phishing campaign targets coinbase wallet holders
Damien Black , Senior Journalist Updated on: 04 August 2022

As the crypto world continues to sustain a barrage of hacking attacks, social engineering scammers have been using subtler methods to get their hands on digital currency.

The phishing campaign, detected by threat analyst PIXM, gets around the two-factor authentication that protects wallet holders not by breaking it but by hoodwinking them: a fake email sent by cyber con artists leads to a fake login page, where victims type in both their password and their one-time code.

“The attacks we’ve observed start with the delivery of a spoofed email, resembling Coinbase,” said PIXM. “The email prompts the user to log in for a variety of reasons, each with a sense of urgency. It is either to confirm a transaction, or that the user’s account has been ‘locked’ due to suspicious activity.”


Image shared by the Coinbase Blog, sampling the opening salvo from cyber con artists pretending to be agents from the digital currency platform.

Of course, this urgency is aimed at pressuring the victim into acting hastily instead of checking the bogus email thoroughly enough to spot the ruse, so that they hand over their credentials, including the two-factor authentication token, in one go.

Those who resist the social engineering tactic are better placed to pick up on the telltale signs of a con, for instance in the email address used by the sender.

“If you receive an email from Coinbase, it will always have ‘coinbase.com’ in the sender’s address,” said PIXM, adding that the authentic provider uses either [email protected] or [email protected] in all of its correspondence.
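As stated, that advice is easy to satisfy with a display name or a lookalike subdomain, so the check worth implementing is on the domain of the actual From address, confirmed by a DMARC result written by your own mail server. The following is an added example, not code from PIXM or Coinbase; the sending domain `coinbase.com` is taken from the article, while the sample messages, their local parts, the receiving host `mx.example.net` and the lookalike domains are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumption for this example: the only domain the provider sends from.
# The article gives "coinbase.com"; local parts are irrelevant because only
# the domain is checked.
LEGIT_DOMAINS = {"coinbase.com"}


def naive_check(from_header):
    """The advice as literally stated: does the sender line contain 'coinbase.com'?"""
    return "coinbase.com" in from_header.lower()


def sender_domain(from_header):
    """Domain of the real address in From:, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def dmarc_pass(msg):
    """True if an Authentication-Results header records dmarc=pass.

    Only meaningful when your own receiving MTA wrote the header; a correctly
    configured MTA strips any copy that arrived with the message.
    """
    return any(re.search(r"\bdmarc=pass\b", h, re.I)
               for h in msg.get_all("Authentication-Results", []))


def classify(raw):
    """Return 'legit', 'unauthenticated', 'lookalike' or 'unrelated'."""
    msg = email.message_from_string(raw)
    from_header = msg.get("From", "")
    domain = sender_domain(from_header)
    if domain in LEGIT_DOMAINS:
        return "legit" if dmarc_pass(msg) else "unauthenticated"
    if "coinbase" in from_header.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample headers (not real mail); bodies are placeholders.
def _mail(*headers):
    return "\n".join(headers) + "\n\nbody\n"


SAMPLES = {
    "genuine": _mail(
        "From: Coinbase <notify@coinbase.com>",
        "Authentication-Results: mx.example.net; dmarc=pass header.from=coinbase.com",
        "Subject: Confirm your transaction"),
    # display name carries the legitimate address, real address does not
    "display_name_spoof": _mail(
        'From: "notify@coinbase.com" <alerts@secure-login.example>',
        "Authentication-Results: mx.example.net; dmarc=pass header.from=secure-login.example",
        "Subject: Your account has been locked"),
    # legitimate domain appears as a subdomain of the attacker's domain
    "subdomain_trick": _mail(
        "From: Coinbase <security@coinbase.com.example.net>",
        "Subject: Suspicious activity"),
    # right domain in From:, but the receiving MTA recorded a DMARC failure
    "dmarc_fail": _mail(
        "From: Coinbase <notify@coinbase.com>",
        "Authentication-Results: mx.example.net; dmarc=fail header.from=coinbase.com",
        "Subject: Confirm your transaction"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        from_header = email.message_from_string(raw).get("From", "")
        print(f"{name:20} naive={naive_check(from_header)!s:5} verdict={classify(raw)}")
```

Run stand-alone, the script shows that the substring check returns True for all four samples while only the genuine one is classified as legitimate. In a mail client, the equivalent is to expand the sender to see the real address rather than the display name, and to treat a message from the right domain as unverified unless the headers show it passed DMARC at your own server.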

Agile and stealthy

PIXM observed that the attackers behind this campaign operate in a swift, agile manner, against what it believes are carefully selected targets, taking down bogus domains shortly after using them to lure victims.

“The domains employed in the attacks we’ve observed don’t appear to be in use for more than a few hours each,” said PIXM. “The domains are spun up – typically with local host website deployment tools – used in a targeted phishing attempt, and then taken down.”

It added: “This indicates the domains are used in relatively targeted attacks. Based on the domain deployment lifecycle, it is likely that the Coinbase phishing pages are deployed to a live URL, phishing emails targeting specific account holders are sent, the threat actor waits for credentials and two-factor authentication tokens to be entered, and then the site is taken down.”

Such quick takedowns make the attacks much harder to track, because analysts rarely manage to capture a copy of the phishing pages before they disappear.

“The short-lived nature of these phishing pages makes archival of the contents rare, as these sites are taken down long before they are indexed by search engines,” said PIXM. “This introduces challenges with performing forensics on the landing pages as well, as they are removed typically well before they are reported to vendors as malicious.”

Another obfuscation tactic spotted by PIXM is what it called “browser or IP context awareness”: the attackers anticipate the IP address or region their targets will connect from and configure an access control list on the phishing page “to restrict connections to only be allowed from the IP, range, or region of their intended target.” A connection from anywhere else, such as a security vendor’s scanner, is not served the phishing page.

“This is another technique to obfuscate forensics of the phishing pages,” said PIXM. “Even if one of these pages was detected or reported within the few-hour window that the site is live, a researcher would need to spoof the restrictions placed on the page to be able to access the site.”
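To see why a scanner outside the target's range comes back empty-handed, it helps to model the gate PIXM describes and then ask which of your own fetch attempts would get through it. The following is an added example written for this page, not code recovered from the campaign; the allowed range `203.0.113.0/24` (a documentation block), the user-agent tokens and the two-outcome `lure`/`decoy` model are assumptions for illustration.

```python
import ipaddress

# Constructed for this example: the operator expects the target to connect
# from this range. TEST-NET-3 is a documentation block, not a real victim.
TARGET_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Tokens typical of fetch libraries and crawlers rather than a victim's browser.
NON_BROWSER_TOKENS = ("curl/", "wget/", "python-requests", "go-http-client",
                      "bot", "crawler")


def looks_like_browser(user_agent):
    """Crude browser test: a Mozilla/ prefix with no scanner token."""
    ua = user_agent.lower()
    return ua.startswith("mozilla/") and not any(t in ua for t in NON_BROWSER_TOKENS)


def gate(client_ip, user_agent, allowed=TARGET_NETWORKS):
    """Model of the landing page's gate.

    Returns 'lure' only for a browser-looking client inside the ACL and
    'decoy' (a blank or benign page) for everything else, including a
    malformed address.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "decoy"
    in_range = any(ip in net for net in allowed)
    return "lure" if in_range and looks_like_browser(user_agent) else "decoy"


def probe_coverage(probes, allowed=TARGET_NETWORKS):
    """Analyst's view: which (source_ip, user_agent) pairs would see the lure?"""
    return {(ip, ua): gate(ip, ua, allowed) == "lure" for ip, ua in probes}


if __name__ == "__main__":
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/104.0"
    probes = [
        ("198.51.100.7", browser),      # vendor scanner outside the range
        ("203.0.113.9", "curl/8.1.2"),  # right range, wrong client
        ("203.0.113.9", browser),       # what the victim's connection looks like
    ]
    for (ip, ua), seen in probe_coverage(probes).items():
        print(f"{ip:14} {ua[:24]:24} {'lure' if seen else 'decoy'}")
```

The practical consequence for forensics is that a single fetch from a sandbox proves little: the same URL has to be requested from a vantage point inside the target's range, with a realistic browser user agent, and the responses compared. A page that returns benign content to one vantage point and a login form to another is itself a strong indicator that this gating is in place.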

Follow-up attack

The attackers are far from done after stealing Coinbase users’ account credentials, PIXM warns. Following up on their initial success, they will then use spoofed chats to cajole panicking account holders into giving up even more vital data that can be turned against them.

“For good measure, after successfully harvesting their target’s login information and two-factor pin, the attacker will now collect more information from them manually,” said PIXM. “The phishing pages will display a message that you are locked out, and need to resolve it with Customer Support.”


Fake chat shared by PIXM in which scammers pose as Coinbase customer support to extract more data from the victim.

A chat box then appears in the corner of the victim’s device screen, enticing them to engage with an impostor posing as a Coinbase customer service official and give up “additional personal information related to your account, including phone number, address, email, and estimated account balance.”

PIXM added: “This will help [the crooks] should they have difficulty accessing the target’s account on their system. This also enabled the attacker to be live chatting with the victim to keep them engaged and distracted while draining their funds.”

Victim of own success

Coinbase is a publicly traded exchange platform for digital currencies such as bitcoin and ether that PIXM says has garnered nearly 90 million users since being set up in 2012 and is “arguably the most mainstream cryptocurrency exchange used globally.”

But that success has come at a price, and since its inception Coinbase has “been increasingly targeted by scammers, fraudsters, and cybercriminals.” PIXM believes this is partly because of Coinbase’s mainstream user base, which “is assumed to cover an audience of casual, generally non-technical, crypto investors.”

The cybersecurity analyst is warning Coinbase account holders not to click directly on any links sent to their email inboxes, no matter how authentic they might look.

“If you are prompted to authenticate, open a new browser tab or window, manually navigate to coinbase.com, and access your account through their standard login portal,” it said.
