:
Have you noticed how I mentioned in the first point that the hint of caution only came after I had opened the email? At this point it could already be game over in terms of exposing my public IP address: many marketing tools have a feature to track when a customer opens an email. They typically do this by including an invisible pixel as a media source, and most email clients that load remote content will perform the request to fetch it from your IP address.
This essentially means that if the scammer was interested and employed an elaborate enough technique, my email client could have performed a request against a malicious website to fetch the media content, which would have exposed my public IP address to the scammer (and confirmed that my address is live and read). This could have been avoided by connecting to the VPN prior to viewing the content of the email, or by disabling remote content loading in the mail client altogether.
The things that I would like to think were done well in this investigation:
Having noticed something odd with the content of the email, no links were clicked, to avoid visiting the website from my main PC; instead the mail content was browsed carefully in the HTML source to extract the links and scan them using a redirect-checker tool to get an idea of where they would likely lead me.
Being curious as to the nature of the malicious website, I picked up my alternate phone, dedicated to non-strictly-secure activities; after ensuring a VPN connection was established, the link was visited and screenshots were captured.
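The two points above, the tracking pixel and the extraction of links from the HTML source, can both be done offline from the raw message without the mail client (or you) fetching anything. The following script is an added example for this post, not code from the original article or from any mail tool: it parses the raw message source with Python's standard library, lists every link with its visible text and every remote image, and flags the signs seen in this scam (a sender domain that does not match the brand the email claims to be from, a 1x1 remote image, and link text that reads like blockchain.com while the href points elsewhere). The sample message and all domains in it are constructed placeholders; nothing is fetched, so the redirect-checking step stays with the external tool mentioned above.

```python
"""Offline triage of a suspicious HTML email from its raw source.

Added example for this post, not code from the original article. The sample
message below is constructed for illustration; every domain in it is a
placeholder, not real scam infrastructure. Nothing here performs a network
request, so no tracking pixel or link can leak the analyst's IP address.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample that mirrors the shape of the scam mail: a Gmail sender
# with a brand display name, a link whose visible text looks legitimate but
# whose href does not, a 1x1 remote tracking pixel, and an inline (cid:) logo.
SAMPLE_EMAIL = """\
From: "Blockchain.com Airdrop" <airdrop.team.example@gmail.com>
To: victim@example.net
Subject: Swaprol Airdrop - Claim your SWPRL
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your SWPRL tokens are waiting.</p>
<p><a href="https://login.wallet-verify.example/claim?id=123">https://www.blockchain.com/claim</a></p>
<p><a href="https://www.blockchain.com/support">Help centre</a></p>
<img src="https://track.mailer.example/open?id=123" width="1" height="1">
<img src="cid:logo@blockchain.com" width="200" height="60">
</body></html>
"""


class _Collector(HTMLParser):
    """Collects <a href> targets with their visible text, and every <img>."""

    def __init__(self):
        super().__init__()
        self.links = []    # {"href": ..., "text": ...}
        self.images = []   # {"src": ..., "width": ..., "height": ...}
        self._open_href = None
        self._text_parts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open_href = a["href"]
            self._text_parts = []
        elif tag == "img":
            self.images.append({"src": a.get("src", ""),
                                "width": a.get("width"),
                                "height": a.get("height")})

    def handle_data(self, data):
        if self._open_href is not None:
            self._text_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            self.links.append({"href": self._open_href,
                               "text": "".join(self._text_parts).strip()})
            self._open_href = None


def registered_domain(host):
    """Last two labels of a hostname. Simplification: wrong for co.uk-style
    suffixes, good enough to compare example.com against sub.example.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message, claimed_brand_domain):
    """Parse the raw message and return links, images and a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain.lower() if sender else ""
    html_part = msg.get_body(preferencelist=("html",))
    collector = _Collector()
    collector.feed(html_part.get_content() if html_part else "")

    findings = []
    if registered_domain(sender_domain) != claimed_brand_domain:
        findings.append(f"sender domain {sender_domain} is not {claimed_brand_domain}")
    for img in collector.images:
        if img["src"].startswith(("http://", "https://")):
            tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
            kind = "tracking pixel" if tiny else "remote image"
            findings.append(f"{kind}: {img['src']} (loading it reveals your IP)")
    for link in collector.links:
        host = urlparse(link["href"]).hostname or ""
        if registered_domain(host) != claimed_brand_domain:
            findings.append(f"link text '{link['text']}' actually points to {host}")
    return {"sender_domain": sender_domain, "links": collector.links,
            "images": collector.images, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, "blockchain.com")["findings"]:
        print("-", finding)
```

To use it on a real message, export the mail as raw source (.eml) from the client and pass its contents as `raw_message`; the hrefs it prints are what you would then feed to a redirect checker, from a VPN-connected throwaway device, rather than clicking them.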
Hey folks, if you dislike the content I would really appreciate some feedback, even the harshest, as I hope it will help in addressing the issues going forward.