{"id":18223,"date":"2021-04-19T16:01:51","date_gmt":"2021-04-19T12:01:51","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/cryptoscam-fake-antminer\/18223\/"},"modified":"2021-04-19T16:03:29","modified_gmt":"2021-04-19T12:03:29","slug":"cryptoscam-fake-antminer","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/cryptoscam-fake-antminer\/18223\/","title":{"rendered":"Cryptoscam with fake mining equipment"},"content":{"rendered":"<p>Rising cryptocurrency prices have led to an increase in demand for mining equipment, but COVID-19 restrictions have led to a drop in supply. As a result, the world is witnessing <a href=\"https:\/\/www.theverge.com\/2021\/1\/12\/22227040\/nvidia-amd-gpu-shortage-rtx-3080-3070-3060-ti-3090-rx-6800-xt\" target=\"_blank\" rel=\"nofollow noopener\">another shortage of powerful video cards and cryptomining equipment<\/a>, with months-long wait times for new deliveries. Cybercriminals, as always, are looking to capitalize on the crisis.<\/p>\n<p>For example, fraudsters have been extracting cryptocurrency from buyers using a popular Google service and a clone of a mining equipment manufacturer\u2019s website.<\/p>\n<h2>How the scam works<\/h2>\n<p>Scammers and spammers have long <a href=\"https:\/\/www.kaspersky.com\/blog\/spam-through-google-services\/27228\/\" target=\"_blank\" rel=\"noopener nofollow\">relied on Google services<\/a> (Forms, Sheets, Calendar, Photos and others) for their ability to send automatic notifications to anyone the author of a file (or a calendar entry, etc.) shares it with or mentions in it. The e-mails come not from the actual author, but from no less an authority than Google, so spam filters typically let them through.<\/p>\n<p>In this case, potential cryptocurrency miners are receiving e-mails saying they have been mentioned in a Google Docs file by a user with the nickname BitmainTech (the name of a real manufacturer of mining rigs). 
The respectable name \u2014 @docs[.]google[.]com \u2014 in the From field helps lower the recipient\u2019s guard. The displayed username is whatever the sender wants it to be, and the sender\u2019s real e-mail address remains hidden.<\/p>\n<div id=\"attachment_39400\" style=\"width: 1162px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160200\/cryptoscam-fake-antminer-screen-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39400\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160200\/cryptoscam-fake-antminer-screen-1.jpg\" alt=\"The e-mail reads: \u201cBitmainTech mentioned you in a document\u201d\" width=\"1152\" height=\"945\" class=\"size-full wp-image-18224\"><\/a><p id=\"caption-attachment-39400\" class=\"wp-caption-text\">The e-mail reads: \u201cBitmainTech mentioned you in a document\u201d<\/p><\/div>\n<p>Bait follows in the form of an announcement of a sale on Antminer S19j mining machines. Posing as the Bitmain sales department, the scammers report that the equipment is available to be ordered, but time\u2019s running out; stock is limited and delivery is on a first-come-first-served basis. 
The text is replete with trust-inspiring facts and figures.<\/p>\n<div id=\"attachment_39401\" style=\"width: 1136px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160208\/cryptoscam-fake-antminer-screen-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39401\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160208\/cryptoscam-fake-antminer-screen-2.jpg\" alt=\"Fake Bitmain sales team uses Google Docs to tell victim about Antminer S19j availability\" width=\"1126\" height=\"552\" class=\"size-full wp-image-18226\"><\/a><p id=\"caption-attachment-39401\" class=\"wp-caption-text\">Fake Bitmain sales team uses Google Docs to tell victim about Antminer S19j availability<\/p><\/div>\n<p>The same text appears in the Google Docs file, only with an active link that leads, through a chain of redirects, to bitmain[.]sa[.]com, a clone of the official bitmain[.]com website (note the differences in the address). A WHOIS check reveals that the domain of the fake site was <a href=\"https:\/\/whois.ru\/bitmain.sa.com\" target=\"_blank\" rel=\"nofollow noopener\">registered<\/a> in March 2021.<\/p>\n<p>For extra credibility, the cybercriminals use the HTTPS protocol. Readers of this blog already know HTTPS protects data from interception as it travels from user to site but does not guarantee a site is bona fide. 
If the destination site is malicious, using a secure protocol just means the data will travel securely to the cybercriminals.<\/p>\n<div id=\"attachment_39402\" style=\"width: 1304px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160216\/cryptoscam-fake-antminer-screen-3.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39402\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160216\/cryptoscam-fake-antminer-screen-3.png\" alt=\"Fake Bitmain site with Antminer S19j ad\" width=\"1294\" height=\"855\" class=\"size-full wp-image-18228\"><\/a><p id=\"caption-attachment-39402\" class=\"wp-caption-text\">Fake Bitmain site with Antminer S19j ad<\/p><\/div>\n<p>On the real Bitmain website, at the time of posting, the Buy button was inactive because the last Antminer S19j batch had already been snapped up; the site does not expect new deliveries to occur before October. But on the fake resource, the coveted mining machine slides right into the shopping cart, and for the same price as the real one, $5,017.<\/p>\n<div id=\"attachment_39403\" style=\"width: 1304px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160226\/cryptoscam-fake-antminer-screen-4.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39403\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160226\/cryptoscam-fake-antminer-screen-4.png\" alt=\"The fake website lets you add the mining machine to your shopping cart\" width=\"1294\" height=\"856\" class=\"size-full wp-image-18230\"><\/a><p id=\"caption-attachment-39403\" class=\"wp-caption-text\">The fake website lets you add the mining machine to your shopping cart<\/p><\/div>\n<p>To proceed to checkout, the victim has to sign in or register. 
There are two possible reasons to implement this requirement: for greater authenticity or to build a database of addresses and passwords for account hacking purposes. Despite registering (using a disposable e-mail address, of course), we never received a registration confirmation message.<\/p>\n<div id=\"attachment_39404\" style=\"width: 858px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160236\/cryptoscam-fake-antminer-screen-5.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39404\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160236\/cryptoscam-fake-antminer-screen-5.png\" alt=\"Fake Bitmain authorization page\" width=\"848\" height=\"580\" class=\"size-full wp-image-18232\"><\/a><p id=\"caption-attachment-39404\" class=\"wp-caption-text\">Fake Bitmain authorization page<\/p><\/div>\n<p>In any event, the system allows the user to sign in and finalize the order. The login procedure looks quite convincing.<\/p>\n<div id=\"attachment_39405\" style=\"width: 1301px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160243\/cryptoscam-fake-antminer-screen-6.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39405\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160243\/cryptoscam-fake-antminer-screen-6.png\" alt=\"The Antminer S19j is in the cart! Or is it?\" width=\"1291\" height=\"853\" class=\"size-full wp-image-18234\"><\/a><p id=\"caption-attachment-39405\" class=\"wp-caption-text\">The Antminer S19j is in the cart! Or is it?<\/p><\/div>\n<p>At the next stage, the victim is asked to provide a delivery address. 
Perhaps the scammers are collecting this data for sale as well.<\/p>\n<div id=\"attachment_39406\" style=\"width: 1301px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160252\/cryptoscam-fake-antminer-screen-7.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39406\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160252\/cryptoscam-fake-antminer-screen-7.png\" alt=\"A warning that the manufacturer cannot ship to mainland China if the order is placed on the English-language site\" width=\"1291\" height=\"852\" class=\"size-full wp-image-18236\"><\/a><p id=\"caption-attachment-39406\" class=\"wp-caption-text\">A warning that the manufacturer cannot ship to mainland China if the order is placed on the English-language site<\/p><\/div>\n<p>Most cryptomining rig manufacturers, including Bitmain, are located in China. Moving heavy and expensive equipment from there is not cheap, yet the cybercriminals charge roughly five dollars for shipping, regardless of destination and service (UPS, DHL, or FedEx).<\/p>\n<div id=\"attachment_39407\" style=\"width: 1303px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160301\/cryptoscam-fake-antminer-screen-8.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39407\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160301\/cryptoscam-fake-antminer-screen-8.png\" alt=\"Choosing a delivery service. The shipping cost is $5.45 no matter where the shipment is headed\" width=\"1293\" height=\"854\" class=\"size-full wp-image-18238\"><\/a><p id=\"caption-attachment-39407\" class=\"wp-caption-text\">Choosing a delivery service. 
The shipping cost is $5.45 no matter where the shipment is headed<\/p><\/div>\n<p>Next, the victim is asked to choose a payment method. They must use cryptocurrency but can choose BTC, BCH, ETH, or LTC.<\/p>\n<div id=\"attachment_39408\" style=\"width: 1303px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160310\/cryptoscam-fake-antminer-screen-9.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39408\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160310\/cryptoscam-fake-antminer-screen-9.png\" alt=\"Selecting a payment method: Bitcoin, Ethereum, Bitcoin Cash, or Litecoin\" width=\"1293\" height=\"855\" class=\"size-full wp-image-18240\"><\/a><p id=\"caption-attachment-39408\" class=\"wp-caption-text\">Selecting a payment method: Bitcoin, Ethereum, Bitcoin Cash, or Litecoin<\/p><\/div>\n<p>The final and most important step is making the payment. The cybercriminals provide cryptowallet details and warn that the transaction must be completed within two hours, otherwise the order will be canceled. 
Note that the cost of delivery, though minuscule, does not appear in the bill.<\/p>\n<div id=\"attachment_39409\" style=\"width: 1303px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160318\/cryptoscam-fake-antminer-screen-10.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39409\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160318\/cryptoscam-fake-antminer-screen-10.png\" alt=\"The total order price does not include shipping\" width=\"1293\" height=\"853\" class=\"size-full wp-image-18242\"><\/a><p id=\"caption-attachment-39409\" class=\"wp-caption-text\">The total order price does not include shipping<\/p><\/div>\n<p>After the victim has parted with a considerable amount of cryptocurrency, the air of legitimacy evaporates. The user\u2019s personal account contains no order data, and the buttons are inactive.<\/p>\n<div id=\"attachment_39410\" style=\"width: 1301px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160327\/cryptoscam-fake-antminer-screen-11.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-39410\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/19160327\/cryptoscam-fake-antminer-screen-11.jpg\" alt=\"The inglorious finale\" width=\"1291\" height=\"856\" class=\"size-full wp-image-18244\"><\/a><p id=\"caption-attachment-39410\" class=\"wp-caption-text\">The inglorious finale<\/p><\/div>\n<h2>How to stay safe from scams<\/h2>\n<p>To avoid being duped, stay vigilant so as not to fall for hype.<\/p>\n<ul>\n<li>Stay wary, and pay particular attention if someone tries to hurry you into making a payment. 
In this case, the appearance of a scarce product for sale is no different than receiving news of a sudden lottery win (doubly suspicious if you didn\u2019t even buy a ticket).<\/li>\n<li>Check the official website. If you receive an offer from a well-known brand, find the official website and look there for information about the promotion. Always examine the address bar.<\/li>\n<li>Use an advanced security product with protection against phishing and online fraud, such as <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">Kaspersky Plus<\/a>.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-banking\">\n","protected":false},"excerpt":{"rendered":"<p>How fake sellers are stealing bitcoins from buyers of sought-after mining equipment.<\/p>\n","protected":false},"author":2513,"featured_media":18246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[1505,80,2444,1591,695,521],"class_list":{"0":"post-18223","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cryptocurrencies","9":"tag-fraud","10":"tag-google-docs","11":"tag-mining","12":"tag-scam","13":"tag-threats"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cryptoscam-fake-antminer\/18223\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cryptoscam-fake-antminer\/22741\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cryptoscam-fake-antminer\/24577\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cryptoscam-fake-antminer\/22606\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cryptoscam-fake-antminer\/21682\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cryptoscam-
fake-antminer\/25095\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cryptoscam-fake-antminer\/24422\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cryptoscam-fake-antminer\/30532\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cryptoscam-fake-antminer\/9543\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cryptoscam-fake-antminer\/39398\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cryptoscam-fake-antminer\/16799\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cryptoscam-fake-antminer\/17335\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/cryptoscam-fake-antminer\/14712\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cryptoscam-fake-antminer\/26531\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cryptoscam-fake-antminer\/30562\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/cryptoscam-fake-antminer\/26926\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cryptoscam-fake-antminer\/23774\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cryptoscam-fake-antminer\/29115\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cryptoscam-fake-antminer\/28914\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/scam\/","name":"scam"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2513"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18223"}],"version-history":[{"count":11,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\
/18223\/revisions"}],"predecessor-version":[{"id":18245,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18223\/revisions\/18245"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18246"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}