Data breaches have become one of the most serious threats for organizations all around the world, and their numbers are rising every year. Data theft occurs when unauthorized individuals gain access to sensitive, protected, or confidential information, such as personal data, financial documents, intellectual property, etc. However, such an incident goes far beyond the direct loss of data, as it entails serious consequences for the security, reputation, and financial stability of individuals and organizations.
Cybercriminals are employing increasingly advanced forms of scams, such as vishing and spear phishing, in which they impersonate other individuals and representatives of authorities. One example is an incident observed since January 2024 by the Cisco Talos group, involving cryptocurrency theft through a hybrid of information-extraction techniques and social engineering attacks.
Stolen Data as a Tool in Cybercriminals' Hands
In the campaign observed from January by Cisco Talos, the perpetrators impersonated officials from CySEC (the Cyprus Securities and Exchange Commission) and exploited victims' desire to recover funds lost to alleged fraud on the Opteck trading platform, which offers solutions for trading binary options.
In 2017, Opteck's database was stolen and then sold on RaidForums. To this day, some of Opteck's user login data can be purchased on Russian dark markets. In the same year, CySEC declared Opteck's operations illegal and suspended its license until remedial action was taken. The scammers likely used the data previously stolen from Opteck to lend authenticity to their campaign.
The mechanism began with contacting the potential victim by telephone and informing them that the Opteck platform had fallen victim to cybercriminal activity, as a result of which the victim's crypto investments could have been misused. The fraudster, presenting himself as a CySEC official, offered help in recovering the stolen capital. To increase credibility, the scammers sent emails signed with the real names of CySEC officials and then asked for a bank statement for verification. The next message the victim received described the stages of the refund in detail.
During the conversation with the victim, the scammer created a cryptocurrency wallet on the Coinbase platform and sent the victim the wallet ID, assuring them that 816 USDT would be transferred within 12 hours as the wallet's activation amount. If the victim made any mistakes, the criminal demanded that the victim send a specified amount of ETH to another of the scammer's cryptocurrency wallet IDs, which was referred to as the AML wallet in this campaign. The scammer then informed the victim that a Coinbase representative would contact them.
Presenting himself as a Coinbase representative, the scammer suggested that the victim pay 10% of the refund amount, in USDT or ETH, to the so-called AML wallet as a fee for Coinbase insurance. When the victim agreed, the scammer demanded yet another payment in ETH to a further wallet ID as part of the "negotiation process", assuring the victim that 50% of the refund amount would arrive in their Coinbase wallet. That, of course, never happened; the only result was the theft of the victims' cryptocurrency.
Cybercriminals Completed the Campaign Successfully
The campaign was extremely successful, as indicated by the number and value of transactions carried out. Based on their analysis of the phishing emails, Cisco Talos experts were able to identify four Ethereum wallet addresses that the scammers used to steal cryptocurrency from their victims, collecting cryptocurrency worth more than $100,000. Additionally, Cisco Talos noticed that the scammers used multi-chain wallets, meaning they distributed the stolen assets across various blockchain networks, thus blurring traces and making tracking more difficult.
The scammers created domains that resembled the real CySEC website and configured them to look legitimate, all while using Microsoft's tools to send the fraudulent emails, both to avoid detection and to enhance the authenticity of their messages. The Name Server (NS) and Start of Authority (SOA) records of the phishing domains pointed to the name servers of njal.la, a provider offering a "privacy as a service" product, and the Mail Exchange (MX) records of the domains were configured with mail servers under mail.protection.outlook.com, indicating that the phishing messages were routed through Microsoft's email protection services. All of this was done to create an impression of authenticity.
The TXT records of the domains show that the criminals published SPF (Sender Policy Framework) policies, meaning that any IP addresses approved by Microsoft's Outlook protection service were also authorized to send emails on behalf of the criminals' domains. Several ms=msXXXXXXXX values defined in the TXT records were also noticed. Such records are typically created during domain verification by Microsoft Office 365, and their presence suggests that the domain was legitimately registered with the service.
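The DNS pattern described above (privacy-registrar name servers, Outlook-protection MX, an SPF include for Microsoft, and an Office 365 verification token) can be turned into a triage check for lookalike domains. The script below is an added example, not Cisco Talos code; the sample records, the domain name and the `PRIVACY_NS_PATTERNS` substrings are constructed assumptions, while the MX suffix and SPF include are Microsoft 365's standard values.

```python
import re

# Assumed substrings for the privacy provider's name servers (not taken from the article;
# adjust to what your resolver actually returns).
PRIVACY_NS_PATTERNS = ("njal.la", "njalla")
OUTLOOK_MX_SUFFIX = "mail.protection.outlook.com"
# Standard SPF include for tenants relaying through Exchange Online Protection.
OUTLOOK_SPF_INCLUDE = "include:spf.protection.outlook.com"
FULL_PATTERN = {"ns_privacy_provider", "mx_outlook_protection",
                "spf_authorizes_outlook", "ms_verification_token"}

def assess_mail_infra(records):
    """Return the indicators present in a domain's NS/MX/TXT records (dict of lists)."""
    found = []
    ns = [h.lower().rstrip(".") for h in records.get("NS", [])]
    if any(p in h for h in ns for p in PRIVACY_NS_PATTERNS):
        found.append("ns_privacy_provider")
    # MX values look like "<priority> <host>"; keep only the host part.
    mx_hosts = [m.split()[-1].lower().rstrip(".") for m in records.get("MX", [])]
    if any(h.endswith(OUTLOOK_MX_SUFFIX) for h in mx_hosts):
        found.append("mx_outlook_protection")
    txt = [t.strip('"') for t in records.get("TXT", [])]
    if any(t.lower().startswith("v=spf1") and OUTLOOK_SPF_INCLUDE in t.lower() for t in txt):
        found.append("spf_authorizes_outlook")
    if any(re.fullmatch(r"ms=ms\d{8}", t, re.IGNORECASE) for t in txt):
        found.append("ms_verification_token")
    return found

def brand_lookalike(domain, brands, legitimate):
    """True if the domain carries a protected brand keyword but is not one of the brand's own domains."""
    d = domain.lower().rstrip(".")
    if d in legitimate or any(d.endswith("." + l) for l in legitimate):
        return False
    return any(b in d for b in brands)

def triage(domain, records, brands=("cysec",), legitimate=()):
    """Combine the infrastructure indicators with the lookalike check into a verdict."""
    lookalike = brand_lookalike(domain, brands, legitimate)
    if lookalike and FULL_PATTERN <= set(assess_mail_infra(records)):
        return "review: lookalike domain with the relay pattern described by Talos"
    return "review: lookalike domain" if lookalike else "no finding"

# Constructed resolver output for a made-up domain (not the campaign's real indicators).
SAMPLE_DOMAIN = "cysec-refund-department.example"
SAMPLE_RECORDS = {
    "NS": ["ns1.njal.la.", "ns2.njal.la."],
    "MX": ["0 cysec-refund-department-example.mail.protection.outlook.com."],
    "TXT": ['"v=spf1 include:spf.protection.outlook.com -all"', '"MS=ms12345678"'],
}

if __name__ == "__main__":
    print(assess_mail_infra(SAMPLE_RECORDS))
    print(triage(SAMPLE_DOMAIN, SAMPLE_RECORDS))
```

The full pattern is also what any ordinary Microsoft 365 tenant behind a privacy registrar looks like, so treat a match as a reason to review a brand-lookalike domain, not as a verdict on its own.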
Awareness of the Threat: The Basis for Effective Cybersecurity
“The human factor is seen by cybercriminals as an easy target that can be exploited using various social engineering techniques, and as the above analysis shows – they are not mistaken. Using data as a tool for manipulation facilitates hackers in conducting scam campaigns, causing significant financial, reputational, and psychological harm to individuals and organizations,” warns Chetan Raghuprasad, analyst at Cisco Talos. “Therefore, building awareness in society is more than necessary. It enables individuals to protect themselves and entire organizations. By educating about threats we can reduce the risk related to data breaches and scam campaigns,” advises the Cisco Talos expert.
Source: https://managerplus.pl/od-opteck-do-coinbase-sledztwo-w-sprawie-skomplikowanej-kampanii-phishingowej-89796