Cyber security researchers at the Cofense Phishing Defense Center (PDC) have unearthed a new phishing campaign targeting CoinSpot cryptocurrency exchange users via a new technique revolving around withdrawal confirmations with the ultimate goal of stealing two-factor authentication (2FA) codes.
The attackers send emails from a Yahoo address that mimic genuine CoinSpot notifications asking the user to confirm or cancel a withdrawal transaction. The malicious emails also include details such as the transaction amount and a Bitcoin wallet address to lend the campaign authenticity.
Clicking either button embedded in the email sends the victim to a phishing landing page. The page clones the CoinSpot login page and is hosted on a spoofed, look-alike domain name to convince the target it is genuine.
"The style appears authentic, and there is even a Bitcoin address included to add to legitimacy. The user is prompted to either confirm or cancel the withdrawal, but both links have the same SendGrid hyperlink," reads the Cofense report.
Additionally, the attackers use a valid TLS certificate, so the browser shows a padlock in the address bar and the victim is led to believe they have reached CoinSpot's genuine, secure login form; the padlock only indicates an encrypted connection, not that the site belongs to CoinSpot. The malicious landing page prompts victims to enter their account credentials, and those who fall into the trap are then shown a two-factor authentication page, the last shield against account takeover.
Once the victim enters a 2FA code, they are redirected to the official CoinSpot website in a final effort to avoid raising suspicion. The attackers can then use the captured credentials and the stolen 2FA code to take control of the victim's account.
How to safeguard crypto investments?
According to security experts, the excitement around cryptocurrency investment has led to an influx of inexperienced and potentially gullible users, making this field an attractive target for attackers.
“The threat actor observed here has been meticulous in obtaining access to lucrative crypto accounts. By playing on the recipient’s fears with carefully crafted steps, it could be easy for targets to perceive this as legitimate,” Cofense researchers explained.
Cryptocurrency exchanges recommend that users calmly review basic elements such as the sender’s address and look for anything suspicious whenever they receive such emails.
Even if everything looks genuine, don’t click the buttons embedded in the message. Instead, open a new browser tab, visit the official website manually, log into your account, and check for any alerts or messages that need your attention.
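The indicators described in this campaign (a Yahoo sender behind a CoinSpot display name, links off the brand's domain, and Confirm/Cancel buttons sharing one tracking URL) can be checked mechanically before anyone clicks. The following is an added example, not code from Cofense or CoinSpot; the brand domain, the sample message and its tracking host are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domain the mail claims to come from (assumed value for this example).
BRAND_DOMAIN = "coinspot.com.au"

# Constructed sample message modelled on the campaign described above:
# Yahoo sender with a brand display name, and Confirm/Cancel buttons that
# both point at the same tracking link on an unrelated (made-up) host.
SAMPLE_EMAIL = """\
From: CoinSpot Support <coinspot.alerts@yahoo.com>
To: victim@example.com
Subject: Confirm your withdrawal of 0.42 BTC
Content-Type: text/html

<html><body>
<p>A withdrawal of 0.42 BTC to bc1q-placeholder-address was requested.</p>
<a href="https://u123.example-sendgrid-tracker.net/ls/click?upn=abc">Confirm</a>
<a href="https://u123.example-sendgrid-tracker.net/ls/click?upn=abc">Cancel</a>
</body></html>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def analyse(raw: str, brand_domain: str = BRAND_DOMAIN) -> list[str]:
    """Return the phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    indicators = []
    # 1. Display name invokes the brand, but the address is on another domain.
    brand = brand_domain.split(".")[0]
    if brand in display_name.lower() and not sender_domain.endswith(brand_domain):
        indicators.append(f"brand in display name but sender domain is {sender_domain}")
    # 2. Any link that leaves the brand's own domain (or a subdomain of it).
    body = msg.get_payload(decode=True).decode(errors="replace")
    links = HREF_RE.findall(body)
    hosts = {urlparse(u).hostname or "" for u in links}
    offbrand = {h for h in hosts if h != brand_domain and not h.endswith("." + brand_domain)}
    if offbrand:
        indicators.append(f"links point to non-brand hosts: {sorted(offbrand)}")
    # 3. Opposite actions (confirm vs. cancel) share one URL: both are bait.
    if len(links) > 1 and len(set(links)) == 1:
        indicators.append("all action buttons resolve to the same URL")
    return indicators
```

Running `analyse(SAMPLE_EMAIL)` on the constructed message reports all three indicators, while a message whose sender and links stay on the brand domain reports none.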