North Korean hackers have allegedly attacked users of South Korean exchange UpBit with a clever phishing exploit.
According to data released by the security company East Security, the hacker attempted a cyberattack by sending a phishing e-mail on May 28. The subject of the mail suggested that UpBit needed more information for a customer’s fictional sweepstakes payout. The mail did not come from UpBit but from another server.
The email contained a file claiming to contain documentation for the payout. According to East Security, running this file displayed what looked like a normal document but then would run malicious code. It then sent data about the user’s machine as well as private keys and logins to the hackers and then connected the machine to a command and control system for larter remote access.
East Security believes that this cyber attack came from a North Korean hacking group Kim Soo-ki.
“In analyzing attack tools and malicious codes used by hacker groups, there are unique characteristics we saw,” said Mun Jong-hyun, head of the ESRC Center at East Security. He noted that these are similar to another attack called Operation Fake Striker that attacked Korean government agencies. The hackers also used the same techniques in January to target reporters.
“As bitcoin prices rise, more and more customers are using exchanges. This means that the number of victims has increased, which means that the possibility of stealing passwords stored in the exchange has increased,” said Mun Jong-hyun.
In a clever move the hackers password-protected the malicious file with the word “UPBIT.” This means that traditional anti-virus tools would not be able to detect the malicious code.
“We have not heard of any reported damage,” noted Mun Jong-hyun. “In order to avoid cyber attacks, you should not install or click suspicious files or documents.”
Research by Park Moon-mo at CoinDesk Korea.
Image via Shutterstock