How Coinbase Phishers Steal One-Time Passwords – Krebs on Security

A recent phishing campaign targeting Coinbase users shows that thieves are getting wiser about phishing the one-time passcodes (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions, as part of an effort to identify email addresses that are already linked to active accounts.

A Google-translated version of the now defunct Coinbase phishing site, coinbase.com.password-reset[.]com

Coinbase is the world’s second-largest cryptocurrency exchange, with approximately 68 million users from over 100 countries. The phishing domain in question – coinbase.com.password-reset[.]com – was aimed at Italian Coinbase users (the default language of the site was Italian). And it was reasonably successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

Holden’s team managed to peer into some poorly hidden file directories associated with this phishing site, including its administration page. The panel pictured in the redacted screenshot below indicates the phishing attacks netted at least 870 sets of credentials before the site was taken offline.

Coinbase phishing panel.

Holden said that each time a new victim submitted credentials to the Coinbase phishing site, the administrative panel would make a loud “ding” – presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook.

In each case, the phishers would manually press a button that prompted the phishing site to ask the visitor for more information, e.g., the one-time code from their mobile app.

“These guys have real-time options to request any input from the victim that they need to access their Coinbase account,” Holden said.

Pressing the “Submit Information” button prompted visitors to provide additional personal information, including their name, date of birth, and street address. Armed with the target’s mobile number, the phishers could also click “Send Verification SMS,” which sent the target a text message asking them to reply with a one-time code.

SIFTING COINBASE FOR ACTIVE USERS

Holden said the phishing group appears to have identified Italian Coinbase users by attempting to create new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in “.it”.

But the phishers in this case were probably not interested in actually registering any accounts. Rather, the bad guys understood that any attempt to sign up using an email address already associated with an existing Coinbase account would fail. After doing this millions of times, the phishers could then take the email addresses whose new-account sign-ups failed and target them with Coinbase-themed phishing emails.

The team’s data shows that this phishing gang made hundreds of thousands of half-hearted account registration attempts every day. For example, on October 10 the scammers checked more than 216,000 email addresses against Coinbase’s systems. The following day, they attempted to register 174,000 new Coinbase accounts.
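The sign-up flow described above is an account-enumeration oracle: the registration form answers differently for addresses that already have an account, so a bot can feed it a list and keep the addresses that fail. The following added example (not Coinbase’s code, and not anything from the phishing kit) shows the leaky form next to a uniform-response fix, plus a small detector run over constructed sign-up log lines; the user table, IP addresses, email addresses and log format are all made up for illustration.

```python
"""Account enumeration via sign-up: the leaky form, a uniform-response fix,
and a detector for the resulting mass sign-up traffic.
Added example; users, addresses and log lines are constructed, not Coinbase's."""
import re
from collections import defaultdict

# Constructed stand-in for a user table of already-registered addresses.
EXISTING_USERS = {"mario.rossi@example.it", "giulia.bianchi@example.it"}


def signup_vulnerable(email: str) -> dict:
    """Leaky form: a registered address gets a visibly different answer, so a
    bot can 'sign up' millions of addresses and keep the ones that fail."""
    if email.lower() in EXISTING_USERS:
        return {"status": 409, "body": "An account with this email already exists."}
    return {"status": 200, "body": "Check your inbox to confirm your account."}


def signup_hardened(email: str, outbox: list) -> dict:
    """Uniform response: the HTTP reply is identical either way. Which message
    goes out is decided on the email side, which the attacker cannot observe.
    (outbox stands in for the mail queue; a real handler would also create the
    pending account on the 'new' path and keep both paths equal in timing.)"""
    if email.lower() in EXISTING_USERS:
        outbox.append((email, "Someone tried to register with your address; no action is needed."))
    else:
        outbox.append((email, "Confirm your new account."))
    return {"status": 200, "body": "If this address can be registered, we have emailed it."}


# Constructed sign-up log: one source sifting a list, one ordinary user.
SIGNUP_LOG = """\
2021-10-10T14:02:11Z src=203.0.113.7 event=signup email=a1@example.it result=exists
2021-10-10T14:02:12Z src=203.0.113.7 event=signup email=a2@example.it result=created
2021-10-10T14:02:12Z src=203.0.113.7 event=signup email=a3@example.it result=exists
2021-10-10T14:02:13Z src=203.0.113.7 event=signup email=a4@example.it result=created
2021-10-10T14:02:14Z src=203.0.113.7 event=signup email=a5@example.it result=exists
2021-10-10T14:02:15Z src=203.0.113.7 event=signup email=a6@example.it result=created
2021-10-10T14:09:40Z src=198.51.100.23 event=signup email=nuovo@example.it result=created
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=signup email=(?P<email>\S+) result=(?P<result>\S+)$"
)


def find_enumeration_sources(log_text: str, min_distinct: int = 5) -> dict:
    """Group sign-up attempts per source and flag sources that try many
    distinct addresses: a stream of different emails from one client, with a
    high share of 'exists' results, is the fingerprint of list sifting."""
    per_src = defaultdict(lambda: {"attempts": 0, "distinct": set(), "exists": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not sign-up events
        s = per_src[m["src"]]
        s["attempts"] += 1
        s["distinct"].add(m["email"].lower())
        if m["result"] == "exists":
            s["exists"] += 1
    flagged = {}
    for src, s in per_src.items():
        if len(s["distinct"]) >= min_distinct:
            flagged[src] = {"attempts": s["attempts"], "distinct": len(s["distinct"]), "exists": s["exists"]}
    return flagged


if __name__ == "__main__":
    print(signup_vulnerable("mario.rossi@example.it"))
    mail = []
    print(signup_hardened("mario.rossi@example.it", mail), signup_hardened("x@example.it", mail), mail)
    print(find_enumeration_sources(SIGNUP_LOG))
```

The uniform response removes the cheap oracle but not the problem: the attacker can still distribute attempts across many sources, so the per-source count above is only a starting point, and per-address throttling, proof-of-work or CAPTCHA on sign-up, and watching for lists of addresses that share a national TLD belong alongside it.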

In an email statement shared with KrebsOnSecurity, Coinbase said it is taking “comprehensive security measures to ensure our platform and customer accounts remain as secure as possible.” Here is the rest of their statement:

“Like all major online platforms, Coinbase sees attempts at automated attacks performed on a regular basis. Coinbase is able to automatically neutralize the vast majority of these attacks through a mix of internal machine learning models and partnerships with industry-leading bot detection and abuse prevention providers. We continually adjust these models to block new techniques as we discover them. Coinbase’s Threat Intelligence and Trust & Safety teams are also working to monitor new automated abuse techniques, develop and apply mitigation and aggressively pursue removals against malicious infrastructure. We recognize that attackers (and attack techniques) will continue to evolve, and therefore we take a multi-layered approach to combating automated abuse.”

Last month, Coinbase revealed that malicious hackers stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multifactor authentication feature.

“To carry out the attack, Coinbase says the attackers needed to know the customer’s email address, password and telephone number associated with their Coinbase account, and have access to the victim’s email account,” wrote Bleeping Computer’s Lawrence Abrams. “While it is unknown how the threat actors gained access to this information, Coinbase believes it was through phishing campaigns targeting Coinbase customers to steal credentials, which have become commonplace.”

This phishing scheme is another example of how crooks are coming up with increasingly ingenious methods to circumvent popular multifactor authentication options, such as one-time codes. Last month, KrebsOnSecurity featured research into several new Telegram-bot-based services that make it relatively easy for crooks to phish OTPs from targets using automated phone calls and text messages. These OTP phishing services all assume that the customer already has the target’s login information in some way – e.g., through a phishing site like the one examined in this story.

Knowledgeable readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first slash (/). The domain directly to the left of that first slash is the true destination; everything that precedes the second dot to the left of the first slash is a subdomain and should be ignored in determining the true domain name.

In the phishing domain at issue here – coinbase.com.password-reset[.]com – password-reset[.]com is the destination domain, and “coinbase.com” is merely a subdomain of password-reset[.]com. However, when viewed on a mobile device, many visitors to such a domain may see only the subdomain portion of the URL in their mobile browser’s address bar.
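The rule in the two paragraphs above, written out as code. This is an added example, not anything from the original post: it pulls the host out of a link the way the text describes (between the scheme and the first slash), also discarding user-info and port tricks that pad the address bar, then keeps the last two labels to get the registrable domain. One caveat the “second dot” rule glosses over: under two-label public suffixes such as co.uk the true domain is the last three labels, so the code carries a small hand-picked suffix list; in production you would use the full Public Suffix List instead. The URLs below are constructed, and the defanged “[.]” notation used in this article is accepted as input.

```python
"""Recover the true destination domain of a link.
Added example; URLs are constructed, and MULTI_LABEL_SUFFIXES is a tiny
illustrative subset of the Public Suffix List, not the real thing."""
from urllib.parse import urlsplit

# Public suffixes made of two labels, where 'last two labels' would be wrong.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def host_of(url: str) -> str:
    """Hostname between 'http(s)://' and the first '/'.
    urlsplit().hostname drops userinfo ('coinbase.com@evil.example') and the
    port, two other ways of making a hostile address look familiar."""
    url = url.replace("[.]", ".")          # accept defanged notation
    if "://" not in url:                   # tolerate a bare host/path
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(url: str) -> str:
    """The domain that was actually registered: the last two labels, or the
    last three when the last two are a multi-label public suffix."""
    labels = host_of(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_brand(url: str, brand_domain: str) -> bool:
    """True when the brand's domain appears in the host but the registrable
    domain is something else: the lookalike pattern in this story. A real
    subdomain of the brand (accounts.coinbase.com) is not flagged."""
    return brand_domain in host_of(url) and registrable_domain(url) != brand_domain


if __name__ == "__main__":
    for u in ("https://coinbase.com.password-reset[.]com/it/login",
              "https://coinbase.com@evil.example/",
              "https://accounts.coinbase.com/signin"):
        print(u, "->", registrable_domain(u), "lookalike" if looks_like_brand(u, "coinbase.com") else "ok")
```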

The best advice for sidestepping phishing scams is to avoid clicking on links that arrive in unsolicited emails, text messages or other media. Most phishing scams include a time element, warning of dire consequences if you do not respond or act quickly. If you are unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually – ideally using a browser bookmark, to avoid potential typos.

Also, never provide information in response to an unsolicited phone call. It does not matter who claims to be calling: if you did not initiate the contact, hang up. Don’t put them on hold while you call your bank; the scammers can defeat that, too. Just hang up. Then you can call your bank or whomever else you need to reach.

By the way, when was the last time you reviewed your multi-factor settings and options at the various sites entrusted with your most valuable personal and financial information? It may be worth visiting 2fa.directory (formerly twofactorauth[.]org) to check.
