 |
| Image Source: PIXM |
Pixm cybersecurity company is tracking group which is currently active in the wild . This group targeting the users of cryptocurrency exchanges and wallets.According to pixm's Research team initially Group target only Coinbase users and over the last month the group increase their capabilities to cover more cryptocurrency exchange and wallets.
Phase 1: 2-Factor Relay Continued
On the new domains associated with the campaign, the 2-Factor relay interception tactic is again in use. Regardless of the credentials the user enters (if they are legitimate or not) the user will be moved to a 2-Step Verification page after clicking ‘login’ where, depending on the platform in question, will be prompted for a 2-Factor code or their phone number used to retrieve their 2-Factor code. The criminal group will first attempt to relay these credentials and 2-Factor codes to the legitimate login portal associated with the platform they are spoofing. Once the user clicks ‘verify’ they will be presented with a message telling them unauthorized activity has occurred on their account.
 |
| Image Source: PIXM |
As with the Coinbase attack this group started with, this will initiate a chat window to keep the user on the phishing page in the event the 2-Factor code fails and the threat actor needs to start a remote desktop session with the victim to continue the attack. In our experience, regardless of if the victim enters legitimate credentials or not, the group will ‘chat’ with the victim to keep them in contact should they need to resend the code or proceed to the second phase of the attack.
Phase 2: 'Customer Support' Chat
For a majority of the attacks this group carries out, they will require direct interaction with the user. Their login and verification portals will, by default, produce an error regardless of the actual standing of the user’s account on the real exchange or wallet.
 |
| Image Source: PIXM |
 |
| Image Source: PIXM |
This process is intended to initiate a chat session with a member of the criminal group posing as a customer support representative from the exchange or wallet site you have visited. The criminals will use this interface to attempt to access the users if their initial credential relay failed or time expired. They will prompt the user for their username, password, and 2-Factor authentication code directly in the chat. The criminal will then take this directly to a browser on their machine and again try to access the users account. Should this also fail for any number of reasons (most common of which is that the device the attacker is using to access the victims account or wallet is not an ‘authorized device’ in the user’s profile), the attacker will proceed to phase three with the victim.
Read the full article @ PIXM
No comments:
Post a Comment