Cryptocurrency exchanges have been targeted by sophisticated adversaries since their inception. At PIXM, we have been tracking these attacks since 2021, having initially come across them during the daily analysis of detections we perform for our clients. In late 2021 and continuing into 2022, the phishing attacks we have detected against exchange user bases have evolved, using increasingly sophisticated techniques to compromise crypto exchange users' accounts and drain their wallets.
Coinbase is a publicly traded cryptocurrency exchange and arguably the most mainstream exchange in use globally, having attracted more than 89 million users since its founding in 2012. Since its rise to prominence it has been increasingly targeted by scammers, fraudsters, and cyber criminals, in part because a user base that large and mainstream is assumed to include many casual, generally non-technical crypto investors.
In this attack we observe how attackers target known Coinbase wallet holders and attempt to access their accounts in spite of 2-Factor Authentication.
- Vector: Email
- Type: Brand Impersonation
- Target: Coinbase users
Phase 1: Targeted Phishing Email
The attacks we have observed start with the delivery of a spoofed email resembling one from Coinbase. The email prompts the user to log in for one of several reasons, each carrying a sense of urgency: either to confirm a transaction, or because the user's account has been "locked" due to suspicious activity. These scenarios are designed to distract the user from examining the specifics of the email (whether the sender is legitimate, whether the login link is legitimate, and so on).
Example of a coinbase phishing email (Image Credit: The Coinbase Blog)
Phase 2: Phishing Page Authentication and 2-Factor Relay
Once the user arrives at the fake login page, they are prompted to enter their credentials. Anything they enter is sent to the attacker in real time. On the other end, the attacker enters the same credentials into the legitimate Coinbase website, which then sends a 2-Factor Authentication notification containing a code to the user. Believing the notification was triggered by their own login, the user enters the code into the fake website. The code is relayed to the attacker, who enters it on the legitimate website. The relay has to complete within the code's short validity window, which is why the attacker is on the other end in real time rather than collecting credentials for later use.
Phase 3: Transfer Cryptocurrency and Distract Target
Now the attacker is logged in to the unsuspecting user's account and able to access the funds stored with the platform. They will typically distribute these funds through a network of 'burner' accounts in an automated fashion, via hundreds or thousands of transactions, in an effort to obscure the path from the original wallet to the destination wallet. The funds are also often laundered through unregulated illicit online crypto services, such as cryptocurrency casinos, betting applications, and illegal online marketplaces.

Meanwhile, on the phishing page, the target is shown a message saying their account has been locked or restricted, much like the initial phishing email that brought them to the attacker's page. The prompt claims they must chat with customer service to resolve the problem. A chat box then appears in the bottom right hand corner of the phishing page, with the attacker waiting on the other end. The attacker pretends to be a Coinbase employee helping the target recover their account, and asks for additional account details, personal information, and an estimate of the funds held in the Coinbase account. The chat session keeps the target occupied and distracted (from the emails or texts Coinbase may send when the transfers are initiated) while the funds are moved. If the target becomes suspicious, or starts asking why they are receiving fund-transfer notifications, the attacker uses the chat session to reassure them that there is nothing to worry about and that the account is actively being recovered. Once the transfers are complete, the attacker closes the chat session abruptly and shuts down the phishing page.
What is patently different about these attacks, compared with other phishing attacks tracked by PIXM, is that the domains stay alive for extremely short periods of time. Our estimates place the majority of the pages at being reachable on the internet for less than 2 hours.
In several cases, outlined below, we were alerted to an attack and attempted to perform forensics on the domain, only to find it was no longer accessible to us. The adversary employs a variety of techniques to keep prying eyes from digging into their phishing infrastructure. In these cases we observe three core techniques in use:
- Short Lived Domains
- Context Awareness
- 2-Factor Relay
Short Lived Domains
The domains employed in the attacks we have observed do not appear to be in use for more than a few hours each. They are spun up, typically with quick website deployment services like cprapid and Server Quake, used in a targeted phishing attempt, and then taken down.
This indicates the domains are used in relatively targeted attacks. Based on the domain deployment lifecycle, it is likely that the Coinbase phishing pages are deployed to a live URL, phishing emails targeting specific known Coinbase account holders are sent, the threat actor waits for credentials and 2-Factor Authentication codes to be entered, and the site is then taken down.
Fig: An example of a targeted Coinbase phishing page detected by PIXM.
The short-lived nature of these phishing pages makes archival of their contents rare, as the sites are taken down long before they are indexed by search engines. This also complicates forensics on the landing pages, since they are typically removed well before they are reported to vendors as malicious.
Context Awareness
Another strategy employed by the threat actors targeting Coinbase users is browser or IP context awareness. In this case, that means the adversary knows the IP address, CIDR range, or geolocation they expect their target(s) to connect from, and has put something like an Access Control List (ACL) on the phishing page so that only connections from that IP, range, or region are allowed through; everyone else is refused.
This is another technique to obstruct forensics on the phishing pages. Even if a page is detected or reported within the few-hour window it is live, a researcher would need to match the restrictions placed on the page (for example by fetching it from an egress address inside the expected range) to reach the content. A fetch from outside that range that comes back empty or harmless is therefore not evidence that the site is clean.
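The gate described above, and the check a researcher needs before trusting a single fetch of a suspected page, as an added example that is not PIXM's detection code or anything recovered from the attacker's infrastructure. The target ranges, the egress addresses and the page body are constructed for the demonstration; a geolocation gate works the same way with a country lookup in place of the CIDR test.

```python
# Model of the IP/CIDR gate described above, plus the multi-vantage check a
# researcher needs before trusting a fetch of a suspected phishing URL.
# Added example, not PIXM's detection code. The target ranges, the egress
# addresses and the page body are constructed; a geolocation gate works the
# same way with a country lookup in place of the CIDR test.
import hashlib
import ipaddress
from typing import Dict, Tuple

# Constructed: the ranges the attacker expects the intended target to come from.
TARGET_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
LURE = "<html><!-- constructed stand-in for the fake login form --></html>"


def gate(client_ip: str, allowed=TARGET_NETWORKS) -> Tuple[int, str]:
    """What the phishing server does: serve the lure only to expected clients."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in allowed):      # version mismatch is simply False
        return 200, LURE
    return 403, ""                      # anyone else, scanners included, sees nothing


def fetch_from(vantages: Dict[str, str]) -> Dict[str, Tuple[int, str]]:
    """Simulated fetches of the same URL: vantage name -> (status, body hash)."""
    results = {}
    for name, egress_ip in vantages.items():
        status, body = gate(egress_ip)
        results[name] = (status, hashlib.sha256(body.encode()).hexdigest()[:12])
    return results


def looks_gated(results: Dict[str, Tuple[int, str]]) -> bool:
    """Different responses from different egress points: one verdict is unreliable."""
    return len(set(results.values())) > 1


def demo() -> Tuple[Dict[str, Tuple[int, str]], bool, bool]:
    """(single-vantage result, gated? from one vantage, gated? from three vantages)."""
    # Constructed egress points; 198.51.100.0/24 stands in for a vendor sandbox.
    single = fetch_from({"sandbox": "198.51.100.7"})
    multi = fetch_from({"sandbox": "198.51.100.7",
                        "office-vpn": "203.0.113.45",    # inside the target range
                        "cloud-ipv6": "2001:db8:10::1"})  # inside the IPv6 range
    return single, looks_gated(single), looks_gated(multi)
```

The sandbox alone sees a 403 and nothing else, which is exactly the "not accessible to us" outcome described above; only when the same URL is fetched from an address inside the expected range does the divergence become visible. Fetching from several egress points and comparing status and body hash is the minimum before calling a reported URL dead.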
2-Factor Relay
After the user enters their primary username/password combination, the phishing pages typically redirect them to a second page, which requests one of two things: the 2-factor code the user is prompted for at login, or additional information about the user's account.
Fig: Initial Coinbase phishing login page (looks identical to the real Coinbase login page)
Fig: Coinbase phishing 2-step verification page (looks different than the actual Coinbase 2-step verification page)
In the case that the site has a built-in 2-Factor relay, the adversary takes the credentials entered by the user on the phishing page and (typically automatically) enters them into the REAL Coinbase login portal on their end. Coinbase then sends a 2-Factor Authentication request to the user's device, or prompts them for a code sent to their second-factor device. When the user enters the code on the phishing page, the adversary receives it and enters it into the real Coinbase session. The user is never actually authenticated to Coinbase on their own device, but has now handed the attacker their username, password, and a valid 2-Factor Authentication code. The adversary logs in to the targeted user's account and starts sending their cryptocurrency holdings to wallets they control. Any second factor the user can read and retype (an SMS or email code, an authenticator-app code) can be relayed this way, because the code itself carries no information about which site it was typed into.
Fig: [Phishing pages display a message that the user is locked out of the account and it needs to be resolved with Customer Support]
For good measure, after harvesting the target's login information and 2-Factor code, the attacker collects more information from them manually. The phishing page displays a message that the user is locked out of the account and must resolve it with Customer Support. A chat box then appears in the bottom right corner, where the attacker engages the target in a conversation to "recover" additional personal information related to the account, including phone number, address, email, and estimated account balance. This helps the attacker should they run into difficulty or be asked for additional validation while accessing the target's account from their own system. It also keeps the victim engaged in a live chat, and therefore distracted, while their funds are drained.
Fig: A diagram of the attack’s typical lifecycle
We have seen a growing number of phishing attacks against Coinbase and other cryptocurrency exchanges in the last few months. Many of these attacks use techniques similar to those described above not only to steal credentials but to trick the user into entering their code so that 2FA is bypassed. The attacker waits for the relayed code to be accepted and then logs in to the account to steal the victim's cryptocurrency.
If your cryptocurrency is stolen, there is no party to turn to in order to recover it, and no insurance or other protection against the loss; once the transfers are confirmed on the blockchain they cannot be reversed. Law enforcement typically will not work the case unless millions of dollars are at stake. A successful compromise of a crypto account can be devastating for the victim. It is important to be aware of these threats and to take extra precautions any time you log in to a cryptocurrency exchange.
PIXM will continue to monitor these phishing attacks and provide updates if there is new information to share.
If you receive an email from Coinbase, the sender's address will always be on the coinbase.com domain, and Coinbase will never contact you from an address that is not. Check the domain that follows the @ in the actual sender address, not the display name, and not merely whether the text "coinbase.com" appears somewhere in it: a lookalike domain can contain that text and still not be coinbase.com. Bear in mind too that the From header can be forged, so this check is only as strong as your mail provider's enforcement of SPF, DKIM and DMARC for the sender's domain.
Because attackers are increasingly creative in constructing lookalike domains, it is also advised that you not click a link to a login portal even if the link appears legitimate (unless you initiated a transaction or password reset from within the Coinbase platform or app). If you are prompted to authenticate to Coinbase, open a new browser tab or window, manually navigate to coinbase.com, and access your account through the standard login portal.
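The two rules above as a concrete check, added here as an example rather than anything PIXM or Coinbase ships. The two messages are constructed; coinbase.com is the only real domain in them. The point it makes is the difference between "the address contains the text coinbase.com" and "the domain after the @ is coinbase.com or a subdomain of it": the lookalike in the first message passes the former and fails the latter, as does a display name that merely looks like an address.

```python
# Checks for the two rules above. Added example, not PIXM's or Coinbase's code;
# the two messages are constructed, and coinbase.com is the only real domain.
# "Contains the text coinbase.com" and "the domain after the @ is coinbase.com"
# are different tests: the lookalike in the first message passes the former.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

LEGIT_DOMAIN = "coinbase.com"

PHISH = """\
From: "Coinbase Support" <security@coinbase.com.account-review.example>
To: victim@example.net
Subject: Your account has been locked

Suspicious activity was detected. Sign in to restore access:
http://coinbase.com.account-review.example/login
"""

LEGIT = """\
From: alerts@coinbase.com
To: victim@example.net
Subject: Constructed example of a message on the real domain

https://www.coinbase.com/
"""


def is_legit_domain(host: str) -> bool:
    """True only for coinbase.com itself or a subdomain of it. Exact string
    comparison, so a homoglyph or a name that merely contains the text fails."""
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def sender_domain(from_header: str) -> str:
    """Domain of the mailbox in From; the display name is deliberately ignored."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2]


def link_hosts(body: str) -> List[str]:
    """Hostnames of every http(s) URL in the body (the href, not the link text)."""
    return [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)]


def assess(raw: str) -> dict:
    msg = message_from_string(raw)
    from_h = msg.get("From", "")
    dom = sender_domain(from_h)
    return {
        "sender_domain": dom,
        "sender_ok": is_legit_domain(dom),
        "contains_text": LEGIT_DOMAIN in from_h.lower(),     # the weaker test
        "bad_link_hosts": [h for h in link_hosts(msg.get_payload())
                           if not is_legit_domain(h)],
    }
```

Run against PHISH the weak test passes and the domain test fails, and the only link in the body points off-domain; against LEGIT both pass. The check is a filter on the message as received, so it inherits the caveat from the paragraph above: it is only meaningful where the receiving server rejects mail that fails SPF, DKIM and DMARC for the claimed sender domain, and it does not replace the advice to reach the login page by typing the address yourself.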
PIXM Threat Research Team
Kesselring Communications for Pixm