Coinbase phishing hack signals more crypto attacks to come, security firm says
Recent phishing attacks on Coinbase and its customers revealed how these campaigns are not only becoming more sophisticated and multifaceted, but how threats against cryptocurrency websites are rapidly increasing, according to research and analysis by security firm PIXM.
“Since it came to prominence, [Coinbase] has increasingly been targeted by fraudsters, scammers and cybercriminals, in part due to the fact that its user base is so large and mainstream,” said the PIXM blog post published on August 4, “it is believed to cover an audience of casual, generally non-technical, crypto investors.” Coinbase is “arguably the most common cryptocurrency exchange used globally,” having added more than 89 million users to the platform since it began operations a decade ago in 2012.
In their “multi-layered” phishing attack on Coinbase, cybercriminals sent out fake emails purporting to be from the cryptocurrency company in order to steal financial and personal data, both to resell it and to log into users’ legitimate accounts and steal their money in real time. The attacks combined email and brand impersonation to steal from Coinbase wallet holders despite their use of multi-factor authentication (MFA), according to PIXM’s analysis.
According to Chris Cleveland, founder and CEO of PIXM, this complex and sophisticated campaign involved “surprising tactics to steal much more than just passwords.”
“After stealing a user’s Coinbase password, the phishing sites used a built-in two-factor relay system to enter the user’s password into the real Coinbase website and then request the actual two-factor authentication code from the user, [which] allowed the hacker to bypass two-factor authentication and gain access to a user’s Coinbase wallet.”
Bad actors typically sent Coinbase customers a notice that their account “needs attention due to an urgent matter,” such as being “locked” or requiring a transaction confirmation. “Users were asked to enter login information and a two-factor authentication code on the fake website,” according to PIXM’s blog. “With the newly obtained personal information, the attacker immediately gets access to users’ legitimate sessions on the Coinbase website.”
“The email asks the user to log in for a variety of reasons, each with a sense of urgency. It’s either to confirm a transaction, or that the user’s account has been ‘locked’ due to suspicious activity,” the PIXM blog continued. “The attacker’s use of these scenarios is designed to distract the user from analyzing the details of the email, [such as] if the sender is legitimate or if the login link is legitimate.”
Roger Grimes, data-driven defense evangelist at KnowBe4, pointed out that it is increasingly common for attackers to use short-lived domains, usually tailored to the potential victims, “to complicate the task of integrity checkers and blocklists.”
“By the time the various defending software companies try to check out the site, it’s gone and been gone for hours,” he added.
After stealing user passwords and authentication codes, the phishing sites would lead to a “suspended account” page with a support chat box asking for additional personal information to restore the account, Cleveland pointed out.
“Masquerading as Coinbase customer support, the hackers would proceed to steal a variety of additional personal information, including phone number, address, email and estimated account balance,” Cleveland added. “This allowed them to bypass any additional account validation and also keep victims engaged and distracted while they drain their money.”
As cryptocurrency adoption has exploded, so have attacks on these sites. Worldwide crypto adoption increased by more than 880% last year, according to Cleveland, with global use of Bitcoin alone projected to reach 10% by 2030. This makes unsuspecting crypto investors using online exchanges a huge growth opportunity and ideal phishing targets during the coming years.
“Cryptocurrency exchanges have been the target of sophisticated adversaries since their inception,” according to PIXM, which has been tracking these attacks since last year. “The attacks we’ve discovered … targeting exchanges’ user bases via phishing have evolved and use increasingly sophisticated techniques to compromise crypto exchange users’ accounts and empty their wallets.”