Phishers Attempt to Steal 2FA Code of CoinSpot Users
Use of Yahoo Japan Email ID Is Only Obvious Scam Indicator, Analysts Say
Threat actors have attempted to steal two-factor authentication codes from users of Australian cryptocurrency exchange CoinSpot, according to researchers.
The codes would help attackers perform "potentially unauthorized withdrawals from individual accounts," say analysts at Cofense Phishing Defense Center.
Cofense did not immediately respond to Information Security Media Group's request for details on mitigation measures undertaken, as well as information on whether any customer accounts were compromised.
As is usually the case with such campaigns, the attackers sent users an "extremely convincing" phishing email, the analysts say.
Apart from the obvious indicator - the email was sent from a Yahoo Japan email address rather than from CoinSpot's official correspondence address - there was nothing else that would raise red flags and mark it as a phishing email, Cofense says. "The style appears authentic, and there is even a Bitcoin address included to add to legitimacy," the analysts note.
The phishing email contains "confirm" and "cancel" withdrawal options, both of which lead to the same URL - hXXps://birragzez[.]netlify[.]app/ - a landing page for the phishing site. This page, too, is convincing to the unsuspecting eye: Its domain name - coinspotswap[.]com - is only slightly different from the legitimate coinspot.co.au, and the website shows a digital certificate lock symbol in the URL address bar, according to the analysts.
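The three indicators described above (a brand name in the display name but a sender domain the brand does not own, links to a lookalike or unrelated domain, and "confirm" and "cancel" choices that resolve to a single URL) can be checked mechanically at a mail gateway. The following is an added example written for this article, not code from Cofense or CoinSpot; the sample message is constructed to mirror the campaign, the legitimate domain is taken as the article states it, and the registrable-domain helper is a deliberate approximation that does not consult the public suffix list.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

BRAND = "coinspot"
LEGIT_DOMAINS = {"coinspot.co.au"}  # legitimate domain as stated in the article

# Constructed sample modelled on the campaign described above; not the actual phishing email.
SAMPLE_EMAIL = """\
From: CoinSpot Support <withdrawals@yahoo.co.jp>
To: customer@example.com
Subject: Confirm your withdrawal
Content-Type: text/html

<p>A withdrawal to bc1qPLACEHOLDER was requested from your account.</p>
<a href="https://birragzez.netlify.app/">Confirm withdrawal</a>
<a href="https://birragzez.netlify.app/">Cancel withdrawal</a>
"""


def registered_domain(host):
    # Rough registrable domain (no public-suffix list): keep three labels under a two-label country suffix such as co.au.
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "net", "org"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_message(raw):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(msg["From"] or "")
    sender_rd = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # Brand name in the display name, but mail sent from a domain the brand does not own.
    if BRAND in name.lower() and sender_rd not in LEGIT_DOMAINS:
        findings.append(f"sender-mismatch: {addr}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = re.findall(r'href="([^"]+)"', body)
    for host in {urlparse(u).hostname for u in links if urlparse(u).hostname}:
        rd = registered_domain(host)
        if rd in LEGIT_DOMAINS:
            continue
        # Brand token inside a domain the brand does not own is a lookalike; otherwise just off-brand.
        kind = "lookalike-domain" if BRAND in rd else "offbrand-link"
        findings.append(f"{kind}: {host}")
    # "Confirm" and "Cancel" choices that resolve to one URL are a single lure, not a real choice.
    if len(links) > 1 and len(set(links)) == 1:
        findings.append(f"same-url-choices: {links[0]}")
    return findings
```

Running `analyze_message(SAMPLE_EMAIL)` yields a sender-mismatch, an off-brand link to the netlify host and a same-URL finding; swapping the link host for coinspotswap.com turns the second finding into a lookalike-domain hit.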
To add to the appearance of authenticity, the threat actors used password requirements and checks, such as upper- and lower-case characters, numbers and special characters, the analysts say.
If the CoinSpot user enters the username and password on this page and hits the "Login" button, a second phishing page is displayed that prompts the user to enter the two-factor authentication code from the Google Authenticator app.
Once the user submits the 2FA code, it is stolen by the threat actors, and the user is then redirected to the original CoinSpot website so as not to raise suspicion about the malicious activity, the analysts say.
Although the campaign is similar to most other phishing campaigns in many ways, it is notable for the fact that it is very time-critical, says James McQuiggan, security awareness advocate at cybersecurity firm KnowBe4.
"The 2FA has a time constraint," McQuiggan says. The cybercriminals use emails similar to those generated by the actual organization and use fear and greed to get the user to "bypass any critical thinking and click on the link in the email. Organizations need to inform and educate their customers that they will never contact them to change passwords, update financial information, or confirm account changes," he tells ISMG.
It's crucial to avoid the links in an email message, McQuiggan says, and to instead use saved bookmarks or visit the website itself and log in to verify the information is accurate. "It will only take a few extra moments," he says, but it will save the user days or months required to recover lost funds or their identity.
CoinSpot says it provides several customizable account security and data security features such as 2FA, custom withdrawal restrictions, and session timeout limit settings along with an ISO 27001 certification that is a standard for protecting an organization's data.