Fake GrubHub emails promise tenfold return on sent cryptocurrency

Grubhub users received fraudulent messages, apparently from a company email address, promising a tenfold bitcoin payout in return for a transfer to a specified wallet.

The emails claimed to be part of a ‘Holiday Crypto Promotion’ and came from an email address on ‘b.grubhub.com’, which is a legitimate subdomain that Grubhub uses to communicate with its merchant partners and restaurants.

“There are 30 minutes left in our Holiday Crypto Promotion. Grubhub will 10x any Bitcoin sent to this address […]. For example, if you send $1000, we’ll send back $10,000,” reads the fraudulent message.

Some of the emails were delivered from the ‘[email protected]’ and ‘[email protected]’ addresses starting December 24, and included the recipient’s name.

Crypto scam message from Grubhub (source: RazMusk)

This is a classic crypto reward scam where victims are lured to send funds to the scammer with the false promise of receiving a larger amount back.

Although some users speculate [1, 2] that the scam messages were the result of a DNS takeover attack, which would allow an attacker to send emails that pass authenticity checks, the company has not provided any details on what happened.

In a statement for BleepingComputer, though, a Grubhub spokesperson said that the company isolated the problem and is working to avoid it in the future.

“We’re aware of unauthorized messages that appear to have been sent by Grubhub to some of our merchant partners. We immediately investigated, contained the issue, and are taking steps to ensure it doesn’t happen again,” Grubhub told BleepingComputer.

At the beginning of the year, the food delivery company announced that a threat actor had accessed names, email addresses, and phone numbers belonging to its customers, merchants, and drivers.

The intrusion originated from an account used by a third party to provide support services to Grubhub.
