Phishers Spoof 2FA in Coinbase Accounts Stealing
I. Targeted Entities
- Coinbase accounts
II. Introduction
Attackers are bypassing two-factor authentication (2FA) and using other evasion tactics in a campaign that is trying to take over Coinbase accounts to defraud users of their cryptocurrency.
III. Background Information
Researchers at PIXM Software say that the threat actors are using emails that spoof Coinbase to trick users into logging into their accounts so that the attackers can gain access to the accounts and steal funds.[2] The researchers say that the cybercriminals will distribute these stolen funds through a network of “burner” accounts, in an automated way, via hundreds or thousands of transactions. The cybercriminals do this in an effort to shroud the original wallet from their destination wallet.[2]
The attackers employ a range of tactics to avoid detection. One such tactic is what researchers call “short-lived domains.” These domains are only up for extremely short periods of time (less than two hours), which is a deviation from typical phishing practices.[1] Another tactic used is context awareness. Context awareness allows cybercriminals to know either the IP, CIDR Range, or geolocation from which they anticipate their target to be connecting. The attackers can then create something similar to an Access Control List (ACL) on the phishing page to restrict connections to only be allowed from the IP, CIDR Range, or region of their intended target.[1]
The Coinbase attacks begin with criminals targeting users with a malicious email that spoofs Coinbase so that victims think that they are receiving a legitimate message. The email uses a variety of reasons to persuade the user into logging into their account. For example, the account might be locked due to suspicious activity or a transaction needs to be confirmed. Like a typical phishing campaign, if the user is persuaded to follow the link in the phony message, they are taken to a fake login page and they are prompted to enter their credentials. If the user enters their credentials, the cybercriminal receives them in real-time and uses them to log in to the legitimate Coinbase website. Because the attacker logged into the legitimate Coinbase website, the victim is sent a 2FA code from Coinbase. Thinking that they are logging into the legitimate Coinbase website, the victim enters the 2FA code they received. However, like the login credentials, the cybercriminal receives the 2FA code and gains control of the victim’s account.[1]
Once the criminal has access to the account, they divert the victim’s funds to the aforementioned network of accounts in order to evade detection or suspicion. According to researchers, the funds are often embezzled through unregulated and illegal online cryptocurrency services, like cryptocurrency casinos, betting applications, and illegal online marketplaces.[1] At this point, the victim is told that their account is locked or restricted, and is prompted to talk to customer service to rectify their problem. This prompt is the second phase of the attack, where the cybercriminal poses as a Coinbase employee trying to help the victim regain access to their account, but in reality, is stalling so that the fund transfer can be completed before the victim becomes suspicious. Once the transfer is complete, the cybercriminal will abruptly close the session and then shut down the phishing page, leaving the victim without their funds.[1]
IV. MITRE ATT&CK
- T1566 – Phishing
The threat actors will send phishing messages to gain access to a victim’s Coinbase account.
- T1111 – Multi-Factor Authentication Interception
The threat actors target multi-factor authentication mechanisms to gain access to credentials that are used to access Coinbase systems and services.
V. Recommendations
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014 - Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures. - Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a - Turn on Endpoint Protection
Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using. - Malware Monitoring
Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
VI. Indicators of Compromise (IOCs)
This threat advisory has no indicators of compromise, but users should ensure that they are only interacting with legitimate communications from Coinbase and other services.
VII. References
(1) Montalbano, Elizabeth. “Phishers Swim Around 2FA in Coinbase Account Heists.” Threatpost English Global, August 8, 2022. https://threatpost.com/phishers-2fa-coinbase/180356/.
(2) PIXM Software, ed. “Coinbase Attacks Bypass 2FA.” Pixm Anti-Phishing, August 8, 2022. https://pixmsecurity.com/blog/phish/coinbase-attacks-bypass-2fa/.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.
Student Loan Forgiveness Scams Are On The Rise
There’s no question that student loan debt is a major problem for many people in the U.S. In fact, researchers estimate that there are currently more than 44 million Americans with student loan debt, and the average U.S. household that has student loan debt owes just over $57,000. With so much debt, it’s no wonder that there are people out there who are looking for ways to get rid of it. And that’s where student loan forgiveness scams come in.
There are a lot of companies and individuals out there who claim they can help you get your student loans forgiven. But the truth is, most of these offers are too good to be true. And if you’re not careful, you could end up getting scammed.
Recognizing a Federal Student Loan Forgiveness Scam
There are a few different types of student loan forgiveness scams out there. Here are three of the most common:
The company promises loan forgiveness for a fee. This is probably the most common type of scam. But the truth is, you don’t need to pay anyone to get your loans forgiven. The government has a number of programs that can help you get rid of your debt, and you can apply for them for free.
The company promises to lower your monthly payments. This is something you can do for free. There are a number of government programs that can help you lower your payments, and you don’t need to pay anyone to access them.
The company promises to consolidate your loans. This can be a good thing or a bad thing, depending on the interest rate you’re currently paying. If you’re consolidating your loans at a lower interest rate, it can save you money. But if you’re consolidating your loans at a higher interest rate, it could end up costing you more in the long run.
If you’re considering student loan forgiveness watch out for:
- Guarantees: Be wary of any company or individual that promises to guarantee your student loan forgiveness. The truth is, there’s no such thing as guaranteed student loan forgiveness. So if someone tells you they can guarantee it, they’re probably lying.
- Upfront Fees: You should never have to pay any upfront fees for student loan repayment assistance. If someone asks you to pay an upfront fee, it’s a good sign that they’re a scammer.
- High Pressure Sales Tactics: Be wary of anyone who’s pressuring you to sign up for their program or make a decision right away. If someone is trying to rush you, it’s likely because they’re not legitimate.
- Promises of Quick Forgiveness: Be careful of anyone who promises quick and easy student loan forgiveness. The truth is, the process can take years. So if someone tells you they can get your loans forgiven quickly, they’re probably not being honest.
- Outrageous Claims: Be skeptical of anyone who makes outrageous claims about student loan forgiveness. For example, if someone tells you that you can have your loans forgiven in a matter of weeks, it’s probably too good to be true.
Immediate Action Steps
If you think you may have been a victim of a student loan forgiveness scam, it is important to take action right away to protect yourself and your finances. Here are some steps to take if you are scammed:
- Contact the three major credit agencies: Equifax, Experian and Transunion. Although loan scammers mostly focus on the fees, your personal information is in danger. Consider placing a freeze or fraud alert on your credit report. This will prohibit the scammer from opening new accounts in your name.
- Call your bank or credit card company right away if you paid a fee using your debit or credit card. By immediately reporting the transaction as fraudulent, you might be able to prevent paying the fee. They can also help you change any compromised accounts.
- Get in touch with your official loan servicer. They will be able to help guide you to secure your account and can help you with repayment.
- Update your FSA ID password right away if you gave the scam company your FSA ID.
Reporting the Scams
Reporting student loan forgiveness scams is crucial to helping others avoid being scammed. As a society, the more people that report online scams and fraud, the more national reporting data that is collected, and the better chance law enforcement has to catch the criminals and decrease cybercrime.
Whether you provided financial or personal information to scammers or not, report the incident to the following authorities:
- The Internet Crime Complaint Center: The IC3 will review your report and refer it to the appropriate federal, state, local and international agencies if necessary.
- Consumer Finance Protection Bureau: While the CFPB might now be able to help with specific case, they will use your complaint to shut down fraudulent companies.
- Your State Attorney General: Many State Attorney Generals take student loan forgiveness scams very seriously.
Find Legitimate Help for Student Loan Forgiveness
There are a number of government programs that help with loan forgiveness. And you can access these programs for free. So there’s no need to pay anyone for help. The U.S. Department of Education (ED) offers free and legitimate student loan forgiveness programs. Contact your official loan servicer to find out if you qualify.
If you’re considering student loan forgiveness, make sure you do your research and be careful of scams. There are a lot of companies and individuals out there who will try to take advantage of you. But if you’re aware of the signs of a scam, you can protect yourself.
To learn more about other scams affecting students, visit our education/scholarship scams page.
Article retrieved from Fight Cybercrime. View the original article: https://fightcybercrime.org/blog/student-loan-forgiveness-scams-are-on-the-rise/
Phishing Attacks Increase as Facebook and Microsoft are Most Abused
I. Targeted Entities
- Microsoft, Facebook, and other large tech brands
II. Introduction
Phishing attacks exploiting the Microsoft and Facebook brands, among others, have increased between 2021 and 2022.
III. Background Information
According to researchers at Vade, Microsoft, Facebook, and the French bank Crédit Agricole are the top abused brands.[1] The report also says that phishing attacks exploiting the Microsoft brand increased 266% in the first quarter of 2022 compared to 2021. Phony Facebook messages are up 177% in the second quarter of 2022, also compared to 2021.[1]
The research done by Vade analyzed unique instances of phishing URLs used by threat actors carrying out phishing attacks and not the number of phishing emails associated with the URLs. Their report listed the 25 most commonly phished companies, along with the most targeted industries and days of the week for phishing emails.[1] Other brands at the top of the list include Crédit Agricole, WhatsApp, and French telecommunications company Orange. PayPal, Google, and Apple also made the list.[1]
The report by Vade found that through the first half of 2022, 34% of all unique phishing attacks, that were tracked by the researchers at Vade, impersonated financial services brands. The next most popular sector was cloud service providers, with Microsoft, Google, and Adobe being prime targets. The social media sector was also popular with Facebook, WhatsApp, and Instagram at the top of the list of brands exploited in the attacks.[1] The researchers also found that the most popular days for sending phishing emails were Monday through Wednesday. The weekend did not see a lot of phishing emails sent with only 20% of the phishing emails being sent during the weekend.[1]
IV. MITRE ATT&CK
- T1566 – Phishing
Adversaries will send phishing messages to gain access to a victim’s machine. These phishing attempts may come via link or attachment, and typically execute malicious code on victim machines.
V. Recommendations
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014 - Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures. - Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a - Turn on Endpoint Protection
Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using. - Malware Monitoring
Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
VI. Indicators of Compromise (IOCs)
This threat advisory has no indicators of compromise, but it is recommended that readers be aware of the links and attachments that they are sent to ensure their safety.
VII. References
(1) Nelson, Nate. “Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands.” Threatpost English Global, July 26, 2022. https://threatpost.com/popular-bait-in-phishing-attacks/180281/.
(2) Petitto, Natalie. “Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks.” Vade, July 26, 2022. https://www.vadesecure.com/en/blog/phishers-favorites-top-25-h1-2022.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, and Tural Hagverdiyev