PIXM is continuing to track an active criminal group operating four campaigns targeting the users of cryptocurrency exchanges and wallets. The scammers will use an in-browser chat window to initiate a remote desktop session on the victims device, approve their own device as valid to access the users account, and then drain cryptocurrency from the victims wallet.

When PIXMs Threat Research team first started tracking this group, they were only targeting the Coinbase exchange. Over the last 30 days, the group has increased their coverage of cryptocurrency exchanges and wallets, to now include MetaMask, Crypto.com, KuCoin, and Coinbase.

A list of domains the group has used actively over the last 30 days is listed at the end of this blog post.

On the new domains associated with the campaign, the 2-Factor relay interception tactic is again in use. Regardless of the credentials the user enters (if they are legitimate or not) the user will be moved to a 2-Step Verification page after clicking ‘login’ where, depending on the platform in question, will be prompted for a 2-Factor code or their phone number used to retrieve their 2-Factor code. The criminal group will first attempt to relay these credentials and 2-Factor codes to the legitimate login portal associated with the platform they are spoofing. Once the user clicks ‘verify’ they will be presented with a message telling them unauthorized activity has occurred on their account.

Fig: 2-Factor Relay page, similar to that of the original Coinbase campaign.

As with the Coinbase attack this group started with, this will initiate a chat window to keep the user on the phishing page in the event the 2-Factor code fails and the threat actor needs to start a remote desktop session with the victim to continue the attack. In our experience, regardless of if the victim enters legitimate credentials or not, the group will ‘chat’ with the victim to keep them in contact should they need to resend the code or proceed to the second phase of the attack.

For a majority of the attacks this group carries out, they will require direct interaction with the user. Their login and verification portals will, by default, produce an error regardless of the actual standing of the user’s account on the real exchange or wallet.

Fig(s): Errors produced on a few of the login portals, which initiate a ‘customer support chat’ with the same threat actor.

This process is intended to initiate a chat session with a member of the criminal group posing as a customer support representative from the exchange or wallet site you have visited. The criminals will use this interface to attempt to access the users if their initial credential relay failed or time expired. They will prompt the user for their username, password, and 2-Factor authentication code directly in the chat. The criminal will then take this directly to a browser on their machine and again try to access the users account. Should this also fail for any number of reasons (most common of which is that the device the attacker is using to access the victims account or wallet is not an ‘authorized device’ in the user’s profile), the attacker will proceed to phase three with the victim.

The group uses the same tawk.to chat plugin on all of their sites, each with the same customer support representative named “Veronica”, and the same ‘AccountKey’ value for each chat window (which indicated they are all owned and operated by a single tawk.to account).

Fig: Tawk_AccountKey value which appears the same across all domains associated with the separate campaigns.

If the previous phases have not succeeded in giving the criminal group access to the victims wallet, they will instruct the victim to download a remote access and control application ‘TeamViewer’. They instruct the victim that this is to help them diagnose the issue with their account directly on the users machine. Once the victim has installed TeamViewer on their device, and entered the code provided by the group, the criminal now has full control of the users device, and will guide them through the steps required to authorize their device to the users account and hijack their session.

Fig: Attacker initiating a remote support session on the victims device.

The criminal has the user navigate to their email inbox associated with the crypto exchange or wallet account. They will instruct the user to login to their account on the exchange or wallet site. While the user is logging in, the attacker, who has control of the victim device, will enter a random character while the victim is entering their password, which will force it to fail. The attacker will click into the TeamViewer chat box without the victims knowledge, and ask them to enter their password again, which is just sending the password to the criminal in plain text.

Fig: Attacker tricking the victim into entering their password directly into the TeamViewer chat box.

When the user re-authenticates the attacker will simultaneously login to the users account on their device, which will prompt a ‘device confirmation’ link to be sent to the user. The criminal will take over the user’s desktop session and send themselves, via the TeamViewer chat feature, the device confirmation link. They can now use this link to validate their own device to access the user’s account.

Fig: Attacker sending themselves a device confirmation link from the wallet or cryptocurrency exchange.

This phase may be initiated during any previous phase, it is only contingent on the attacker successfully being able to authenticate to the victims account. Once the criminal is in the victims account, they will immediately begin transferring the cryptocurrency held in the victims wallet(s) to their own. They will keep the victim on the (virtual) line and engaged as they steal their funds, in the event that the service they are draining funds from requires some sort of email or phone confirmation of funds transfer. If that is the case, the attacker will assure the victim that this is normal and expected activity related to account restoration. Once all the funds have been sent from the victim to the criminals wallet, they will end communication with the victim, thus ending the attack.

Coinbase and Coinbase Extension:

• coiansabsabselog(.)azurewebsites(.)net
• coianbswalle(.)azurewebsites(.)net
• coiansabse(.)azurewebsites(.)net
• coaiasabsbvbebs(.)azurewebsites(.)net
• coaziaanabelog(.)azurewebsites(.)net
• cocianbaseasas(.)azurewebsites(.)net
• cionvbaaselog(.)azurewebsites(.)net
• cicixcnbaselog.azurewebsites(.)net
• coinabasbe-log.azurewebsites(.)net
• coodnswalle.azurewebsites(.)net
• cooinbcse-log.azurewebsites(.)net
• cooanabse-log.azurewebsites(.)net
• cooainnbase-log.azurewebsites(.)net
• coianansbe-log.azurewebsites(.)net
• ccoiansbase-log.azurewebsites(.)net
• cocoianbse-logs.azurewebsites(.)net
• cocinanbs-log.azurewebsites(.)net
• coiansbs-log.azurewebsites(.)net
• ccoisnbselog.azurewebsites(.)net
• coaiinnbase-log.azurewebsites(.)net
• cociicnbas-log.azurewebsites(.)net

MetaMask:

• mmemataamammasaskssklog(.)azurewebsites(.)net
• mmemtamammasks(.)azurewebsites(.)net
• mmeatasmasmks(.)azurewebsites(.)net
• ammetamsask-log.azurewebsites(.)net
• mmetatamamks.azurewebsites(.)net
• mmmeatasmsam.azurewebsites(.)net
• mmmetamsasks.azurewebsites(.)net
• mmmaetammask-walle.azurewebsites(.)net
• mmmetatasmasmk.azurewebsites(.)net
• mmmetataamamsk-log.azurewebsites(.)net
• mmmetanask-log.azurewebsites(.)net
• mmemetatamask.azurewebsites(.)net
• mmetttamask-waale.azurewebsites(.)net

Crypto.com:

• cryoposotllog.azurewebsites(.)net

KuCoin:

• kkucinn-lov(.)azurewebsites(.)net
• kucuuco-log.azurewebsites(.)net

If you receive an email from any Cryptocurrency exchange or wallet, it will always have the organization’s actual domain in the sender’s address. For example, if coming from coinbase, the email will always be coming from either “account@coinbase.com”, or “account@subdomain.coinbase.com”. No Cryptocurrency exchange or wallet will never contact you from any email address that does not contain their authentic domain.

Due to the increasingly creative approaches to creating lookalike domains that attackers employ, it is also advised that you not click a link to a login portal even if the link appears legitimate (unless you have initiated a transaction or password reset from within the Coinbase platform or app). If you are prompted to authenticate to Coinbase, you open a new browser tab or window, and manually navigate to coinbase.com, and access your account through their standard login portal.

Questions or Feedback

PIXM Threat Research Team
threats@pixmsecurity.com

Media Inquiries

Leslie Kesselring
Kesselring Communications for Pixm
leslie@kesscomm.com