Recently I’m playing with a simple pastebin bot, basicaly it’s a crawler for the pastebin.com website that applies a few regular expressions to new pastes and saves interesting ones. Services like this are all around the internet, one example is the leakedin website where you can find potential data leaks almost in real time and it’s not new that hackers are already crawling for this kind of contents waiting for dumps, leaks or any sort of interesting data to use for malicious purposes.

While collecting data with my bot, I found something which is very interesting and potentially a whole new phishing/social technique that I never saw before.

Someone is periodically posting contents like the following on pastebin.com ( sample taken from here ):

JIHAD ACHMED presents to you With a dump of beta accounts from thebitcoinshop.pixub.com Claimed to be "Secure Cold Storage" Lets see how "Secure" they are now when all 50 of their Beta Accounts get leaked! password / email ... REDACTED USER / PASSWORD LIST ... About Bitcoin-Value Storage Firstly, we want to appologize for the website being cookie cutter. But we belive that Service comes BEFORE Looks! Bitcoin-Value Storage started when we realized that people could trace how much came to the addresses we were using. When we wanted to have long term cold storage we realized that anyone who was tracking our addresses would realize exactly how much we were putting into cold storage. To resolve this we decided to create Bitcoin-Value Storage. Enabling secure semi cold storage through constant washing of bitcoins through multiple wallets, and servers. When coins are in our storage they are never sent to the same address twice. They are shuffled through multiple servers. Our servers come online a few times a week to keep their blockchain up to date and process any transactions that are required. Only wallets that have pending withdrawls come online durring this time to be updated. Otherwise the washing occurs randomly from your wallet on one server, to your wallet on another server.

The redacted part is a space separated usernames and passwords list of alleged beta accounts to the “thebitcoinshop” website which is apparently a BitCoin trading platform.

You might think “wow cool, let’s log in into those accounts and get all the BTC they have!!!” ….. yeah, sure ….

Once you’ve logged in with one of these accounts ( btw they all seem to be filled with 10 to 30 BTC each ), you will be able to send BTC to a given address.

Guess what? Whatever you type inside the address field it will be accepted by the system :)

Then, you will be redirected to the following page …

Don’t you see something fishy? This is a fake login, this page will steal your credentials of the legit blockchain.info website and then it will redirect you there.

Summarizing

Someone is periodically posting contents to pastebin.com trying to trigger pastebots with specific keywords, these contents will lure the bot owner to enter his blockchain.info credentials into a phishing page.

Hackers phishing leakers … isn’t it funny? :D