Cybercriminals are targeting users of cryptocurrency platforms Coinbase, MetaMask, Crypto.com, and KuCoin with a new phishing campaign that aims to steal large sums of money.
PIXM researchers recently uncovered a campaign that uses legitimate web hosting services, in this case Microsoft Azure Web Apps, to host multiple phishing sites and fake landing pages, while attempting to trick users into providing their passwords and other credentials. login.
The method is similar to what we have seen in the past: the victim will receive an email stating that their Coinbase/KuCoin account has been suspended due to suspicious activity, or something of the sort. The email will demand an urgent response from the victim and provide a link where they can get in touch.
Bypass MFA
The link takes the victim to a fake customer support chat window, where the attackers on the other end of the line ask the victim to log in and provide a link to do so. Everything the victim shares at this point ends up in the hands of the attackers, including multi-factor authentication (opens in a new tab) (MFA). While talking to the victim, the attackers will simultaneously try to connect to the real service, rendering MFA useless.
But the attack does not stop there. Even if the attackers manage to log into the victim's account, they will keep the victim online and busy as they drain the account of all cryptocurrencies. Some platforms require additional confirmation when withdrawing, which the attackers were likely looking to address.
Finally, if nothing else works, they will ask the victim to install TeamViewer, or a similar remote desktop access application, and complete the task themselves.
As usual, the researchers warn users not to fall for these scams and to remember that emails from legitimate services will almost never have a sense of urgency.
Via: BleepingComputer (Opens in a new tab)