
Novel crypto-stealing phishing operation exploits TeamViewer

BleepingComputer reports that threat actors have leveraged TeamViewer and fake support chats in a new cryptocurrency-stealing phishing campaign that evades multi-factor authentication to compromise Coinbase, Crypto.com, MetaMask, and KuCoin accounts. Attackers have been sending phishing messages masquerading as transaction confirmation requests or suspicious activity detections, with links redirecting to phishing sites hosted by exploiting the Microsoft Azure Web Apps service, according to a PIXM report. Visiting the phishing site prompts a chat window purporting to be customer support, which facilitates the fraud. The report showed that the phishing sites include fraudulent login forms and a two-factor authentication prompt. Inputted credentials are then used by attackers to access the legitimate site, triggering the delivery of a valid 2FA code, which the attackers acquire once the victim enters it on the phishing site. Meanwhile, subsequent conversations in the fake support chat are used by attackers to obtain different credentials, 2FA codes, and recovery phrases that may be needed for account access. Victims are then lured into downloading the TeamViewer remote access app to get around authenticated device troubles, said PIXM.
