Recent phishing attacks on Coinbase and its customers revealed not only how these campaigns are becoming more sophisticated and multi-faceted, but also how rapidly threats to cryptocurrency sites are rising, according to research and analysis from security firm PIXM.
“Since its rise to prominence, [Coinbase] has been increasingly targeted by scammers, fraudsters, and cyber criminals, due in part to the fact that its user-base is so large and mainstream,” said the PIXM blog post published Aug. 4; “it is assumed to cover an audience of casual, generally non-technical, crypto investors.” Coinbase is “arguably the most mainstream cryptocurrency exchange used globally,” having added more than 89 million users to its platform since it began business a decade ago, in 2012.
In their “multi-layered” phishing attacks on Coinbase, cybercriminals sent out spoofed emails purporting to come from the cryptocurrency company in order to steal financial and personal data, which they could resell and use to log into users’ legitimate accounts and drain their funds in real time. The attacks combined email and brand impersonation to steal from Coinbase wallet-holders despite their use of multi-factor authentication (MFA), according to PIXM’s analysis.
According to Chris Cleveland, founder and CEO of PIXM, this complex and sophisticated campaign involved “surprising tactics to steal much more than just passwords.”
“After stealing a user’s Coinbase password, the phishing sites used a built-in two-factor relay system to enter the user’s password into the real Coinbase site and then further solicit the actual two-factor authentication code from the user, [which] allowed the hacker to bypass two-factor authentication and access a user’s Coinbase wallet.”
Bad actors typically sent Coinbase customers a notification that their account “needed attention due to an urgent matter,” such as being “locked” or requiring a transaction confirmation. “Users were prompted to enter login credentials and a two-factor authentication code into the fake website,” according to PIXM’s blog. “With the newly obtained personal information, the attacker immediately gain[ed] access into users’ legitimate sessions on the Coinbase website.”
“The email prompts the user to log in for a variety of reasons, each with a sense of urgency. It is either to confirm a transaction, or that the user’s account has been ‘locked’ due to suspicious activity,” the PIXM blog continued. “The use of these scenarios by the attacker is designed to distract the user from analyzing the specifics of the email, [such as] if the sender is legitimate or if the login link is legitimate.”
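The relay described above, reduced to a runnable model from the defender's side. This is an added example, not PIXM's or Coinbase's code; the origins, keys and the HMAC standing in for a WebAuthn public-key signature are constructed assumptions. It shows why the relay works against a TOTP code, which carries no information about where it was typed, and why an origin-bound second factor that signs the origin the browser is actually on fails verification when the same flow is attempted.

```python
import hmac, hashlib, struct, secrets

REAL_ORIGIN = "https://exchange.example"         # constructed stand-in for the real exchange
PHISH_ORIGIN = "https://exchange-login.example"  # constructed stand-in for the lookalike site

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the code type common authenticator apps display."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpAccount:
    """Real site with a TOTP second factor: the code says nothing about where it was typed."""
    def __init__(self):
        self.secret = secrets.token_bytes(20)   # shared with the victim's authenticator app
    def login(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))

class OriginBoundAccount:
    """Real site with an origin-bound second factor (WebAuthn-style): the authenticator signs the
    server challenge together with the origin the browser is really on. A shared HMAC key stands
    in for the public-key signature (constructed simplification); the origin check is the point."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.pending = set()
    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c
    def login(self, challenge: bytes, origin: str, signature: bytes) -> bool:
        if challenge not in self.pending or origin != REAL_ORIGIN:
            return False
        self.pending.discard(challenge)                  # single use, like a WebAuthn challenge
        expected = hmac.new(self.key, challenge + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)

def authenticator_sign(key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The user's authenticator: it can only bind the origin the browser actually reports."""
    return hmac.new(key, challenge + browser_origin.encode(), hashlib.sha256).digest()

def relay_totp(now: int = 1_700_000_000) -> bool:
    """Victim types the current code into the lookalike page, which forwards it to the real site."""
    real = TotpAccount()
    return real.login(totp(real.secret, now), now)       # True: the relayed code is accepted

def relay_origin_bound() -> bool:
    """Lookalike page fetches a real challenge, has the victim sign it, then forwards the result."""
    real = OriginBoundAccount()
    c = real.challenge()
    return real.login(c, REAL_ORIGIN, authenticator_sign(real.key, c, PHISH_ORIGIN))  # False
```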
Roger Grimes, data-driven defense evangelist at KnowBe4, pointed out that it's increasingly common for attackers to use short-lived domains, usually customized to the potential victims, “to complicate the task of integrity checkers and blocklists.”
“By the time the various defending software companies try to check out the site, it's gone, and been gone for hours,” he added.
Adding insult to injury, after stealing user passwords and authentication codes, the phishing sites redirected victims to a “suspended account” page with a support chat box asking for additional personal information to recover the account, Cleveland pointed out.
“Impersonating Coinbase customer support, the hackers would continue to steal a range of additional personal information, including phone number, address, email and estimated account balance,” Cleveland added. “This allowed them to bypass any additional account validation and also keep victims engaged and distracted while draining their funds.”
As the embrace of cryptocurrency has exploded, so have attacks on these sites. Worldwide crypto adoption jumped more than 880% last year, according to Cleveland, with the global use of Bitcoin alone projected to hit 10% by 2030. This makes unsuspecting crypto investors using online exchanges a rapidly growing pool of ideal phishing targets over the coming years.
“Cryptocurrency exchanges have been the target of sophisticated adversaries since their inception,” according to PIXM, which has been tracking these attacks since last year. “The attacks we’ve detected ... which are targeting the exchange user bases via phishing, have evolved and are using increasingly sophisticated techniques to compromise crypto exchange users’ accounts and drain their wallets.”