Researchers identified a new wave of phishing attacks seeking to steal cryptocurrency, with perpetrators trying to bypass multi-factor authentication (MFA) by masquerading as support agents for popular crypto platforms.
The attackers deployed several phishing sites using the Microsoft Azure Web Apps service and tricked victims into accessing them through fake suspicious activity emails or rogue transaction confirmation requests.
Security experts have been tracking the campaign since 2021, when it focused exclusively on Coinbase. However, recent analysis from cybersecurity firm PIXM shows the threat actors have broadened their range to include other popular platforms, such as Crypto.com, KuCoin and MetaMask.
The attack follows a four-step pattern:
- MFA and credential interception and relaying
- Impersonating a customer support agent
- Malicious remote desktop session
- Stealing the funds
After the victim lands on a phishing website associated with the campaign, they’re required to log in to their account. Regardless of the legitimacy of their credentials, the site prompts them with an MFA request. Attackers will then attempt to relay the credentials and MFA code to the legitimate platform while opening a chat window to engage with the user.
The threat actors pose as customer support agents and keep the victim chatting until the criminals can log in to the account, asking the victim for fresh credentials and a new MFA code if the initial ones fail or expire.
If the above techniques fail, the malicious group asks the victim to allow a remote desktop connection to their device through the popular “TeamViewer” utility. This lets attackers hijack their victims’ desktop sessions, bypass MFA, and log in to their crypto accounts. Finally, after authenticating to the victim’s account, perpetrators drain their wallets.
In the meantime, attackers try to keep the victim engaged in the chat so that they can bypass any unexpected bump in the road, such as additional confirmation emails or text messages.
Some simple tips to avoid falling prey to the malicious campaign above include:
- Thoroughly check the URL; phishing websites often use URLs that are similar to legitimate websites (e.g., metammask, coinbsae, Crpyto.com)
- Use an anti-phishing phrase on supported platforms
- Note that phishing emails often have an alarmist tone, designed to trick you into panicking and accessing malicious URLs without carefully checking them
- Check whether the sender’s domain matches the organization’s domain
- Instead of clicking on URLs you receive via email, try looking up the website and accessing it manually
- Don’t give out your credentials, MFA codes or wallet’s seed phrase to anyone
- Refrain from giving unknown individuals access to your device via remote desktop software
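The URL check in the first tip can be automated. The script below is an added example, not part of the original article or of any product it mentions: it flags hostnames whose labels are within a small edit distance of a known brand (catching transpositions such as "coinbsae" and "crpyto") or that embed a brand name in a subdomain, as cloud-hosted phishing pages tend to do. The list of legitimate domains is a constructed, minimal one for the platforms named above.

```python
from urllib.parse import urlparse

# Official domains of the platforms named in the article (constructed, minimal list; extend as needed).
LEGIT_DOMAINS = {"coinbase.com", "crypto.com", "kucoin.com", "metamask.io"}
BRANDS = sorted(d.split(".")[0] for d in LEGIT_DOMAINS)


def damerau_levenshtein(a, b):
    """Edits needed to turn a into b; an adjacent swap ('coinbsae' -> 'coinbase') counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def host_of(url):
    """Lower-cased hostname; a bare domain without a scheme is accepted as well."""
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()


def check_url(url, max_distance=1):
    """Return 'legitimate', 'lookalike:<brand>' or 'unknown' for a URL.

    max_distance=1 catches the typosquats quoted in the article; raising it
    catches more variants at the cost of false positives on short labels.
    """
    labels = host_of(url).split(".")
    if ".".join(labels[-2:]) in LEGIT_DOMAINS:
        return "legitimate"
    # Inspect every label except the TLD: typosquats live in the registrable name,
    # while a brand dropped into a subdomain of a cloud-hosting service sits further left.
    for label in labels[:-1]:
        for brand in BRANDS:
            if brand in label or damerau_levenshtein(label.replace("-", ""), brand) <= max_distance:
                return f"lookalike:{brand}"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.coinbase.com/login", "http://coinbsae.com", "metammask.io",
              "https://crpyto.com/verify", "https://support.example.org"]:
        print(u, "->", check_url(u))
```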
Dedicated software such as Bitdefender Ultimate Security can keep you safe against phishing attacks and other e-threats, with features like:
- Anti-phishing module that detects and blocks websites that masquerade as legitimate ones to steal your data or funds
- Anti-fraud filtering system that warns you against websites that might try to scam you
- Anti-spam module that filters irrelevant messages in your local email clients’ inboxes (Thunderbird, Microsoft Outlook)
- Web attack prevention system that lets you know if a URL can be accessed safely and blocks known infected links