Researchers at Division Seven, SafeGuard Inc.’s threat intelligence team, today detailed how customers at a cryptocurrency firm they work with were targeted by a threat actor using a social engineering attack with a twist: the hackers were pretending to be a well-known employee.

The investigation was launched following a report by Microsoft Security in December into targeted attacks against the cryptocurrency industry. Microsoft Corp. researchers said a threat actor, tracked as DEV-0139, was joining Telegram groups where they targeted cryptocurrency investment companies. DEV-0139 was found to be using Telegram groups that facilitate conversations between VIP clients and cryptocurrency exchange platforms to identify potential targets among their members.

In Microsoft’s report, the threat actor posed as a representative of another cryptocurrency investment company, invited targets to a different chat group and pretended to ask for feedback on the fee structure used by the cryptocurrency exchange platforms. The knowledge gained was then used to send a malicious Excel file that contained tables comparing fee structures among cryptocurrency exchange companies.

What the Division Seven researchers discovered was slightly more involved, with the threat actor impersonating a trusted individual to carry out the social engineering attack more efficiently. Using SafeGuard Cyber’s lookback capabilities and detection engine, the researchers located and confirmed an instance in which traders were targeted by someone impersonating a known employee from the company’s organization in order to deliver the payload.
Full research: Hackers target cryptocurrency customers by impersonating well-known employee.