How Coinbase Phishers Steal One-Time Passwords – Krebs on Security


A recent phishing campaign targeting Coinbase users shows that thieves are getting smarter about phishing the one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are trying to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses already associated with active accounts.

A Google-translated version of the now defunct Coinbase phishing site,[.]com

Coinbase is the second largest cryptocurrency exchange in the world, with around 68 million users in over 100 countries. The now-defunct phishing domain involved –[.]com – targeted Italian Coinbase users (the site’s default language was Italian). And it was quite successful, according to Alex Holden, founder of the Milwaukee-based cybersecurity company Maintain Security.

Holden’s team managed to scan some poorly hidden file directories associated with this phishing site, including its administration page. That page, shown in the screenshot below, indicated that the phishing attacks had captured at least 870 sets of credentials before the site was taken offline.

The Coinbase Phishing Panel.

Holden said that whenever a new victim submitted credentials to the Coinbase phishing site, the administrative panel would “ding” loudly – presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook.

In each case, the phishers manually pressed a button that caused the phishing site to ask the visitor for more information, such as the one-time password from their mobile app.

“These guys have real-time capabilities to solicit any victim input they need to access their Coinbase account,” Holden said.

By pressing the “Send Info” button, the phishers could ask visitors to provide additional personal information, including name, date of birth and address. Armed with the target’s mobile number, they could also click “Send Verification SMS”, which sent a text message prompting the target to resend a one-time code.


Holden said the phishing group appears to have identified Italian Coinbase users by attempting to create new accounts under the email addresses of more than 2.5 million Italians. His team was also successful in recovering the username and password data victims submitted to the site, and virtually all email addresses submitted ended with “.it”.

But the phishers in this case probably weren’t interested in registering accounts. On the contrary, the bad guys figured out that any attempt to sign up using an email address linked to an existing Coinbase account would fail. After doing this several million times, the phishers would then take the email addresses that failed to register new accounts and target them with Coinbase-themed phishing emails.

Holden’s data shows that this phishing gang made hundreds of thousands of half-hearted account registration attempts on a daily basis. For example, on October 10, crooks verified over 216,000 email addresses against Coinbase’s systems. The next day, they attempted to register 174,000 new Coinbase accounts.
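The enumeration described in the two paragraphs above leaves a distinctive trace on the signup endpoint: one source submits a fresh email address on nearly every attempt, and most attempts come back with the “already registered” response. The following is an added example, not code from the article or from Coinbase, of how a defender might flag that pattern in signup logs. The log format, the field names, the IP addresses (RFC 5737 test ranges) and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Assumed log format for a signup endpoint (constructed for this example).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) action=signup "
    r"email=(?P<email>\S+) result=(?P<result>\S+)$"
)


def build_sample_log():
    """Constructed signup-endpoint log lines (not real Coinbase data).

    203.0.113.5 plays the enumerating source: a fresh address every minute,
    and because the list was harvested from real users, most attempts come
    back 'email_already_registered'. 198.51.100.7 is an ordinary user who
    creates one account and then retries the same address once.
    """
    lines = []
    for i in range(60):
        result = "email_already_registered" if i % 4 else "account_created"
        lines.append(
            f"2021-10-10T08:{i:02d}:00Z ip=203.0.113.5 action=signup "
            f"email=utente{i}@example.it result={result}"
        )
    lines.append("2021-10-10T09:15:00Z ip=198.51.100.7 action=signup "
                 "email=anna@example.it result=account_created")
    lines.append("2021-10-10T09:16:00Z ip=198.51.100.7 action=signup "
                 "email=anna@example.it result=email_already_registered")
    return lines


def parse_log(lines):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def find_enumerating_sources(events, min_attempts=25,
                             min_existing_ratio=0.5, min_distinct_ratio=0.9):
    """Flag source IPs whose signup traffic looks like account enumeration.

    A source is flagged when it made at least `min_attempts` signups, almost
    every attempt used a different address (`min_distinct_ratio`), and a high
    share of them hit an existing account (`min_existing_ratio`). A normal
    user retrying their own address fails the distinct-address test.
    Returns {ip: stats} for the flagged sources only.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "existing": 0, "emails": set()})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["attempts"] += 1
        stats["emails"].add(ev["email"].lower())
        if ev["result"] == "email_already_registered":
            stats["existing"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        if stats["attempts"] < min_attempts:
            continue
        existing_ratio = stats["existing"] / stats["attempts"]
        distinct_ratio = len(stats["emails"]) / stats["attempts"]
        if existing_ratio >= min_existing_ratio and distinct_ratio >= min_distinct_ratio:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "existing": stats["existing"],
                "distinct_emails": len(stats["emails"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerating_sources(parse_log(build_sample_log())).items():
        print(f"enumeration suspected from {ip}: {stats}")
```

The signal only exists because the endpoint answers differently for registered and unregistered addresses. Per-source volume thresholds like the ones above catch the naive version of the campaign; a gang that spreads a few hundred thousand attempts a day across many addresses needs the same counts aggregated per day across all sources, which is the view that made the 216,000 and 174,000 figures visible in Holden’s data.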

In an email statement shared with KrebsOnSecurity, Coinbase said it takes “extensive security measures to ensure that our platform and customer accounts remain as secure as possible.” Here is the rest of their statement:

“Like all major online platforms, Coinbase regularly sees attempted automated attacks. Coinbase is able to automatically neutralize the overwhelming majority of these attacks, using a mix of internal machine learning models and partnerships with leading bot detection and abuse prevention providers. We are continually adjusting these patterns to block new techniques as we discover them. Coinbase’s Threat Intelligence and Trust & Safety teams are also working to monitor new automated abuse techniques, develop and apply mitigation measures, and aggressively pursue withdrawals against malicious infrastructure. We recognize that attackers (and attack techniques) will continue to evolve, which is why we are taking a tiered approach to tackling automated abuse.”

Last month Coinbase disclosed that malicious hackers stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature.

“To carry out the attack, Coinbase says that attackers had to know the customer’s email address, password and phone number associated with their Coinbase account and have access to the victim’s email account,” Bleeping Computer’s Laurent Abrams wrote. “While it is not known how the threat actors gained access to this information, Coinbase believes it was through phishing campaigns targeting Coinbase customers to steal account credentials, which have become common.”

This phishing scheme is another example of how crooks are coming up with increasingly ingenious methods to bypass popular multi-factor authentication options, such as one-time passwords. Last month KrebsOnSecurity highlighted research into several new Telegram-based bot services that allow crooks to easily phish OTPs from targets using automated phone calls and text messages, rather than via a phishing site like the one examined in this story.

Sophisticated readers may already know this, but to find the actual domain that a link points to, look to the right of “http(s)://” until you encounter the first forward slash (/). The text directly to the left of this first slash is the real destination; anything before the second dot to the left of that first slash is a subdomain and should be ignored when determining the real domain name.

In the phishing domain at issue here –[.]com – reset password[.]com is the destination domain, and “” is just an arbitrary subdomain of reset password[.]com. However, when viewed on a mobile device, many visitors to such a domain may only see the subdomain portion of the URL in the address bar of their mobile browser.
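The rule of thumb in the two paragraphs above (host is everything between “http(s)://” and the first slash; the last two labels are the real destination; the rest is a subdomain to ignore) is easy to apply mechanically. The code below is an added example, not the article’s or any project’s code, that implements that exact rule in Python. The look-alike link it checks is constructed for the example; the “.example” top-level domain is a placeholder and not the phishing domain from the story.

```python
from urllib.parse import urlsplit


def destination_domain(url: str) -> str:
    """Apply the article's rule of thumb to a link.

    Everything between 'http(s)://' and the first '/' is the host. The last
    two dot-separated labels of that host are the real destination; anything
    to the left of them is a subdomain whose name the site owner chooses
    freely, so it is ignored.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not an http(s) link: {url!r}")
    host = parts.hostname  # lowercased; any user:pass@ and :port are stripped
    if not host:
        raise ValueError(f"link has no host: {url!r}")
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"host is not a public domain name: {host!r}")
    return ".".join(labels[-2:])


def subdomain_part(url: str) -> str:
    """Return the labels the rule discards (the look-alike prefix), or ''."""
    host = urlsplit(url).hostname or ""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[:-2])


def leads_to(url: str, expected_domain: str) -> bool:
    """True only if the link really lands on expected_domain."""
    return destination_domain(url) == expected_domain.lower().strip(".")


if __name__ == "__main__":
    # Constructed look-alike link in the style the article describes.
    lure = "https://coinbase.com.reset-password.example/login?user=victim"
    genuine = "https://www.coinbase.com/signin"
    for link in (lure, genuine):
        print(f"{link}")
        print(f"  destination: {destination_domain(link)}"
              f"  ignored subdomain: {subdomain_part(link) or '-'}"
              f"  -> coinbase.com? {leads_to(link, 'coinbase.com')}")
```

One caveat a careful reader should keep in mind: the “last two labels” rule is exactly what the article states and works for domains like coinbase.com, but it undercounts for registries that hand out names under a multi-label suffix (a site under co.uk, for instance, has three labels in its registrable name). A production check should consult the Public Suffix List rather than a fixed label count.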

The best tip for avoiding phishing scams is to avoid clicking on links that spontaneously arrive in emails, texts, or other media. Most phishing scams invoke a temporal element that warns of dire consequences if you don’t respond or act quickly. If you are unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually – ideally, using a browser bookmark to avoid potential typosquatting sites.

Also, never provide information in response to an unsolicited phone call. It doesn’t matter who claims to be calling: if you didn’t initiate the contact, hang up. Don’t put them on hold while you call your bank; crooks can get around this too. Hang up. Then you can call your bank or whoever else you need to reach.

By the way, when was the last time you looked at your settings and multi-factor options on the various websites that hold your most valuable personal and financial information? It might be worth a visit to (formerly twofactorauth[.]org) to check.

