A crypto-stealing phishing campaign is underway to bypass multi-factor authentication and gain access to Coinbase, MetaMask, Crypto.com, and KuCoin accounts to steal cryptocurrencies.
Threat actors abuse the Microsoft Azure Web Apps service to host a network of phishing sites to lure victims in via phishing messages masquerading as bogus transaction confirmation requests or suspicious activity detections.
For example, one of the phishing emails we saw in the attack pretended to be from Coinbase and said the recipient's account had been locked due to suspicious activity.
When a target visits a phishing site, it displays a chat window that appears to be for “customer support.” This window is controlled by fraudsters who guide visitors through a multi-step fraud process.
PIXM has been tracking this campaign by the threat group since 2021, when it targeted only Coinbase. Recently, PIXM analysts have noticed that the campaign's targeting scope has been expanded to include MetaMask, Crypto.com, and KuCoin.
The first stage of the attack, on a phishing site impersonating a crypto exchange, is a fake login form followed by a two-factor authentication prompt.
Whatever credentials are entered at this stage are captured by the threat actor. The page then proceeds to a prompt asking for the victim's 2FA code, which is required to access the account.
The attacker tries the entered credentials on the legitimate site, which causes the platform to send a 2FA code to the victim. The victim then enters the valid 2FA code into the phishing site.
The attacker then attempts to log into the victim's account using the entered 2FA code, as long as they act before the code expires.
Note that MetaMask phishing attacks target recovery phrases, not credentials or 2FA codes.
Chat with scammers
Researchers say that regardless of whether the 2FA code works or not, the scammers will trigger the next stage of their attack: activating on-screen chat support.
The site does this by displaying a fake error message stating that the account has been suspended due to suspicious activity and asking the visitor to contact support to resolve the issue.
In this support chat, the attacker starts a conversation with the targeted victim so that any further credential, recovery phrase, or 2FA code needed to log into the account can be requested directly.
“[They] prompt users to enter usernames, passwords, and two-factor authentication codes directly in chat,” says the new PIXM report.
“Criminals can then bring this directly into their machine’s browser and attempt to access the user account again.”
Even after the account has been compromised, the scammers keep the victim engaged in the customer support chat in case they need the victim to confirm a transfer while the wallet is being emptied.
However, for accounts that cannot be compromised through the support chat because the platform requires the login device to be authenticated as “trusted”, the attackers switch to another method.
To get past this trusted-device check, the attacker tricks the victim into downloading and installing the “TeamViewer” remote access app.
The scammers then ask the victim to log into their cryptocurrency wallet or exchange account. While the victim types, the attacker adds random characters to the password field, causing the login to fail.
The attacker then asks the victim to paste the password into the TeamViewer chat, uses the password (minus the random characters) to log in from the attacker's own device, and has the victim use the device verification link sent to them, so that the attacker's device is authenticated as trusted.
After gaining access to accounts and wallets, the attackers exfiltrate all funds, while victims continue to participate in support chats.
To avoid falling for such attacks, it is essential to check the sender's email address and the URLs being sent.
If these URLs do not match your virtual currency platform, you should immediately treat the email as suspicious and delete it.
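As an added illustration of that advice (this is example code, not from the article or from PIXM), a small Python check that flags a message whose sender domain or links do not belong to the crypto platform it names; the official domains, the Azure Web Apps hostname suffix, and the sample email are all assumptions or constructed values.

```python
import re
from urllib.parse import urlparse

# Assumed official domains for the platforms named in the article.
BRAND_DOMAINS = {
    "coinbase": "coinbase.com",
    "metamask": "metamask.io",
    "crypto.com": "crypto.com",
    "kucoin": "kucoin.com",
}
# Assumed default hostname suffix for sites hosted on Azure Web Apps (App Service).
AZURE_WEBAPP_SUFFIX = ".azurewebsites.net"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it
    (so 'coinbase.com.evil.test' does not match 'coinbase.com')."""
    return host == domain or host.endswith("." + domain)


def brands_mentioned(text: str) -> set:
    low = text.lower()
    return {b for b in BRAND_DOMAINS if b in low}


def check_email(sender: str, body: str) -> list:
    """Return (value, reason) findings for a message that mentions a crypto platform."""
    findings = []
    brands = brands_mentioned(body)
    sender_host = sender.rsplit("@", 1)[-1].lower()
    for b in brands:
        if not host_matches(sender_host, BRAND_DOMAINS[b]):
            findings.append((sender, f"sender domain does not match {BRAND_DOMAINS[b]}"))
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(AZURE_WEBAPP_SUFFIX):
            findings.append((url, "link hosted on the Azure Web Apps default domain"))
        for b in brands:
            if not host_matches(host, BRAND_DOMAINS[b]):
                findings.append((url, f"link host does not match {BRAND_DOMAINS[b]}"))
    return findings


# Constructed sample lure modelled on the account-locked pretext described above.
SAMPLE_SENDER = "security-alert@coinbase-support.example"
SAMPLE_BODY = ("Your Coinbase account has been locked due to suspicious activity. "
               "Verify your identity at https://coinbase-verify.azurewebsites.net/login")

if __name__ == "__main__":
    for value, reason in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{reason}: {value}")
```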
Unfortunately, if you fall for one of these scams, cryptocurrency exchanges cannot recover funds sent from your wallet.