Researchers at Division Seven, SafeGuard Inc.’s threat intelligence team today detailed how customers at a cryptocurrency firm they work with were targeted by a threat actor using a social engineering attack with a twist: The hackers were pretending to be a well-known employee.
The investigation was launched following a report by Microsoft Security in December into targeted attacks against the cryptocurrency industry. Microsoft Corp. researchers said a threat actor, tracked as DEV-0139, was joining Telegram groups where they targeted cryptocurrency investment companies.
DEV-0139 was found to be using Telegram groups that facilitate conversations between VIP clients and cryptocurrency exchange platforms to identify potential targets among their members. In Microsoft’s report, the threat actor was posing as a representative of another cryptocurrency investment company and would invite targets to a different chat group and pretend to ask for feedback on the fee structure used by the cryptocurrency exchange platforms. The knowledge gained was then used to send a malicious Excel file that contained tables about fee structures among cryptocurrency exchange companies.
What the Division Seven researchers discovered was slightly more involved, with the threat actor impersonating a trusted individual to carry out the social engineering attack more efficiently.
Using SafeGuard Cyber’s lookback capabilities and detection engine, the researchers located and confirmed an instance in which traders were targeted by someone impersonating a known employee of the company to deliver the payload.
In one example, the threat actor attempted the impersonation by using the legitimate user’s initials as a display name. The impersonation was detected, however, and the account was recorded and flagged as a different unique author.
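As an added illustration of the kind of check described above (this is not SafeGuard Cyber’s engine; the employee roster, account ids and messages below are constructed), a small detector that flags a sender whose display name matches a known employee’s full name or initials but whose platform-assigned account id is not that employee’s:

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender_id: int      # platform-assigned unique account id (cannot be chosen by the user)
    display_name: str   # user-chosen name shown in the group (freely spoofable)
    text: str


# Constructed roster of trusted employees: account id -> full display name.
TRUSTED_EMPLOYEES = {
    10001: "Jane Q. Doe",
    10002: "Marcus Lee",
}


def normalize(name: str) -> str:
    """Lower-case letters only, so 'J.Q.D.' and 'jqd' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def initials(name: str) -> str:
    """'Jane Q. Doe' -> 'JQD'."""
    return "".join(p[0].upper() for p in re.findall(r"[A-Za-z]+", name))


def name_matches(display_name: str, trusted_name: str) -> bool:
    """True if the display name is the trusted name or just its initials."""
    shown = normalize(display_name)
    return shown == normalize(trusted_name) or shown == initials(trusted_name).lower()


def flag_impersonation(messages, roster=TRUSTED_EMPLOYEES):
    """Return one record per message whose display name claims an employee
    identity but whose account id is not that employee's."""
    flags = []
    for m in messages:
        for emp_id, emp_name in roster.items():
            if name_matches(m.display_name, emp_name) and m.sender_id != emp_id:
                flags.append({"sender_id": m.sender_id,
                              "display_name": m.display_name,
                              "impersonates": emp_name})
    return flags


# Constructed sample traffic: the real employee, an initials-only impostor,
# a bystander, and a full-name impostor under a different account id.
SAMPLE_MESSAGES = [
    Message(10001, "Jane Q. Doe", "Fee comparison sheet is in the shared folder."),
    Message(99887, "JQD", "Updated fee structure attached, please review."),
    Message(55555, "Alex", "thanks"),
    Message(99888, "jane q doe", "Resending the spreadsheet, open it when you can."),
]

if __name__ == "__main__":
    for f in flag_impersonation(SAMPLE_MESSAGES):
        print(f)
```

Only the id-based roster is trusted; the display name is treated purely as a claim to be verified against it.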
The researchers believe that DEV-0139’s use of detailed trust building was likely an adaptation of a less successful, albeit easier, impersonation attack.
“The result of this analysis is a compliance customer has enabled deeper security detections for monitored Telegram users,” the research concluded. “This move is part of a larger trend we have observed over the course of 2022, a greater convergence of security and compliance in financial services to address overall business communication risks.”