Cybercriminals target users of cryptocurrency platforms Coinbase, MetaMask, Crypto.com and KuCoin with a brand new phishing campaign designed to steal huge amounts of money.
PIXM researchers recently discovered a campaign that uses legitimate hosting services, in this case Microsoft Azure Web Apps, to host multiple phishing sites and fake landing pages as they try to trick victims into entering their passwords and other login details.
The method is similar to what we have seen in the past: the victim receives an email stating that their Coinbase/KuCoin account has been suspended due to suspicious activity or something similar. The email urges the victim to respond urgently and includes a contact link.
Bypassing MFA
The link takes the victim to a fake customer service chat box, where the attackers on the other end of the line instruct the victim to log in and provide a link to do so. Everything the victim shares at this point ends up in the hands of the attackers, including multi-factor authentication (MFA) information. While talking to the victim, the attackers simultaneously attempt to log into the real service, rendering the MFA useless.
However, the attack does not end there. Even if the attackers manage to log into the victim’s account, they will still keep the victim on the line and occupied while they empty the account of any cryptocurrency. Some platforms require additional confirmation when withdrawing, which the attackers probably wanted to get around.
Finally, if nothing else works, they will ask the victim to install TeamViewer or a similar remote desktop application so they can perform the task themselves.
As usual, researchers warn users not to fall for these scams and to remember that emails from legitimate services will almost never convey urgency.
By: Beeping Computer