Catches of the month: Phishing scams for October 2021

Welcome to our monthly review of phishing scams, in which we examine the latest campaigns and the tactics being used by cyber criminals to fool you into handing over your information.

This month, we concentrate on scams affecting banking and the financial sector, and why 2FA (two-factor authentication) isn’t as secure as you might think (although it’s still better than nothing).

Thousands of Coinbase users lose funds in phishing attack

The Coinbase cryptocurrency exchange has warned more than 6,000 of its customers that they were the victims of “a third-party campaign” that gained access to their accounts and removed funds.

The perpetrators most likely used phishing attacks to gain access to victims’ email accounts and personal data, which they then used to attempt to sign in to the targeted Coinbase accounts.

Coinbase accounts are secured by 2FA, so even with all this information the attackers should have been unable to sign in.

However, Coinbase admits that there was a flaw in its SMS Account Recovery process, which enabled the attackers to receive the 2FA token intended for the victim, giving them access to the accounts instead.

The attackers were then able to transfer funds from victims’ Coinbase wallets.

As soon as Coinbase learned of the compromise it updated its SMS Account Recovery process and began reimbursing those who had been affected. It has not disclosed how much cryptocurrency the thieves stole.


Barclays account holders fall victim to smishing attack

It is not just virtual currency exchanges that have fallen victim to phishing: attacks on banks have continued to increase in recent months.

According to The Telegraph (paywall), fraudsters have stolen millions of pounds from Barclays accounts in “a series of orchestrated attacks” using a Monzo account and a PISP (payments initiation service provider).

A Barclays spokesperson told The Telegraph:

“There is nothing new or different about a fraudster’s approach to these cases that are specific to using a Pisp.

“It is the same type of social engineering to convince victims to share passcodes/Pinsentry codes as is done to defraud customers through traditional channels. We regularly warn customers never to give out their Pinsentry codes or any passwords to prevent this type of fraud from happening.”

The Open Banking Implementation Entity discussed a similar attack that took place in May.

It is believed that the attackers sent fraudulent SMS messages to victims (known as ‘smishing’) that purported to verify payments.

When the victims tapped the enclosed link, they were taken to a malicious website that looked identical to their bank’s, where they unsuspectingly entered their login details.

The attackers were then able to set up another bank account using these stolen credentials and use a PISP to initiate payment requests.


At least eight Canadian banks affected by phishing bot campaign

According to a blog post by Intel 471, there has been a substantial increase in criminals trying to bypass banks’ 2FA measures by using Telegram bots to elicit account information from victims via SMS messages.

These bots are available for hire on the dark web, and are proving very popular with fraudsters because they are easy to use: all the crooks need do is pay a monthly fee and click a few buttons, and the bot does the rest.

One bot, known as SMSRanger, can be used to “target specific banks, as well as PayPal, Apple Pay, Google Pay, or a wireless carrier”, and boasts an 80% efficacy rate.

Another, called SMS Buster, “provides options to disguise a call to make it appear as a legitimate contact from a specific bank while letting the attackers choose to dial from any phone number”.

Since June, at least eight Canadian banks have been affected by phishing attacks using these bots, with their operators “often walking away with thousands of dollars from victim accounts”.


Can you spot a scam?

Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.

This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.
