UPDATED 09:00 EST / JANUARY 09 2023

Telegram SECURITY

Hackers target cryptocurrency customers by impersonating well-known employee

Researchers at Division Seven, SafeGuard Inc.’s threat intelligence team today detailed how customers at a cryptocurrency firm they work with were targeted by a threat actor using a social engineering attack with a twist: The hackers were pretending to be a well-known employee.

The investigation was launched following a report by Microsoft Security in December into targeted attacks against the cryptocurrency industry. Microsoft Corp. researchers said a threat actor, tracked as DEV-0139, was joining Telegram groups where they targeted cryptocurrency investment companies.

DEV-0139 was found to be using Telegram groups used to facilitate conversations between VIP clients and cryptocurrency exchange platforms to identify potential targets among its members. In Microsoft’s report, the threat actor was posing as a representative of another cryptocurrency investment company and would invite targets to a different chat group and pretend to ask for feedback on the free structure used by the cryptocurrency exchange platforms. The knowledge gained was then used to send a malicious Excel file that contained tables about fee structures among cryptocurrency exchange companies.

What the Division Seven researchers discovered was slightly more involved, with the threat actor impersonating a trusted individual to carry out the social engineering attack more efficiently.

Using SafeGuard Cyber’s lookback capabilities and detection engine, the researchers located and confirmed an instance when traders were targeted by someone impersonating a known employee from the company’s organization to deliver the payload.

In an example, the threat actor attempted the impersonation through the use of the legitimate user’s initials. The impersonation was detected, however, and the account was recorded and flagged as a different unique author.

The researchers believe that DEV-0139’s use of detailed trust building was likely an adaptation of a less successful, albeit easier, impersonation attack.

“The result of this analysis is a compliance customer has enabled deeper security detections for monitored Telegram users,” the research concluded. “This move is part of a larger trend we have observed over the course of 2022, a greater convergence of security and compliance in financial services to address overall business communication risks.”

Photo: Yuri Samoilov/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU