Bitcoin Scam Run by Fake Exchange, Report Says
Fraudsters Deploy MFA to Give Victims False Sense of Security
Researchers at security company Proofpoint have discovered email fraud campaigns in which unidentified threat actors are swindling victims out of bitcoin by tempting them with a substantial amount of tax-free cryptocurrency.
The report comes on the heels of a U.S. Securities and Exchange Commission warning about fraudulent cryptocurrency schemes making the rounds.
In these latest campaigns, bad actors employ social engineering tactics and send potential victims functioning sets of login credentials to fake cryptocurrency exchange platforms, the researchers say.
The credentials, the victims are told, offer access to hundreds of thousands of dollars' worth of cryptocurrency from an already established account on the platform. The only condition to cash out is that the victim must first deposit some bitcoin in their account on the platform.
Sophisticated, Widespread and Lucrative
While similar to traditional advance fee fraud schemes, this set of campaigns is much more sophisticated from a technical standpoint; it is fully automated and requires substantial victim interaction, the researchers say.
The use of cryptocurrency is notable as it offers anonymity to both the attacker and the victim. "Specifically for the victim, they may find it appealing that the money would be acquired anonymously and tax-free," the researchers say.
The technical expertise of the threat actor is also evident in the way the platforms are designed, according to the researchers, who say they are "well crafted, appearing fully functional to victims."
The campaigns do not target any specific vertical or geography, but are distributed worldwide.
Proofpoint researchers say they first detected the campaign in May 2021 using a coins45[.]com landing page. The most recent version, which started in July 2021, directs potential victims to securecoins[.]net, they add.
Each of the email campaigns, they say, has been sent to "anywhere from tens to hundreds of recipients around the globe."
While Proofpoint did not specify the total number of campaigns observed so far, Sherrod DeGrippo, vice president of threat detection and research at the company, tells Information Security Media Group that Proofpoint tracked some of the cryptocurrency wallets associated with this activity.
"Proofpoint researchers have observed victims discussing their fraudulent losses on publicly available forums, including victims claiming $500,000 in losses related to this one attack," she says. Some of the messages related to this campaign included large-value lures, including up to $20 million, she adds.
How the Campaign Works
Like any other type of business email compromise, or BEC, this one begins with an email designed to get the recipient's attention. The emails attempt to lure victims with the promise of a hefty amount of money.
"In one case, that amount was 28.85 Bitcoin or about $1,350,119 (as of 26 August 2021)," the researchers say.
The victim is then sent login credentials to a supposed bitcoin wallet website. Emails from the same campaign contain the same credential pairs - user ID and password - for all recipients, the researchers say.
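The shared credential pair and the two landing-page domains named in the report are observables a mail defender can pivot on. The following is an added example, not Proofpoint's tooling or data: it runs over a handful of constructed email records and flags any user ID/password pair handed to several distinct recipients, or any message pointing at one of the report's defanged domains. The message format, recipient addresses and credential values are all assumptions.

```python
import re
from collections import defaultdict

# Landing-page domains named in the Proofpoint report, kept defanged as the article writes them.
KNOWN_LURE_DOMAINS = {"coins45[.]com", "securecoins[.]net"}

# Constructed sample messages (not real campaign data) mimicking the lure described in the report:
# an identical credential pair sent to every recipient, plus one unrelated message as a control.
LURE = ("Your account holds 28.85 BTC. Log in at securecoins[.]net\n"
        "User ID: 48213\nPassword: Qx7!pass")
SAMPLE_EMAILS = [
    ("alice@example.test", LURE),
    ("bob@example.test", LURE),
    ("carol@example.test", LURE),
    ("dave@example.test", "Reminder: the offsite is Friday. Password for the wifi: guest2021"),
]

CRED_RE = re.compile(r"User ID:\s*(\S+)\s+Password:\s*(\S+)", re.IGNORECASE)
# Matches both defanged (example[.]tld) and plain (example.tld) hostnames.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\[\.\]|\.)[a-z]{2,}\b", re.IGNORECASE)


def refang(domain):
    return domain.replace("[.]", ".")


def extract_features(body):
    """Return (credential pair or None, set of domains) found in one email body."""
    m = CRED_RE.search(body)
    creds = (m.group(1), m.group(2)) if m else None
    domains = {d.lower() for d in DOMAIN_RE.findall(body)}
    return creds, domains


def find_shared_credential_campaigns(emails, min_recipients=3):
    """Group messages by the credential pair they hand out. A pair reaching
    min_recipients or more distinct mailboxes, or any known lure domain, raises an alert."""
    recipients_by_pair = defaultdict(set)
    domains_by_pair = defaultdict(set)
    for rcpt, body in emails:
        creds, domains = extract_features(body)
        if creds is None:
            continue
        recipients_by_pair[creds].add(rcpt)
        domains_by_pair[creds] |= domains
    known = {refang(d) for d in KNOWN_LURE_DOMAINS}
    alerts = []
    for creds, rcpts in recipients_by_pair.items():
        hits = known & {refang(d) for d in domains_by_pair[creds]}
        if len(rcpts) >= min_recipients or hits:
            alerts.append({"user_id": creds[0], "recipients": sorted(rcpts), "known_domains": sorted(hits)})
    return alerts
```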
As soon as a victim logs in, they're asked to change the password and add a recovery phone number. They're also sent an OTP via an automated call to complete the "security" procedure.
"It appears that multiple people can log in with the same user ID and password if they log in from a different IP address and browser. However, once they change the password, as detailed in the next section, and add in a phone number, the account becomes unique, and victims will not see any trace of other victims’ activities," the researchers say.
Leveraging the best practice of multifactor authentication, the threat actors give victims a false sense of legitimacy and security.
The threat actors also plant a couple of messages from the alleged "previous owner" to add to the sense of legitimacy.
"The information provided in the messages indicate that this platform is completely anonymous, making it the perfect place to take some BTC from. The user account area shows there is no need to enter any name or address. The victim is only allowed to enter a phone number and an optional email address. The page also notes the last time the victim logged in and mentions that the IP address is never stored, putting a technically savvy victim even more at ease," the researchers note.
The account shows that some BTC has been deposited and withdrawn in the past, making it appear as if the account is functional.
Now, if the victim were to try to transfer funds out of the platform, they'd be told that the first transfer out of any portfolio must be 0.0001 BTC to ensure "everything works."
"As the victim proceeds and submits a transfer request, the transfer appears in the queue. After roughly 40 minutes, the transfer option appears to work! The victim starts to receive confirmations of the transfer along with the amount appearing in their personal wallet. The platform also appears to be updated in real time," the researchers say.
Unfortunately for the victim, when they try to take out the rest of the bitcoin, they're told that the account owner specified a minimum withdrawal amount of 29.029 bitcoin. A likely conclusion would be that the only way to withdraw money would be to transfer enough funds to reach a balance of 29.029 bitcoin and then empty the account.
While Proofpoint researchers were unable to verify, they "assess with high confidence" that the final transfer out of the platform would not work, leaving the victim’s legitimate wallet significantly lighter.
An Active and Evolving Platform
The platform appears to be under active development, Proofpoint's DeGrippo tells ISMG.
"The threat actors in August 2021 added an additional step to force prospective victims to pay money upfront before being able to log in and access the account," she says.
After changing the login password and setting up multifactor authentication, the victim must agree to a yearly fee of 0.0005 bitcoin, the research report says.
Accounts whose password and phone number have been changed prior to Aug. 5, 2021, however, are still able to log in and use the platform without this additional fee being requested, it adds.
Anonymity can make it incredibly difficult to identify the malicious threat and the threat actor, Amit Sharma, security engineer at software security services provider Synopsys, tells ISMG.
As many crypto users are tech-savvy, social engineering attacks must create a false sense of security to lead users to believe a particular attack or scam is legitimate, he says.
"There are oftentimes events or offers around Initial Coin Offerings or Initial Dex Offerings that gather many users who want to get in early - and this is also when we often see a spike in fraud," he notes.
Regulatory control, Sharma says, is required, at least to monitor and mitigate cybercrime and fraudulent activities.