Episode 14: The Trouble with Crypto
Undoubtedly you’ve heard about all the trouble in the cryptocurrency world, but that’s not what we are here to talk about. There are numerous scams around cryptocurrency, some of which we’ve talked about on this podcast, including pig butchering.
This one takes multiple methods of social engineering and combines them to trick people into giving up their cryptocurrency wallet credentials. But how are they getting past two-factor authentication? And what methods are they using to scam people? What part does TeamViewer play in all of this?
The content for this episode came from this article on Bleeping Computer: “Attackers bypass Coinbase and MetaMask 2FA via TeamViewer, fake support chat”.
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.
Welcome to the Human Element podcast. Visit our website at the human element dot net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. Welcome to Episode 14. We’re going to dub this “The Trouble with Crypto,” and we’re not going to talk about the trouble with crypto, if you get what I mean. So cryptocurrency has taken a nosedive, all of them; there are scams, FTX and other issues out there. Bitcoin, I think, is at the lowest it has been in many years, and so are others. But we’re not going to talk about that; that’s not what we’re here for. This is not a cryptocurrency podcast, and I would be lying if I said I am a cryptocurrency expert. I am not. I understand the technology, the blockchain behind it, but I don’t really dabble in crypto. I own a little bit, but not a whole lot. This is more about the human element. And as you’re aware, the human element is often the cause of many breaches and/or scams. It’s almost 100% exclusively the human element. First, I want to apologize. It’s been almost four months since our last episode; it’s just that my main business has been booming and I just have not had a chance to record podcasts. I will try to get back to weekly. So if you used to listen to this and you missed out, I apologize. There have been lots of things that occurred in those four months that we could discuss on this podcast. But this one is a little newer. This is on Bleeping Computer from two days ago, as I record this on November 21, 2022. And the title of the article on Bleeping Computer is “Attackers bypass Coinbase and MetaMask 2FA via TeamViewer, fake support chat.” And really, this illustrates the overwhelming use of different tactics of social engineering in order to accomplish the end goal, the end result here being to steal the cryptocurrency in Coinbase.
You know, somebody who’s purchased Bitcoin, Ethereum or some other cryptocurrency, they’ve purchased it and they’re storing it in Coinbase, or MetaMask, or crypto.com, or KuCoin. And they’re stealing this cryptocurrency by using several different forms of social engineering and combining them into one attack. And I have mentioned in a previous podcast that when you combine phishing tactics, so for example an email followed up with a phone call, or a text message followed up with a phone call, the success rate doubles. It goes from around 30 to 40%, usually, depending on the scam, all the way up to 80-plus percent when you add multiple attack methods. So again, if I send you a text message, and we talked about this with Zelle and how you receive a text message saying, “Did you authorize this transaction for Zelle?” And then of course you reply with no, because you didn’t. And immediately you get a phone call from someone claiming to be from the bank. So, similar tactics here: they’re using multiple methods, more than two in this instance, to steal cryptocurrency. So this starts out with Microsoft Azure web apps. So they’re building web apps on Microsoft Azure. You know, anybody can get on Microsoft Azure, create an account, and they give you certain services for free for a limited time and a limited amount of usage. You create a web app that looks like a legitimate site, but in reality it’s a phishing site. So they use Microsoft Azure, and I wouldn’t be surprised if they also use Amazon and/or Google or some other services. There are tons of those types of services, Microsoft just being one of the bigger ones. They lure the victims with phishing messages that impersonate bogus transaction confirmation requests. So, very similar to Zelle, you get a notification saying that a transaction took place, and they want you to confirm it. So it could be a bogus transaction.
It could be suspicious activity detection. We’ve all received text messages at this point saying there’s been suspicious activity on your checking account, please click here to confirm. I think we’ve all gotten a text message. There’s M&T Bank that just took over, merged a couple of different banks in Connecticut, and everybody’s receiving text messages, even if they don’t have an account with M&T Bank. One of the phishing emails seen in the attacks pretended to be from Coinbase, which says they locked the account due to suspicious activity. Now, I wish I could find it, because I did see that; I received this message in my regular Gmail account. You know, obviously, the level of spam protection isn’t as high in a Gmail account. Nor do I care, because that’s essentially what it’s for: to sign up for things that I don’t really want to receive emails for. When the targets visit the phishing site, they are presented with a chat window, supposedly for customer support, controlled by a scammer who directs visitors through a multi-step defrauding process. So as I mentioned, multiple steps are involved in this process, and because of that, the success rate is a lot higher, and it includes getting onto your computer. So if you’re receiving these notifications and you allow this conversation to take place, it will eventually, potentially, lead to them trying to remote into your computer, and I’ll explain how they’re doing that and why. One of the first things I do when we take over a new client is remove TeamViewer from every computer, if it’s on there. So Pixm has been tracking this campaign since 2021, when the threat group targeted only Coinbase. Recently, Pixm analysts noticed an expansion in the campaign’s targeting scope to include MetaMask, crypto.com, and KuCoin. I’m not familiar with KuCoin. Again, I’m not a big cryptocurrency person, but MetaMask and crypto.com I am familiar with.
And I know Coinbase is going through a lot of trouble anyway. So how do they bypass 2FA, you’re now thinking? Coinbase, and I’m assuming MetaMask and crypto.com do this as well, and KuCoin probably, force you to sign up for 2FA now. And if you have an account anywhere, especially financial, and they’re not asking you to set up 2FA, just walk away. But anyway, bypassing 2FA. We’ve talked about this before as well. There are ways to get around 2FA; it’s mostly through social engineering. So the first phase of the attack, the fake crypto exchange phishing sites, involves a bogus login form followed by a two-factor authentication prompt. So listen to how they’re doing this. Essentially, what happens is they ask you to log in. It looks like a real site, but it’s not; it’s a clone of the real site. And you can confirm this by looking at the URL very carefully, because they could be using something similar to what you’re used to. So in other words, if it’s crypto.com, maybe they change the O to a zero or something like that. That’s very possible, and I don’t know if that’s what they’re doing. I would imagine that purchasing crypto.com with a zero instead of an O is going to be expensive, so I don’t think they would do that, but it’s possible. Regardless of the credentials entered during this stage, they will still be stolen by the threat actor. So what happens is you enter your credentials into this fake page that looks like the real page, and then it prompts you for 2FA. Okay, well, that seems legit. They’re asking me for 2FA; nobody could break into my account if they’re asking for 2FA, two-factor authentication that is. And so you put it in, except that this site is also stealing those credentials. So the attackers on the other end are instantly on the real website. So let’s say KuCoin; there’s an image here of KuCoin.
So they’re on the KuCoin website. They’ve already entered the credentials, because they stole them when you entered them into the fake phishing website, and then you enter 2FA, and now they’ve entered that same code into the real KuCoin website. So now they’ve logged into your account, because you have given your 2FA to this fake website and they’ve collected it. If for some reason that fails, then they move on to the next phase. And it also says here that MetaMask phishing attacks target recovery phrases rather than credentials or 2FA codes. So, chatting with scammers. So now there’s a chat on this page. So now 2FA didn’t work.
The scammer has triggered the next attack stage, which is to launch an on-screen chat support. And it’s really easy to add chat support to your website. I have it on my website. A lot of times there are free ways to do it. You can do it for free through Facebook, although I don’t think you’d want to chat with people on Facebook on your website, but there are businesses that do this. This is done by displaying a fake error message stating the account has been suspended due to suspicious activity and asking the visitor to contact support to resolve the matter. So you get a message on the screen on this fake website, not the real website, on the phishing website, that says that your account has been suspended, and then they start chatting with you on the website. In the support chat, the threat actors start a conversation with the targeted victim to keep them around in case different credentials, or recovery phrases, or two-factor authentication codes are needed for the threat actors to log into the account. They will prompt the user for their username, password and two-factor authentication code directly in the chat. But here’s where it gets really interesting. The criminal will take this directly to a browser on their machine and again try to access the user’s account. But if they fail, then what happens is they go to asking the customer to use TeamViewer to overcome the authenticated-device obstacle. In other words, your device has been previously authenticated and verified, but now they’re using a device that’s not the victim’s. The attackers convince the victim to download and install the TeamViewer remote access app. The scammer asks the victim to log into their cryptocurrency wallet or exchange account, and while they do so, the threat actors add a random character in the password field to cause a login failure.
So you’re entering your password, and they enter a random character while you’re doing this, because they’re remoted into your computer. And of course the login fails. So then they ask you to paste the password into TeamViewer so that they can use that password on their end. Once they gain access to the account or wallet, the threat actor drains all the funds while still keeping the victim engaged in their support chat. So now that they’ve got you in a support chat, they’re, you know, telling you, “Okay, we’re trying to confirm that this works and see what’s wrong.” And in reality, they’re draining all of your cryptocurrency out of your account and into their own account, and the crypto exchanges all say there is no way to recover these. If you fall for one of these scams, there’s nothing that a crypto exchange can do to recover your funds once they’re transmitted from your wallet. That’s it, it’s gone. And if you have tens of thousands or more in cryptocurrency sitting on one of these exchanges, it is gone. So what happened here? How did these people get scammed? And this has been going on since 2021, so we’re already in our second year of this scam happening. Again, they’ve used multiple methods of social engineering. They’ve taken you to a phishing website that looks like a real website, so if you’re not paying attention to the URL, that’s the actual address. So if I were to go to google.com, it would be G-O-O-G-L-E dot com in my address bar. One of the problems is some people don’t know that an address bar is not the same as a search, and so they may not be looking at the address bar when this happens. Now, if you’re dabbling in cryptocurrency, hopefully you know better than that. Number two, they ask you to log in. So if they’ve convinced you that this is the real website, and now you’re logging in, they’re stealing those credentials.
And if you’ve listened to this podcast or any other podcast similar in nature, then you know that there are plenty of phishing websites out there; that’s what they do. They convince you to log in, they steal your credentials, and then they run with it. Okay, well, I have multi-factor authentication, two-factor authentication on my account, so that doesn’t matter. Who cares if they steal my credentials? I’ll just change my password. Except now they’re asking you to enter your two-factor authentication, and now you have that warm and fuzzy feeling. Okay, they’re asking for two-factor authentication, so this is okay. Except that what they’re really doing is stealing your two-factor authentication codes. So you enter the code, they steal that, and then they try it on the real website in the background. Now, for some reason that fails, whatever reason; you know, if they have some sort of conditional access, which just means they have never logged in from that location. So now the cryptocurrency exchange wants another authentication method. Now they move on to the next phase, and that’s to start a support chat with you and again try to steal those credentials through the support chat. And if it’s still not working, they’re going to convince you to install TeamViewer. Which, yes, there are businesses out there that legitimately use TeamViewer, but there are also lots of shady people out there that use TeamViewer to remote into computers. You can use TeamViewer for free, and so that’s where this runs into a problem for people, because you can install it for free and you can connect to someone’s computer: they give you the code, you log into the computer, and do what you have to do. And so they did convince them to install TeamViewer, and as they’re entering the password into the website, they add an extra character.
So now it fails, and they convince the end user to copy and paste the password into the chat. So now they have the password. Minus, you know, obviously, they’ll take out the character that they entered to cause it to fail. And they’re going to log into the real crypto exchange site, steal all your cryptocurrency and run with it. And there’s nothing you can do about it. Social engineering using multiple methods has a higher success rate, and obviously this is working, because it’s been going on for two years, and we’re talking about it in year two. So how do you protect yourself? Well, there are a few things. Number one, look at the address in the web browser. First of all, don’t fall for the scam. If you get an alert saying that there’s a problem with your account, or “Did you authorize this transaction?”, then just simply go to coinbase.com and log in there, or crypto.com or MetaMask or KuCoin, and just log in there, whatever the exchange is. Even if it’s just your regular bank, just log in with the website that you know to be the correct website. Or alternatively, call the exchange or the bank or whoever it is. If you have a debit card, if it is your bank, call the number on the back of the card. Google the phone number for support at any of those companies, and call them directly to find out what’s going on. And they will tell you, yes, this is a scam. The second thing is, as I mentioned, you can look at the web address of the website that they’re taking you to and confirm whether or not it is the real site. Chances are it’s not. Thirdly, if you’re using some kind of web filtering technology: we install DNS filtering for some of our clients where it makes sense. And one of the things it does is block out known phishing sites and/or newly registered sites. So if the domain was just purchased and a website launched recently, it’s going to get blocked automatically.
You could do this in your own home as well. And as a matter of fact, some of the anti-malware, they’re called endpoint detection now, some of those software packages will offer ways to protect you on the web as well. Even Google, to some degree, will block some of those sites. So if you get any kind of alert on your computer suggesting that the website is not legit, then back out of it right away. Do not allow anybody to install TeamViewer on your computer, ever. For those companies that legitimately use TeamViewer, I would highly recommend, because of the reputation around it, just move away from TeamViewer. And I’m sorry, that’s just the way I feel. Now, I know they have a paid plan as well, so it’s a little bit different, but it still doesn’t change the fact that it’s being used for nefarious purposes on a regular basis. And there are other ways to do this. It’s not the only way to remote into a Windows computer; you can simply use Quick Assist on a Windows 10 or 11 computer. The problem is trying to get the person to find Quick Assist; it doesn’t seem to be well known that Quick Assist exists on Windows computers. In a support chat, never paste your password anywhere. Never copy and paste it, especially into a support chat. There is never a reason for them to have the password, ever. All of our clients at Washtech are told: do not give us your password. We have other ways to help you. We do not need your password, ever. We will never call you and ask you for your password. We will never prompt you for it. I will say, “Log in.” I don’t want to know your password; you go ahead and log in. And I’ll be honest, some people will still give me the password. I don’t want it, and if you give it to me I forget it anyway; I barely remember my own passwords. So just don’t give out your password through any method.
And the last suggestion that I’ll give you is, it’s really easy. You get an alert saying, “Did you authorize this transaction?” to transfer, let’s say, $10,000 worth of cryptocurrency, and automatically your first reaction… I’m in the business, and I know a phishing scam or a smishing scam whenever I receive one. But if I got a text saying, “Did you authorize this sale for $5,000?”, my instinctive gut reaction is, “Oh, crap, what’s going on?” Amazon text messages that say there’s a problem with your delivery, click here to update your address or whatever: my instant reaction is, “Oh, crap, something’s wrong.” I take a second and say, “No, wait a minute, this isn’t right.” Step back from whatever it is that’s causing you that anxiety, that fear, whatever that emotional response to the text or email or phone call that you just received is. Wait, just wait, give it 5 or 10 minutes, and then come back and say, “Wait a minute, is this right?” Look at the link that they texted you or emailed you and say, “This doesn’t look right.” Look at the message again; you’ll probably pick up on grammatical errors or things like that. Just step back and say something isn’t right. And then say, “I’m going to go to the website manually.” Type in, you know, let’s use Coinbase again, coinbase.com. I’m sure we all know how to spell C-O-I-N-B-A-S-E dot com. Make sure it’s dot com, because that’s their official website, and log in through there and say, “No, there’s nothing wrong.” Or call them; even better, call them and say, “Listen, I just got this text message, I want to make sure it’s legitimate.” Always, always use some kind of verification for yourself to make sure that the information is on the up and up. Chances are it’s not. I don’t think with any of these services that you’ll receive a text message out of the blue saying, “Did you do this?”
“Did you authorize this?” A lot of times, if they detect fraud, they’re going to call you; they will place a phone call to you. So hopefully this helps someone, but again, it illustrates the problem with social engineering: when they combine multiple methods of engineering you, the success rate increases significantly, not just a little bit, significantly. So where you might think it’s not worth their time and energy, “I only have, you know, a few hundred dollars in my wallet,” that few hundred dollars could mean a lot to someone else, and they’re going to work hard to get to that. So stay safe. I’m going to upload this on the day before Thanksgiving, so if you celebrate Thanksgiving, Happy Thanksgiving, and we will do our best to make this a more regular podcast again. Until next time. Stay safe, stay secure, and don’t get scammed.
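The episode’s defensive advice boils down to reading the address bar carefully: a cloned login page can sit on a lookalike domain (the “O swapped for a zero” case) or on a cloud web-app hostname that merely contains the brand name. The following script is an added example written for this page; it is not code from the podcast, from Pixm, or from Bleeping Computer. It automates that address-bar check for a defender triaging links out of an alert message. The `KNOWN_BRANDS` allow-list, the `HOMOGLYPHS` and `MULTI_CHAR` tables, and the function names `classify_url` and `triage` are all constructed for the demonstration, and the sample links are made up.

```python
"""
Added example (not from the podcast or the Bleeping Computer article):
automating the "read the address bar carefully" advice.

Given a link from a text message or email, plus the exchange domains the
user actually holds accounts with, classify the link as the real site, a
lookalike of a known brand, or something unrelated.  The brand list and
the homoglyph tables are constructed for this demonstration.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the domains the podcast names as real exchanges/wallets.
KNOWN_BRANDS = {"coinbase.com", "metamask.io", "crypto.com", "kucoin.com"}

# Single-character swaps seen in lookalike names (e.g. the "o" -> "0" swap the
# podcast mentions).  Deliberately small; a production check would use a
# full Unicode confusables table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Two-letter sequences that render like a single letter ("rn" looks like "m").
MULTI_CHAR = {"rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """'login.coinbase.com' -> 'coinbase.com'.
    Simplification: assumes a one-label public suffix (ignores e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(text: str) -> str:
    """Fold homoglyphs and hyphens so 'c0inba5e' and 'rnetamask' compare
    equal to the brand they imitate."""
    folded = text.lower().translate(HOMOGLYPHS).replace("-", "")
    for lookalike, letter in MULTI_CHAR.items():
        folded = folded.replace(lookalike, letter)
    return folded


def classify_url(url: str, brands=frozenset(KNOWN_BRANDS)) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated' for a link."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or "." not in host:
        return "unrelated"

    reg = registrable_domain(host)
    if reg in brands:
        return "legitimate"           # real domain, or a true subdomain of it

    # Case 1: the registrable domain is a homoglyph twin (crypt0.com, rnetamask.io).
    for brand in sorted(brands):
        if normalise(reg) == normalise(brand):
            return f"lookalike:{brand}"

    # Case 2: the brand name is used as a label or inside one, but the
    # registrable domain belongs to someone else (coinbase-support on a cloud
    # web-app host, or kucoin.com.<other-domain>).  This is the hosted-clone
    # pattern the episode describes.
    labels = [normalise(label) for label in host.split(".")]
    for brand in sorted(brands):
        brand_word = normalise(brand.split(".")[0])
        if any(brand_word in label for label in labels):
            return f"lookalike:{brand}"

    return "unrelated"


def triage(links):
    """Classify a batch of links; returns {url: verdict}."""
    return {link: classify_url(link) for link in links}


if __name__ == "__main__":
    # Constructed sample links of the kind an alert message might carry.
    SAMPLE_LINKS = [
        "https://login.coinbase.com/",
        "https://crypt0.com/verify-transaction",
        "https://rnetamask.io/recover",
        "https://coinbase-support.azurewebsites.net/chat",
        "https://kucoin.com.account-review.example/",
        "https://www.example.org/",
    ]
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:24} {link}")
```

The check deliberately errs toward flagging: any hostname that carries a brand word outside the brand’s own registrable domain is reported as a lookalike, which matches the episode’s advice to treat an unexpected link as suspect and go to the known-good address by hand. It does not consult a public-suffix list or a domain-age feed, so it complements rather than replaces the DNS filtering of newly registered domains mentioned in the episode.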