Researchers identified a new wave of phishing attacks seeking to steal cryptocurrency, with perpetrators trying to bypass multi-factor authentication (MFA) by masquerading as support agents for popular crypto platforms.
The attackers deployed several phishing sites using the Microsoft Azure Web Apps service and tricked victims into accessing them through fake suspicious activity emails or rogue transaction confirmation requests.
Security experts have been tracking the campaign since 2021, when it focused exclusively on Coinbase. However, recent analysis from cybersecurity firm PIXM shows the threat actors have broadened their range to include other popular platforms, such as Crypto.com, KuCoin and MetaMask.
The attack follows a four-step pattern:
After the victim lands on a phishing website associated with the campaign, they are required to log in to their account. Regardless of whether the credentials are valid, the site prompts them with an MFA request. The attackers then attempt to relay the captured credentials and MFA code to the legitimate platform in real time, while opening a chat window to engage with the user.
The threat actors pose as customer support agents, keeping the victim chatting until the criminals can log in to their account, and asking the victim for fresh credentials and a new MFA code if the initial ones fail or expire.
If the above techniques fail, the malicious group asks the victim to allow a remote desktop connection to their device through the popular “TeamViewer” utility. This lets attackers hijack the victim’s desktop session, bypass MFA, and log in to their crypto accounts. Finally, after authenticating to the victim’s account, the perpetrators drain their wallets.
In the meantime, the attackers try to keep the victim engaged in the chat so that they can talk their way past any unexpected bump in the road, such as additional confirmation emails or text messages.
Some simple tips to avoid falling prey to the malicious campaign above include:
Dedicated software such as Bitdefender Ultimate Security can keep you safe against phishing attacks and other e-threats, with features like: