Threat actors are making their way around two-factor authentication (2FA) and using other clever evasion tactics in a recently observed phishing campaign aimed at taking over Coinbase accounts to defraud users of their crypto balances.
Attackers are using emails that spoofed the popular cryptocurrency exchange to trick users into logging into their accounts so they could gain access to them and steal victim funds, researchers from PIXM Software have found.
“They will typically distribute these funds through a network of ‘burner’ accounts in an automated fashion via hundreds or thousands of transactions, in an effort to obfuscate the original wallet from their destination wallet,” the PIXM Threat Research Team explained in a blog post published Thursday. Coinbase is a publicly traded cryptocurrency exchange platform that’s been around since 2012. It’s arguably one of the most mainstream crypto exchanges, with more than 89 million users, and thus an attractive target for cybercriminals.
Clever Evasion Tactics
Attackers employ a range of tactics to avoid detection, including one researchers call "short-lived domains," in which the domains used in the attack "stay alive for extremely short periods of time," a departure from typical phishing practice, researchers wrote.
“Our estimates place a majority of the pages at being available on the internet for less than two hours,” which in some cases did not even allow PIXM researchers to perform desired forensics once they were alerted to an attack.
This, together with other techniques such as context awareness and 2-factor relay, allows attackers "to keep prying eyes from digging into their phishing infrastructure," researchers noted.
Context awareness in particular is a stealthy tactic because, like short-lived domains, it makes it difficult for security researchers to follow up after the fact, by hiding the phishing pages from anyone who is not the intended target, according to PIXM.
The tactic relies on the adversary knowing the IP address, CIDR range or geolocation from which the target or targets are expected to connect. The attacker then places something like an access control list (ACL) on the phishing page so that connections are accepted only from that IP, range or region; everyone else, including scanners and analysts, is turned away, researchers said.
“Even if one of these pages was detected or reported within the few-hour window that the site is live, a researcher would need to spoof the restrictions placed on the page to be able to access the site,” researchers wrote.
Phishing for Account Takeover
The attacks begin with actors targeting Coinbase users with a malicious email that spoofs the currency exchange so potential victims think it’s a legitimate message.
The email gives one of several pretexts to urge the user to log into his or her account, claiming either that the account has been locked because of suspicious activity or that a transaction needs to be confirmed, researchers said.
As is typical of phishing campaigns, a user who follows the message's instructions arrives at a fake login page and is prompted to enter credentials. If the user does so, the attacker receives the credentials in real time and immediately uses them to log in to the legitimate Coinbase website.
This is when threat actors employ 2-factor relay in the attack structure to get around the MFA built into the Coinbase platform, researchers said.
The attacker's login attempt prompts Coinbase to send a genuine 2FA code to the victim, who assumes the code was triggered by the credentials just entered on the fake page. Once the user types the 2FA code into the fake website, the attacker receives it immediately and, before it expires, completes the login on the legitimate site, thus gaining control of the account.
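The exchange described above, modelled end to end as an added example (this is not PIXM's or Coinbase's code): a hypothetical exchange login (LegitService) with a password step followed by a one-time code, and the attacker's fake page (PhishingRelay) that forwards each victim input to the real site the moment it arrives. The point it makes is that code expiry and single use do not help, because the relay is real time. The last function is a labelled assumption about origin-bound factors in general, not a statement about any Coinbase feature, and all names, origins and credentials are constructed.

```python
"""Model of the real-time 2FA relay described above.

Added example, not PIXM's or Coinbase's code. LegitService is a
hypothetical exchange login; PhishingRelay is the attacker's page.
relay_origin_bound is an assumption about origin-bound factors in
general, not a statement about any Coinbase feature.
"""
import hashlib
import hmac
import secrets
import time


class LegitService:
    """Password step, then a one-time code delivered out of band
    (delivered_codes stands in for the victim's phone)."""

    def __init__(self, username, password, code_ttl=120):
        self._user = username
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self._code_ttl = code_ttl
        self._pending = {}          # login_id -> (code, expiry)
        self.delivered_codes = []   # codes pushed to the victim's device

    def start_login(self, username, password):
        given = hashlib.sha256(password.encode()).hexdigest()
        if username != self._user or not hmac.compare_digest(given, self._pw_hash):
            return None
        login_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[login_id] = (code, time.time() + self._code_ttl)
        self.delivered_codes.append(code)    # the real 2FA code reaches the victim
        return login_id

    def finish_login(self, login_id, code):
        entry = self._pending.pop(login_id, None)   # single use
        if entry is None:
            return None
        expected, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(code, expected):
            return None
        return secrets.token_hex(16)                # session token


class PhishingRelay:
    """Fake login page that forwards each victim input to the real site
    the moment it arrives, so the genuine code logs the attacker in."""

    def __init__(self, target):
        self._target = target
        self._login_id = None
        self.stolen_session = None

    def victim_submits_credentials(self, username, password):
        # Replaying the password on the real site is what makes the
        # genuine 2FA code arrive on the victim's phone.
        self._login_id = self._target.start_login(username, password)
        return self._login_id is not None

    def victim_submits_code(self, code):
        # The victim thinks the fake page triggered the code and types it
        # in; the attacker spends it on the real site before it expires.
        self.stolen_session = self._target.finish_login(self._login_id, code)
        return self.stolen_session is not None


def run_relay():
    """Full exchange; returns the attacker's session token (None on failure)."""
    service = LegitService("victim@example.com", "correct horse")   # constructed
    relay = PhishingRelay(service)
    relay.victim_submits_credentials("victim@example.com", "correct horse")
    code_on_phone = service.delivered_codes[-1]
    relay.victim_submits_code(code_on_phone)
    return relay.stolen_session


def relay_origin_bound(phishing_origin="https://exchange-login.example",
                       real_origin="https://exchange.example"):
    """Assumed contrast (not from the article): a factor whose response is
    bound to the origin the browser is actually on. Returns True only if
    the relayed response would verify at the real site."""
    key = secrets.token_bytes(32)        # victim's device key (constructed)
    challenge = secrets.token_bytes(16)  # issued by the real site
    # The victim's device signs what the browser sees: the phishing origin.
    response = hmac.new(key, challenge + phishing_origin.encode(), hashlib.sha256).digest()
    expected = hmac.new(key, challenge + real_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)
```

Running run_relay() yields a valid session for the attacker even though the code was single use and time limited, which is the whole reason the relay works; relay_origin_bound() returns False because the origin mismatch is inside the signed data and the attacker cannot change it.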
Diverting Funds to Threat Actors
Once the threat actor has access to the account, he or she proceeds to divert the user's funds to the aforementioned network of accounts through a multitude of transactions, in an effort to evade detection and avoid raising suspicion.
“These funds are also often embezzled through unregulated illicit online crypto services, like cryptocurrency casinos, betting applications, and illegal online marketplaces,” researchers added.
Meanwhile, at this point the unwitting victim sees a message stating that his or her account has been locked or restricted, not unlike the initial phishing email that started the whole sequence. The victim is prompted to chat with customer service to resolve the problem, and a chat box appears in the right-hand corner of the page for that purpose.
This prompt is actually the second phase of the attack, in which the threat actor impersonates a Coinbase employee helping the person recover his or her account and asks for various personal and account details. In reality, the attackers are buying time so they can complete the fund transfer before the victim becomes suspicious, researchers said.
“They are using this chat session to keep the target occupied and distracted (from potential emails or texts they may be receiving from Coinbase when the transfers are initiated) while they transfer their funds,” they wrote.
Once the funds transfer is complete, the attacker will close the chat session abruptly and shut down the phishing page, leaving the Coinbase user confused and soon to realize he or she has been completely defrauded, they said.