
Crypto phishing email scam exploits TeamViewer and fake websites to bypass MFA

Threat actors have used TeamViewer and fake support conversations to compromise KuCoin, MetaMask, and Coinbase accounts in a new cryptocurrency theft phishing email campaign that bypasses multi-factor authentication.

PIXM notes that after 30 days of tracking the scam, it has evolved to target other wallets and exchanges in addition to the Coinbase exchange, which was the campaign’s initial objective.

The attack is backed by a vast network of phishing websites hosted on the Microsoft Azure Web Apps service. Cybercriminals lure victims with phishing emails that claim their accounts have been disabled, ask them to confirm transactions, or alert them to suspicious activity.

One of the phishing emails used in the attacks, for example, claimed to be from Coinbase and stated that the account had been locked because of suspicious activity.

Phishing email claiming to be from Coinbase (PIXM)

When victims visit the phishing site, they are led through a multi-step fraud process by a scammer who operates a chat window posing as “customer support”. PIXM has been monitoring this threat group since its 2021 campaign, which mainly targeted Coinbase.

Bypassing 2FA in a multi-stage scam

After the phishing email is sent, the first stage directs victims to a fake website and asks them to sign in. The form accepts any credentials, valid or invalid, and submits them to the real login, which causes the victim to receive a 2FA code. The fake website then requests this code so the attackers can access the victim’s account.

The phishing website’s 2FA process (PIXM)

The threat actors then try to log in to the victim’s account using the submitted 2FA code, provided they act before the timer expires.

Scammers Fake Customer Support

Whether or not the 2FA code works, the scammers move to the next step of the attack, which according to the experts is to activate on-screen chat assistance. The visitor is shown a fake error notice claiming the account has been blocked due to suspicious activity and is instructed to contact support to remedy the issue.

Fake login error (PIXM)

Threat actors keep the targeted victim in discussion during this support chat to keep them available in case more login information, such as recovery passwords or 2FA codes, is required for the cyber attackers to log into the account.

According to the PIXM report:

They will prompt the user for their username, password, and 2-Factor authentication code directly in the chat. The criminal will then take this directly to a browser on their machine and again try to access the user’s account.

When a breach has succeeded, the victim is kept talking to “customer service” in case they are needed to confirm money transfers while the thieves drain the account. For accounts they cannot access through the support chat, the threat actors switch to a different technique to get their own device verified as “trusted” by the cryptocurrency platform.

To get around the authorised-device restriction, attackers convince the target to install TeamViewer. After gaining remote access, they ask the victim to log in to their cryptocurrency account or wallet, and quietly add a random character to the entered password so that the login fails with an invalid-password error.

The attacker then asks the victim to paste the password into the TeamViewer chat, uses it to log in from the victim’s device, and steals the device confirmation link sent to the victim to approve the new device.

The scammers email themselves the confirmation link over TeamViewer’s chat (PIXM)

Once they have access to the account or wallet, the attackers empty all funds while keeping the victim engaged in the support chat. The attack ends once all of the victim’s money has been sent to the criminal’s wallet, after which the criminal cuts off contact with the victim.

To avoid falling victim to attacks like these, always pay close attention to the sender’s email address and to every URL in the message. If the URLs do not belong to the legitimate cryptocurrency site, treat the email as suspicious and delete it immediately. If you do fall for one of these frauds, the exchange will be unable to stop the transfer of funds out of your wallet.
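One way to automate the check above (the sender domain and every linked host must belong to the brand the email claims to be from), as an added example that is not part of the original article or of PIXM’s tooling. The brand-to-domain allow-list and the sample message are constructed for illustration; the sample link uses an azurewebsites.net hostname, the default hostname suffix for Azure Web Apps.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: claims to be Coinbase, but sender and one link are not Coinbase domains.
SAMPLE_EML = """From: Coinbase Support <support@coinbase-secure-login.com>
To: victim@example.com
Subject: Your account has been locked due to suspicious activity
Content-Type: text/plain

We detected suspicious activity. Confirm your identity here:
https://coinbase-verify.azurewebsites.net/login
or review the transaction at https://www.coinbase.com/help
"""

# Constructed allow-list: brand keyword -> domains it legitimately sends from and links to.
BRAND_DOMAINS = {
    "coinbase": {"coinbase.com"},
    "metamask": {"metamask.io"},
    "kucoin": {"kucoin.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_match(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one (label-exact, so
    'coinbase.com.evil.net' or 'notcoinbase.com' do not match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_message(raw):
    """Return a list of findings for a raw RFC 822 message; empty means no mismatch found."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (msg["Subject"] or "") + "\n" + body
    sender_host = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    # Which brand(s) does the mail present itself as? Check display name, subject and body.
    claimed = [b for b in BRAND_DOMAINS if b in ((msg["From"] or "") + text).lower()]
    findings = []
    for brand in claimed:
        allowed = BRAND_DOMAINS[brand]
        if not registrable_match(sender_host, allowed):
            findings.append(f"sender {sender_host} is not a {brand} domain")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            if not registrable_match(host, allowed):
                findings.append(f"link {host} is not a {brand} domain")
    return findings
```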

