Crypto phishers use TeamViewer and fake sites to bypass MFA

A new crypto-stealing phishing campaign tracked by researchers over at PIXM is attempting to bypass multi-factor authentication and gain access to accounts from Coinbase, MetaMask, Crypto.com and KuCoin and steal any cryptocurrency in said wallets. 

While the campaign initially only targeted the Coinbase exchange, PIXM reports that in the 30 days they’ve been tracking the scam, it now includes the aforementioned wallets and exchanges. 

The campaign runs off of the Microsoft Azure Web Apps service, which hosts an entire network of phishing websites. Threat actors lure victims by sending them fake transaction confirmation requests or suspicious activity detection messages stating that their account has been deactivated. 

These messages link to phishing sites targeting any of the services mentioned above. Once on the malicious site, users are connected to a "customer support" chat operated by the attacker. From here on, victims are guided through a multi-step process that ends with their account being emptied.

A multi-stage scam via TeamViewer

The first step, after the fake emails are sent, redirects victims to a fake website that presents a login form. The form accepts any credentials, right or wrong, and relays them to the real site, which triggers a 2FA code being sent to the victim. The fake site then asks for this code and uses it to gain access to the victim's account.

As mentioned before, phishing sites and attacks are modified to adapt to the site or service they’re targeting. For example, MetaMask phishing attacks ask for recovery phrases instead of login credentials or MFA codes to appear more legitimate. 

A MetaMask phishing website asking for passwords on customer support chat. | Source: PIXM

Regardless of whether the credentials or MFA code entered on the fake site are real, the fake sites launch the next attack step: opening a customer chat window to keep victims around in case the attackers need additional codes or the credentials were incorrect. According to the PIXM report, the attackers ask for credentials and MFA codes directly in the chat.

From this point onwards, the scam can go in one of these directions:

  • If the credentials are right, customers are retained and engaged in case confirmation is required from their end to transfer funds. 
  • If the credentials are wrong or the scammers can’t breach the account with support chat alone, they switch to an alternative strategy that requires using TeamViewer to authenticate their device as a ‘trusted’ one. 

This method relies on the scammer convincing the victim to download and install TeamViewer. Once they establish remote access, they ask the victims to log into their crypto account or wallet while adding a random character during input to trigger an incorrect password error. 

The scammers use TeamViewer’s chat to send themselves the confirmation link. | Source: PIXM

The resulting error gives the attacker a pretext to ask for the victim's password over the TeamViewer chat. The password (sans the random character) can then be used to log into the victim's account and intercept the device confirmation link required to authenticate the scammer's device as trusted.

Victims are again distracted in the customer chat window while the scammers drain their accounts of any funds. Since the wallet or exchange itself isn't breached in the attack, the service providers can do nothing to help customers recover the losses once the crypto leaves their account.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: [email protected]