Phishing campaign targets Coinbase wallet holders


As the crypto world continues to sustain a barrage of hacking attacks, social engineering scammers have been using subtler methods to get their hands on digital currency.

The phishing campaign detected by threat analyst PIXM bypasses the two-factor authentication used to safeguard wallet holders, hoodwinking them into giving up their cybersecurity credentials with a fake email sent by cyber con artists.

ADVERTISEMENT

“The attacks we’ve observed start with the delivery of a spoofed email, resembling Coinbase,” said PIXM. “The email prompts the user to log in for a variety of reasons, each with a sense of urgency. It is either to confirm a transaction, or that the user's account has been ‘locked’ due to suspicious activity.”

Screenshot of phishing email 'alert' sent to account holders
Image shared by the Coinbase Blog, sampling the opening salvo from cyber con artists pretending to be agents from the digital currency platform.

Of course, this urgency is aimed at pressuring the victim into acting hastily instead of checking the bogus email more thoroughly to spot the ruse, handing over their credentials including two-factor authentication tokens.

Those who resist the social engineering tactic are better placed to pick up on the telltale signs of a con, for instance in the email address used by the sender.

“If you receive an email from Coinbase, it will always have “coinbase.com” in the sender's address,” said PIXM, adding that the authentic provider uses either [email protected] or [email protected] in all of its correspondence.

Agile and stealthy

PIXM observed that the attackers behind this campaign operate in a swift, agile manner, against what it believes are carefully selected targets, taking down bogus domains shortly after using them to lure victims.

“The domains employed in the attacks we’ve observed don't appear to be in use for more than a few hours each,” said PIXM. “The domains are spun up – typically with local host website deployment tools – used in a targeted phishing attempt, and then taken down.”

ADVERTISEMENT

It added: “This indicates the domains are used in relatively targeted attacks. Based on the domain deployment lifecycle, it is likely that the Coinbase phishing pages are deployed to a live URL, phishing emails targeting specific account holders are sent, the threat actor waits for credentials and two-factor authentication tokens to be entered, and then the site is taken down.”

This quick takedown means the attacks are much harder to track, because it makes archive material of the phishing pages hard for cybersecurity analysts to come by.

“The short-lived nature of these phishing pages makes archival of the contents rare, as these sites are taken down long before they are indexed by search engines,” said PIXM. “This introduces challenges with performing forensics on the landing pages as well, as they are removed typically well before they are reported to vendors as malicious.”

Another obfuscation tactic spotted by PIXM involves what it called “browser or IP context awareness,” which allows the threat actors to anticipate the web location their targets are connecting from. They then created an access control list on the phishing page “to restrict connections to only be allowed from the IP, range, or region of their intended target.”

“This is another technique to obfuscate forensics of the phishing pages,” said PIXM. “Even if one of these pages was detected or reported within the few-hour window that the site is live, a researcher would need to spoof the restrictions placed on the page to be able to access the site.”

Follow-up attack

The attackers are far from done after stealing Coinbase users’ account credentials, PIXM warns. Following up on their initial success, they will then use spoofed chats to cajole panicking account holders into giving up even more vital data that can be turned against them.

“For good measure, after successfully harvesting their target's login information and two-factor pin, the attacker will now collect more information from them manually,” said PIXM. “The phishing pages will display a message that you are locked out, and need to resolve it with Customer Support.”

Cyber crook posing as customer service online via chat
Fake chat shared by PIXM in which scammers pose as Coinbase customer support to extract more data from the victim.

A chat box then appears in the corner of the victim’s device screen, enticing them to engage with an impostor posing as a Coinbase customer service official and give up “additional personal information related to your account, including phone number, address, email, and estimated account balance.”

ADVERTISEMENT

PIXM added: “This will help [the crooks] should they have difficulty accessing the target’s account on their system. This also enabled the attacker to be live chatting with the victim to keep them engaged and distracted while draining their funds.”

Victim of own success

Coinbase is a publicly traded exchange platform for digital currencies such as bitcoin and ether that PIXM says has garnered nearly 90 million users since being set up in 2012 and is “arguably the most mainstream cryptocurrency exchange used globally.”

But that success has come at a price, and since its inception Coinbase has “been increasingly targeted by scammers, fraudsters, and cybercriminals.” PIXM believes this is partly because of Coinbase’s mainstream user base, which “is assumed to cover an audience of casual, generally non-technical, crypto investors.”

The cybersecurity analyst is warning Coinbase account holders not to click directly on any links sent to their email inboxes, no matter how authentic they might look.

“If you are prompted to authenticate, open a new browser tab or window, manually navigate to coinbase.com, and access your account through their standard login portal,” it said.