Since their inception, cryptocurrencies have been the target of sophisticated hackers. Phishing scams are becoming an increasingly common method adopted by cybercriminals. Many of these target wallets, initial coin offerings, and cryptocurrency exchanges. According to CertiK’s Web3 Security Q2 report 2022, the attacks grew 170%, up from 106% in the first quarter. Earlier this week, PIXM researchers discovered a phishing campaign targeting users of various cryptocurrency platforms, including Coinbase, KuCoin, Crypto.com, and MetaMask.
According to the PIXM report, cybercriminals are running a phishing campaign that uses legitimate web hosting services, such as Microsoft Azure Web Apps, to host several fake landing pages and phishing websites. The threat actors lure victims via phishing emails that imitate transaction confirmations and try to trick victims into divulging their login credentials. This method is like what we have seen in the past, where the victims receive an email saying their Coinbase/MetaMask account has been suspended due to suspicious activity. The email’s sole purpose is to create a sense of urgency in victims, demanding immediate action from them.
As per the researchers at PIXM, the attack targeted Coinbase users with a spoofed email resembling one from Coinbase. The malicious email asks the user to log in to their Coinbase account, giving reasons such as the need to confirm a transaction or that the user’s account has been locked. The sense of urgency is designed to distract the user from checking the signs of the email’s authenticity, such as the login link and sender address.
Source: PIXM Security Blog
When the victim clicks the button, they are directed to a phishing site that displays a chat window, supposedly for ‘customer support’, controlled by a hacker who leads the victim through a fraudulent process.
Once the user arrives at the spoof login page, they are prompted to enter their login credentials. As soon as the credentials are entered, they are sent to the attackers immediately. On the hacker's end, they enter the genuine login password into the Coinbase page, sending a 2-factor authentication (2FA) notification with a verification code to the user's inbox. The user believes they initiated the notification; hence, they enter the authentic code into the phishing Coinbase website. From there, the code is sent to the attacker, where it is then entered into the actual website.
The attack doesn’t end there. Even after the attackers log in to the victim's Coinbase account, they try to keep the victim distracted and busy while they empty the wallet of all cryptocurrencies. Some cryptocurrency platforms require additional confirmation during withdrawal, which is apparently the obstacle the hackers were trying to get past.
When nothing else worked, the attackers asked the victim to install TeamViewer or a similar remote access app. Next, the scammers prompt the victim to log in to their Coinbase wallet; while the victim does so, the scammers add a random character in the password field to cause a login failure. The victim is then directed to paste the password into the TeamViewer chat. The attackers can then use the password, without the random character, to log in to the victim's account.
Once they gain access to the Coinbase account, the scammers drain the funds while keeping the victim engaged in the chat section.
Check the sender's address if you receive an email or any communication from your respective crypto platform. Ensure the communication is legitimate. Because of the sophisticated method of creating legitimate-looking domains, you are advised not to click on any link to a login page. Unfortunately, if you fall for any of these cryptocurrency scams, there is nothing the crypto platform can do to return your funds once transferred from your wallet.
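The sender and link checks advised above can also be automated at a mail gateway. The following is an added example, not code from PIXM or from any of the platforms named; the brand allow-list, the function names and the sample message are assumptions constructed for illustration, and it handles single-part plain-text mail only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand keyword -> domains the brand is expected to use.
BRANDS = {
    "coinbase": {"coinbase.com"},
    "kucoin": {"kucoin.com"},
    "crypto.com": {"crypto.com"},
    "metamask": {"metamask.io"},
}
# Azure Web Apps sites are served under this shared suffix.
SHARED_HOSTING = {"azurewebsites.net"}

def belongs_to(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_email(raw):
    """Return findings for brand-themed mail whose sender or links are off-brand."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, domains in BRANDS.items():
        if brand not in text:
            continue  # message does not mention this brand
        if not belongs_to(sender_host, domains):
            findings.append(f"sender {sender_host} is not a {brand} domain")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = urlparse(url).hostname or ""
            if belongs_to(host, domains):
                continue
            kind = "shared hosting" if belongs_to(host, SHARED_HOSTING) else "unrelated host"
            findings.append(f"link to {host} ({kind}) in {brand}-branded mail")
    return findings

# Constructed sample message; the sender and hostname are placeholders.
SAMPLE = """From: Coinbase Support <no-reply@coinbase-alerts.example>
Subject: Your account has been locked

Your Coinbase account was locked due to suspicious activity.
Log in now: https://constructed-placeholder.azurewebsites.net/login
"""
```

Calling `check_email(SAMPLE)` returns two findings: the off-brand sender and the login link hosted under the shared Azure suffix.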