Cybercriminals are targeting users of cryptocurrency platforms Coinbase, MetaMask, Crypto.com, and KuCoin with a brand new phishing campaign that aims to steal huge amounts of money.
Researchers from PIXM recently discovered a campaign that uses legitimate web hosting services, in this case, Microsoft Azure Web Apps, to host multiple phishing sites and fake landing pages, as they try to trick the victims into giving away their passwords and other login credentials.
The method is similar to what we’ve seen in the past – the victim will receive an email saying their Coinbase/KuCoin account was suspended due to suspicious activity, or something along these lines. The email will demand an urgent response from the victim, and will provide a link where they can get in touch.
Bypassing MFA
The link leads the victim to a fake customer support chat window, where the attackers on the other end of the line instruct the victim to log in, and provide a link to do so. Anything the victim shares at this point ends up in the hands of the attackers, including multi-factor authentication (MFA) codes. While talking to the victim, the attackers will simultaneously try to log into the actual service, thus rendering MFA useless.
The attack doesn’t stop there, though. Even if the attackers manage to log into the victim’s account, they’ll still keep them on the line and keep them busy as they empty the account of any and all cryptocurrency. Some platforms require further confirmation during withdrawal, which is probably what the attackers were looking to get around.
Finally, if nothing else works, they’ll ask the victim to install TeamViewer, or a similar remote desktop access app, and complete the task themselves.
As usual, the researchers are warning users not to fall for these scams and to remember that emails coming from legitimate services will almost never carry a sense of urgency with them.
Via: BleepingComputer