I. Targeted Entities
Attackers are bypassing two-factor authentication (2FA) and using other evasion tactics in a campaign that is trying to take over Coinbase accounts to defraud users of their cryptocurrency.
III. Background Information
Researchers at PIXM Software say that the threat actors are using emails that spoof Coinbase to trick users into logging into their accounts so that the attackers can gain access to the accounts and steal funds. The researchers say that the cybercriminals will distribute these stolen funds through a network of “burner” accounts, in an automated way, via hundreds or thousands of transactions. The cybercriminals do this in an effort to shroud the original wallet from their destination wallet.
The attackers employ a range of tactics to avoid detection. One such tactic is what researchers call “short-lived domains.” These domains are only up for extremely short periods of time (less than two hours), which is a deviation from typical phishing practices. Another tactic used is context awareness. Context awareness allows cybercriminals to know either the IP, CIDR Range, or geolocation from which they anticipate their target to be connecting. The attackers can then create something similar to an Access Control List (ACL) on the phishing page to restrict connections to only be allowed from the IP, CIDR Range, or region of their intended target.
The Coinbase attacks begin with criminals targeting users with a malicious email that spoofs Coinbase so that victims think that they are receiving a legitimate message. The email uses a variety of reasons to persuade the user into logging into their account. For example, the account might be locked due to suspicious activity or a transaction needs to be confirmed. Like a typical phishing campaign, if the user is persuaded to follow the link in the phony message, they are taken to a fake login page and they are prompted to enter their credentials. If the user enters their credentials, the cybercriminal receives them in real-time and uses them to log in to the legitimate Coinbase website. Because the attacker logged into the legitimate Coinbase website, the victim is sent a 2FA code from Coinbase. Thinking that they are logging into the legitimate Coinbase website, the victim enters the 2FA code they received. However, like the login credentials, the cybercriminal receives the 2FA code and gains control of the victim’s account.
Once the criminal has access to the account, they divert the victim’s funds to the aforementioned network of accounts in order to evade detection or suspicion. According to researchers, the funds are often embezzled through unregulated and illegal online cryptocurrency services, like cryptocurrency casinos, betting applications, and illegal online marketplaces. At this point, the victim is told that their account is locked or restricted, and is prompted to talk to customer service to rectify their problem. This prompt is the second phase of the attack, where the cybercriminal poses as a Coinbase employee trying to help the victim regain access to their account, but in reality, is stalling so that the fund transfer can be completed before the victim becomes suspicious. Once the transfer is complete, the cybercriminal will abruptly close the session and then shut down the phishing page, leaving the victim without their funds.
IV. MITRE ATT&CK
- T1566 – Phishing
The threat actors will send phishing messages to gain access to a victim’s Coinbase account.
- T1111 – Multi-Factor Authentication Interception
The threat actors target multi-factor authentication mechanisms to gain access to credentials that are used to access Coinbase systems and services.
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
- Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- Turn on Endpoint Protection
Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
- Malware Monitoring
Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
VI. Indicators of Compromise (IOCs)
This threat advisory has no indicators of compromise, but users should ensure that they are only interacting with legitimate communications from Coinbase and other services.
(1) Montalbano, Elizabeth. “Phishers Swim Around 2FA in Coinbase Account Heists.” Threatpost English Global, August 8, 2022. https://threatpost.com/phishers-2fa-coinbase/180356/.
(2) PIXM Software, ed. “Coinbase Attacks Bypass 2FA.” Pixm Anti-Phishing, August 8, 2022. https://pixmsecurity.com/blog/phish/coinbase-attacks-bypass-2fa/.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.