"Phishers Swim Around 2FA in Coinbase Account Heists"
In a recently observed phishing campaign aimed at taking over Coinbase accounts and draining users' cryptocurrency balances, threat actors are circumventing two-factor authentication (2FA) and employing other evasion tactics. Coinbase is a cryptocurrency exchange platform that has been in operation since 2012. With over 89 million users, it is arguably one of the most popular cryptocurrency exchanges, making it an appealing target for cybercriminals.

Researchers from PIXM Software discovered that attackers are using emails spoofing the popular cryptocurrency exchange to trick users into logging into their accounts so that the attackers can gain access to them and steal victim funds. According to the PIXM Threat Research Team, the attackers typically distribute these funds through a network of 'burner' accounts in an automated manner via hundreds or thousands of transactions, in order to obscure the link between the original wallet and the destination wallet.

To avoid detection, attackers use a variety of tactics, including what researchers call short-lived domains: the domains used in the attack stay alive for only very short periods of time. The researchers estimated that most of the pages were on the Internet for less than two hours, which in some cases prevented PIXM researchers from performing forensics after being alerted to an attack. This, along with other techniques such as context awareness and 2-factor relay, enables attackers to keep researchers from digging into their phishing infrastructure. This article continues to discuss the attackers spoofing the widely used cryptocurrency exchange to trick users into logging in so they can steal their credentials and funds.
Threatpost reports "Phishers Swim Around 2FA in Coinbase Account Heists"