Chat Support Scam Targets Crypto Wallets

Hackers Rob Multiple Crypto Platforms

Dark web hackers’ latest cryptocurrency scams involve phishing attacks targeting Coinbase, MetaMask, Crypto.com, and KuCoin. Thieves are actively targeting these accounts to steal cryptocurrency by evading multi-factor authentication. With the latest phishing attacks, cyber analysts reported that the Microsoft Azure Web Apps service has played a pivotal role in the stealing of cryptocurrency, when used by hackers to trick crypto owners into visiting malicious websites.

In all instances, the most popular cryptocurrency platforms are featured in the hackers’ scams. Mostly phishing emails are sent to recipients’ email inboxes, tricking them into visiting malicious websites that appear to be transaction confirmation requests or account alerts for suspicious activity. An example is one in which a Coinbase account was locked due to suspicious activity, the unsuspecting victim is then lured to click on a purported Coinbase link.

Phishing websites are used as traps that ensnare victims in a multi-step fraud scheme. The con artist disguises himself as a ‘customer assistance’ in a chat window on the fake duplicate of the official cryptocurrency platform.

PIXM analysts have been monitoring the activities of the malicious group of hackers, they noticed that these threat actors have been targeting Coinbase customers since 2021. However, recent reports indicate that PIXM researchers have linked the same criminals to phishing scams that target MetaMask, Crypto.com, and KuCoin, as well.

Victims gift scammers with 2FA code

Individuals who clicked on the hackers’ fraudulent link are usually redirected to fake crypto exchange phishing sites, then the scam attack starts with a phony login form, which is subsequently followed by a request for two-factor authentication.

Next, a popup window on the following page requests the 2FA code required to access the victim’s account. The credentials entered at this point by the victim are then stored by the threat actors.

PIXM researchers’ analytics show that the hackers would test the stolen credentials on a real website like Coinbase, which then sends the victim a 2FA code to authenticate their login. Once the unsuspecting individual inputs a legitimate 2FA code on the fake website, the dark web hackers now have full access to the victim’s cryptocurrency wallets.

Meanwhile, MetaMask victims are prompted to input their recovery phrases, rather than 2FA codes. Thus, further enabling the threat actors linked to the cryptocurrency phishing scam full access to their accounts.

Chat support used to trick victims

Researchers have noticed that hackers usually converse with victims through chat support boxes. And even if the 2FA code is successful, the scammers also utilize an on-screen attack, by sending an error message to the visitor indicating the suspension of their account due to suspicious activity.

In the support chat, the threat actors engage the intended victim to derive additional login information, such as username, password, recovery phrases, and 2 Factor Authentication code. Meanwhile, the criminals are on another web browser accessing the victim’s account.

PIXM also revealed that for successfully compromised accounts, the unsuspecting victim would normally contact their customer service to confirm fund transfers, meanwhile the criminal hackers wipe out their entire cryptocurrency wallet.

It was also observed that to authenticate their device as trustworthy for cryptocurrency platforms thaty they cannot breach via support chat, the criminal hackers would switch to other alternative methods.