PII Pillage: How Attackers Use BitPanda to Plunder Credentials
A sophisticated phishing campaign is targeting Bitpanda cryptocurrency users by impersonating security update alerts. The attack utilizes a deceptively similar lookalike domain to harvest not only login credentials but also sensitive personally identifiable information (PII) such as addresses and dates of birth, which can be leveraged for identity theft or further account takeovers.
Authors: Josh Varden
Source: Cofense
- domain: account-bitpanda[.]com - Malicious lookalike domain mimicking the legitimate Bitpanda login page to harvest credentials and PII.
- url: hxxps://account-bitpanda[.]com/home45314541.php - Base URL for the phishing landing and PII harvesting pages, observed in campaign screenshots.
Key Takeaways
- Attackers are impersonating the cryptocurrency brokerage Bitpanda to steal credentials and extensive PII.
- The phishing email uses scare tactics, threatening to block the user's account if they do not update their information.
- The malicious domain 'account-bitpanda.com' closely mimics the legitimate 'account.bitpanda.com' to deceive victims.
- The campaign harvests first/last name, phone number, address, and date of birth under the guise of an MFA verification process.
- The sender email address 'bitpanda=bitpanda.com@c.havemy.email' reveals the spoofing attempt.
Affected Systems
- Bitpanda user accounts
- Email systems
Attack Chain
The attack begins with a phishing email written in German, threatening account suspension if the user does not verify their information. The user clicks a link and is directed to a fake Bitpanda login page hosted on a lookalike domain. After entering their username and password, the victim is taken through a series of forms requesting their name, phone number, address, and date of birth under the guise of multi-factor authentication. Finally, the user is shown a completion message and redirected to the legitimate Bitpanda website.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but outlines behavioral and visual indicators of the phishing campaign.
Detection Engineering Assessment
- EDR Visibility: None — This is an email and web-based phishing attack; EDR on the endpoint will not have visibility into the credential harvesting beyond standard browser network connections.
- Network Visibility: Medium — Network logs and DNS telemetry can show requests to the lookalike domain.
- Detection Difficulty: Moderate — Relies on email filtering and domain reputation. Lookalike domains and convincing lures can bypass basic Secure Email Gateway (SEG) filters.
Required Log Sources
- Email Gateway Logs
- DNS Logs
- Web Proxy Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Search email gateway logs for inbound messages containing sender address anomalies, specifically looking for legitimate brand names embedded in the local part of the address before the '@' symbol. | Email Gateway Logs | Initial Access | Low |
| Hunt in DNS and web proxy logs for connections to newly registered domains that closely mimic cryptocurrency platforms, specifically looking for hyphenated variations of legitimate subdomains. | DNS Logs, Web Proxy Logs | Credential Access | Low |
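The two hunting hypotheses above, implemented as an added example (not code from the Cofense article): one check flags sender addresses that embed a watched brand in the local part while the sending domain is not that brand's, the other flags queried names that replace a legitimate subdomain dot with a hyphen. The log line formats, the brand watch-list and the sample entries are constructed for this illustration.

```python
import re

# Constructed watch-list: brand keyword -> legitimate registrable domain
WATCHED_BRANDS = {"bitpanda": "bitpanda.com"}

# Constructed sample log lines modelled on the indicators in this report
EMAIL_LOG = [
    "from=bitpanda=bitpanda.com@c.havemy.email subject=Sicherheitsupdate",
    "from=news@bitpanda.com subject=Monthly update",
    "from=alice@example.org subject=lunch",
]
DNS_LOG = [
    "query=account-bitpanda.com type=A",
    "query=account.bitpanda.com type=A",
    "query=www.example.org type=A",
]

def brand_in_local_part(sender):
    """Return the brand name if it appears before the '@' while the
    sending domain is not the brand's legitimate domain, else None."""
    local, _, domain = sender.rpartition("@")
    domain = domain.lower()
    for brand, legit in WATCHED_BRANDS.items():
        is_legit = domain == legit or domain.endswith("." + legit)
        if brand in local.lower() and not is_legit:
            return brand
    return None

def hyphenated_lookalike(fqdn):
    """Return the legitimate name being imitated if fqdn matches
    '<label>-<brand>.<tld>' (hyphen instead of subdomain dot), else None."""
    for brand, legit in WATCHED_BRANDS.items():
        label, tld = legit.split(".", 1)
        pattern = rf"(?:.*\.)?([a-z0-9]+)-{label}\.{re.escape(tld)}"
        m = re.fullmatch(pattern, fqdn.lower())
        if m:
            return f"{m.group(1)}.{legit}"
    return None

def hunt_email(lines):
    """Sender addresses from gateway log lines that trip the local-part check."""
    senders = (re.search(r"from=(\S+)", ln) for ln in lines)
    return [s.group(1) for s in senders if s and brand_in_local_part(s.group(1))]

def hunt_dns(lines):
    """(queried name, imitated legitimate name) pairs from DNS log lines."""
    hits = []
    for m in (re.search(r"query=(\S+)", ln) for ln in lines):
        if m and hyphenated_lookalike(m.group(1)):
            hits.append((m.group(1), hyphenated_lookalike(m.group(1))))
    return hits
```

Both checks deliberately ignore the legitimate `account.bitpanda.com` and `@bitpanda.com` entries, which is where the FP risk of these hypotheses sits.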
Control Gaps
- Secure Email Gateways (SEGs) missed the initial delivery of the phishing email.
Key Behavioral Indicators
- Sender address mismatch (Display name vs actual sender domain)
- Lookalike domain utilizing a hyphen instead of a dot (account-bitpanda vs account.bitpanda)
- Urgency and scare tactics in email body ('account will be blocked')
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block the domain 'account-bitpanda.com' on web proxies and DNS filters.
- Search email gateways for messages from 'bitpanda=bitpanda.com@c.havemy.email' and purge them from user inboxes.
Infrastructure Hardening
- Implement strict DMARC, SPF, and DKIM checking for inbound emails.
- Enhance Secure Email Gateway (SEG) rules to flag domain mismatches in sender addresses and newly registered lookalike domains.
User Protection
- Deploy phishing-resistant MFA (e.g., FIDO2/WebAuthn hardware keys) to prevent credential reuse even if a user falls for a phishing page.
Security Awareness
- Educate users on verifying URLs before entering credentials, especially for financial or cryptocurrency accounts.
- Train users to recognize urgency and scare tactics (e.g., 'account will be blocked') as common phishing indicators.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1056.002 - Input Capture: GUI Input Capture
Additional IOCs
- Domains:
c[.]havemy[.]email - Domain associated with the sender email address of the phishing campaign.