Blogger.com powered cryptocurrency scam

Over the last several months, I’ve seen a steady flow of spam emails containing only a single line of text encouraging recipients to visit a blogspot.com address. Should the recipient choose to follow the link, they would soon find themselves on a cryptocurrency scam site with amazing propositions.

It’s always the fake news

The scammers would often deploy fake news websites to publish stories on how celebrities were making millions in bitcoins using a specific service that you could now sign up for as well. These services would again reuse the name and design of existing (scam) services like thebitcoinscode[.]com to trick people into signing up.

A fake Bitcoin Code website

A fake Bitcoin Code website for Swedish visitors.

Publish your spam, your way

The clever part of the campaign was really how it used the free Google-owned Blogger service to avoid detection by most spam filters and automatically redirect traffic to malicious websites.

The Blogger service handily allows full editing of the HTML source of its hosted websites and thus the scammers only had to insert a single line of code to redirect visitors from the Blogger service to a malicious website:

<meta content='0;URL=hxxp://scam.tld/' http-equiv='refresh'/>

Next, rinse and repeat for an additional few hundred free blogspot.com subdomains and you’re good to go:

Blogspot.com redirect to cryptoscam

As can be observed from the animated gif above, the target website will contain yet another redirect service to check if the visitor is originating from a desired geographical region. If so, it’ll choose from a collection of potential destination websites with multi-language support and send you on your way. If you don’t fulfill the requirements, you’ll get redirected to a search engine instead.

Flowchart

A quick rundown of the steps involved in this email spam campaign:

Blogger.com cryptoscam flowchart

Blocking blogspot.com spam

As with most email spam campaigns, it’s originating from all over the world. There is no quick fix other than perhaps blindly blocking any message containing blogspot.com links using message content protection filters. Alternatively, we can always wait for Google to clean up this mess (they are trying).