This is a true story and the names and location of the victim's family have been deleted. A crypto account holder was annoyed when his phone would not stop buzzing. It looked like a robocall, so he tried to ignore it. The calls continued and then his wife’s phone also started to ring. When she picked it up, a banner came across, a notification that read, ‘Your account’s in jeopardy.’” The warning, which he said was a text message, prompted him to pick up his phone. That was when the couple’s nightmare started.
The couple began investing in cryptocurrency several years ago. By December 2021, their account had grown to about $106,000, mainly held in bitcoin. Like millions of investors across the country, their account is with Coinbase, the country’s largest cryptocurrency platform.
When the target answered his phone, a female voice said, “Hello, welcome to Coinbase security prevention line. We have detected unauthorized activity due to failed log-in attempt on your account. This was requested from a Canada IP address. If this (is) not you, please press 1, to complete precautions recovering your account.” The call lasted just 19 seconds.[1]
Alarmed, he pressed 1. He said he cannot remember if he manually entered his two-factor authentication code or if it came up automatically on his screen. But what happened at that moment led to his account being locked in less than two minutes. Since the victim has not regained access, he said he assumes the fraudsters stole most if not all of the crypto, but he cannot be sure.
The couple was targeted by a particularly insidious type of fraud that takes advantage of two-factor authentication (2FA). People use 2FA, the second level of security that often involves a passcode, to safeguard a range of accounts at crypto exchanges, banks, or anywhere else they carry out digital transactions. This new type of fraud goes right at that 2FA code, and it uses people’s fear of their accounts being hacked against them. In taking action they think will protect them, they actually expose themselves to thieves.
The fraud tool is called a one-time password, or OTP bot. Many websites now leverage one-time passwords (OTP) to authenticate login and verify the user’s identity. Cybercriminals and fraudsters have consistently developed various techniques to bypass and defeat 2FA. OTP bot services have become increasingly popular with cybercriminals and fraudsters in recent months. OTP bots communicate in an automated mode with victims, attempting to trick them into providing information required for account takeover. These services use bots to initiate phone calls to the victims and solicit sensitive information such as 2FA codes, account PINs, and other PII. For the most part, these bot services are provided as a service, and they are available in various underground communities and telegram channels. Any cyber threat actor willing to pay can get immediate access to these bots.
The damage is hard to quantify now because these bot attacks are relatively new. The bot calls are crafted in a very skillful manner, creating a sense of urgency and trust over the phone. The calls rely on fear, convincing the victims to act to ‘avoid’ fraud in their accounts.
The scam works in part because victims are used to providing a code for authentication to verify account information. At first, listen, the robocalls can sound legitimate especially if the victim is harried or distracted by other things at the moment the call comes in.
The bots began showing up for sale on messaging platform Telegram during the summer of 2021. Investigators have identified at least six Telegram channels with more than 10,000 subscribers each selling the bots. While there is no official estimate on the amount of crypto stolen, fraudsters routinely brag on Telegram about how well the bots have worked, netting for each user thousands or hundreds of thousands of dollars in crypto. The cost of the bots ranges from $100 a month to $4,000 for a lifetime subscription.
Before these OTP bots, a cybercriminal would have to make that call himself and invest in social media research. They would have to call the victim and try to get them to divulge their personal identifiable information or bank account PIN or their 2FA passcode. And now, with these bots, that whole system is just automated and the scalability is that much larger and profitable to the cyber actors. Once the victim inputs that 2FA code or any other information that they requested the victim put in their phone, that information gets sent to the bot. The bot then automatically sends it to the cybercriminal, who then has access to the victim’s account. Cybercriminals can access the account until all funds are transferred.
A Coinbase spokesperson said, “Coinbase will never make unsolicited calls to its customers, and we encourage everyone to be cautious when providing information over the phone. If you receive a call from someone claiming to be from a financial institution (whether Coinbase or your bank), do not disclose any of your account details or security codes. Instead, hang up and call them back at an official phone number listed on the organization’s website.”
Another Coinbase customer knew the company would not be calling him. He recently received a robocall saying there was a problem with his account. “It was an electronic voice that told me it was Coinbase Fraud Department,” he said. “I immediately turned to the lawyer sitting next to me and said, ‘Start videoing.’ I knew instantaneously what this was and what it was going to be.” The intended victim knew what the call was about because he is not just a Coinbase client, he is an attorney who specializes in cryptocurrency and financial fraud cases. He pressed 1 and found himself on a live call. A person got on the line pretending to be a Coinbase employee. “They immediately started telling me things that I know are in violation of what Coinbase would do,” he said. “For instance, they will never ask for your password. They will never try or ask to take over your computer.”
The attorney asked if he could be sent an email verifying that the call was from Coinbase. The answer was no. “Their answer was no because there are only certain ways that you can mask the email coming directly from a domain that nowadays, the domain carriers such as GoDaddy, Google it’s very hard to spoof email coming from the domains,” he said. “They weren’t willing to send me the email. I would say that was my last shred of hope that they were legitimate is when I asked them to send me the email and they said no.” After nearly seven minutes, the lawyer was asked to share his computer screen. He then ended the call. “I’m not surprised I got the call. But I do question how they had my personal cell phone number and where they’re getting that information to tie me to Coinbase,” he reported.
The first victim said he wishes he had never answered the phone. To make matters worse, he has been unable to get his account access restored. Recently, he said that he had just responded to an email from Coinbase to help restore access to the account. Customer service at Coinbase has continued to be a problem for victims of the scam, investigators found last year. Customers in the USA said hackers were draining their accounts, but when they contacted Coinbase for help they could not get a response. Since then, Coinbase has set up a phone support line to help customers, but even that has had problems.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.nbcnews.com/tech/crypto/fraudsters-are-using-bots-drain-cryptocurrency-accounts-rcna16262
Comments