Recent phishing attacks against Coinbase and its customers show not only that these campaigns are becoming more sophisticated and multifaceted but also, according to research and analysis from security firm PIXM, that threats to cryptocurrency sites are growing rapidly.
“[Coinbase], due in part to the fact that its user base is so large and mainstream, is increasingly targeted by scammers and cybercriminals,” said the PIXM blog posted on August 4. Many of those users are casual, generally non-technical cryptocurrency investors. Coinbase is “arguably the most mainstream cryptocurrency exchange in use in the world,” with more than 89 million users on its platform since it began operations ten years ago, in 2012.
In their “multilayer” phishing attack on Coinbase, cybercriminals sent spoofed emails masquerading as the cryptocurrency company to steal and resell financial and personal data, and logged into users’ legitimate accounts to steal funds in real time. According to PIXM’s analysis, the attack combined email and brand impersonation to steal from Coinbase wallet holders even though those holders were using multi-factor authentication (MFA).
According to Chris Cleveland, founder and CEO of PIXM, the complex and sophisticated campaign involved “amazing tactics to steal more than just passwords.”
“After stealing a user’s Coinbase password, the phishing site used a built-in two-factor relay system to enter the user’s password into the real Coinbase site and also request a real two-factor authentication code from the user, [which] bypassed two-factor authentication and allowed hackers access to users’ Coinbase wallets.”
Malicious actors typically sent Coinbase customers notifications that their accounts were “locked,” that a transaction needed confirmation, or that the account “required attention due to urgent matters.” According to PIXM’s blog, “The user was asked to enter their login credentials and two-factor authentication code into a fake website,” after which the attacker “immediately [gained] access to the user’s legitimate session on the Coinbase website.”
“The email prompts the user to log in for a variety of reasons, each with a sense of urgency: either to confirm a transaction, or because the user’s account is ‘locked’ due to suspicious activity,” the PIXM blog continued. “The use of these scenarios by attackers is designed to distract users from analyzing email details, [such as] whether the sender is legitimate or whether the login link is legitimate.”
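The relay described above, simulated end to end as an added example (this is not PIXM’s code and does not touch Coinbase or any real site; the mock exchange, the victim’s credentials and the TOTP secret are all constructed for the demonstration). The real site is modelled as a password step followed by a standard RFC 6238 TOTP step; the phishing page simply forwards whatever the victim types to the real site the moment it is typed. The second scenario, with the code relayed two minutes late, shows why the relay has to be real time:

```python
"""Mock of a password + TOTP login and a phishing page that relays both.

Added example, not code from PIXM or Coinbase. Users, passwords and the
authenticator secret are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme behind most authenticator apps."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class MockExchange:
    """The legitimate site: password first, then a TOTP code, then a session."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[str, bytes]] = {}
        self.pending: Dict[str, str] = {}   # login_id -> user awaiting a code
        self.sessions: Dict[str, str] = {}  # session token -> user

    def register(self, user: str, password: str, totp_secret: bytes) -> None:
        self.users[user] = (password, totp_secret)

    def login_password(self, user: str, password: str) -> Optional[str]:
        if user not in self.users or self.users[user][0] != password:
            return None
        login_id = secrets.token_hex(8)
        self.pending[login_id] = user
        return login_id

    def login_otp(self, login_id: str, code: str, now: int) -> Optional[str]:
        user = self.pending.get(login_id)
        if user is None:
            return None
        # Only the current 30-second step is accepted. The site cannot tell
        # which web page the user typed the code into; a code relayed from a
        # phishing page is indistinguishable from one typed on the real page.
        if not hmac.compare_digest(totp(self.users[user][1], now), code):
            return None
        del self.pending[login_id]
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class RelayPhishingSite:
    """The fake page: records each input and replays it to the real site at once."""

    def __init__(self, target: MockExchange) -> None:
        self.target = target
        self.captured: List[Tuple[str, str]] = []
        self.stolen_sessions: List[str] = []
        self._login_id: Optional[str] = None

    def victim_submits_password(self, user: str, password: str) -> bool:
        self.captured.append((user, password))
        self._login_id = self.target.login_password(user, password)
        # If the real site accepted the password, the fake page now asks
        # the victim for "the code" exactly as the real page would.
        return self._login_id is not None

    def victim_submits_otp(self, code: str, now: int) -> Optional[str]:
        if self._login_id is None:
            return None
        token = self.target.login_otp(self._login_id, code, now)
        if token is not None:
            self.stolen_sessions.append(token)   # attacker now owns the session
        return token


def run_scenario(now: int, relay_delay: int = 0) -> dict:
    """Victim logs in on the phishing page; report what the attacker ends up with."""
    site = MockExchange()
    authenticator_secret = secrets.token_bytes(20)  # constructed; shared with the app
    site.register("victim", "hunter2", authenticator_secret)
    phish = RelayPhishingSite(site)

    phish.victim_submits_password("victim", "hunter2")
    code = totp(authenticator_secret, now)              # read off the victim's phone
    token = phish.victim_submits_otp(code, now + relay_delay)
    return {
        "password_captured": ("victim", "hunter2") in phish.captured,
        "session_hijacked": token is not None and site.sessions.get(token) == "victim",
        "attacker_session": token,
    }


if __name__ == "__main__":
    import time
    print(run_scenario(int(time.time())))                    # hijacked
    print(run_scenario(int(time.time()), relay_delay=120))   # stale code, rejected
```

The point the simulation makes is that the one-time code is verified correctly in both runs; nothing in the OTP check fails. The code is simply valid for whoever presents it within the current time step, which is why the phishing page has to forward it immediately rather than store it, and why a password-plus-OTP login offers no protection once the user is on the wrong page.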
Roger Grimes, data-driven defense evangelist at KnowBe4, noted that it is becoming increasingly common for attackers to use ephemeral domains, often customized to the intended victims, which “complicates the task of integrity checkers and blocklists.”
“By the time the various defending software companies tried to check it out, the site was gone, and had been gone for hours,” he added.
Additionally, after stealing a user’s password and verification code, the phishing site led to an “account suspension” page with a support chat box asking for additional personal information to “recover” the account, Cleveland noted.
“By impersonating Coinbase customer support, hackers continue to steal a variety of additional personal information, including phone numbers, addresses, emails, and estimated account balances,” Cleveland added. “This allowed them to bypass additional account verifications and keep victims involved and distracted while exfiltrating funds.”
As adoption of cryptocurrencies has grown, attacks on these sites have increased as well. Global crypto adoption grew 880% last year, according to Cleveland, and global use of Bitcoin alone is projected to reach 10% by 2030. This makes unsuspecting crypto investors using online exchanges a huge growth opportunity and an ideal phishing target in the years to come.
According to PIXM, which has been tracking these attacks since last year, “Cryptocurrency exchanges have been targeted by sophisticated attackers from the beginning. [These attackers are] targeting crypto exchange user bases, evolving and using increasingly sophisticated techniques to compromise crypto exchange user accounts and drain their wallets.”