How Coinbase Phishers Steal One-Time Passwords

An anonymous reader quotes a report from Krebs on Security: A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing the one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are trying to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses already associated with active accounts. Coinbase is the second-largest cryptocurrency exchange in the world, with around 68 million users in over 100 countries. The now-defunct phishing domain involved –[.]com – targeted Italian Coinbase users (the site’s default language was Italian). And it was quite successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

Holden’s team managed to scan some poorly hidden file directories associated with this phishing site, including its administration page. This page, shown in the screenshot below, indicated that the phishing attacks generated at least 870 sets of credentials before the site was taken offline. Holden said that whenever a new victim submitted credentials to the Coinbase phishing site, the administrative panel would “ding” loudly, presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook. In each case, the phishers manually pressed a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app. “These guys have real-time capabilities to solicit any victim input they need to access their Coinbase account,” Holden said. Pressing the “Send Info” button prompted visitors to provide additional personal information, including name, date of birth and mailing address. Armed with the target’s mobile number, the phishers could also click on “Send verification SMS”, which sent the target a text message inviting them to send back a one-time code via SMS.

Holden said the phishing group appears to have identified Italian Coinbase users by attempting to create new accounts under the email addresses of more than 2.5 million Italians. His team was also successful in recovering the username and password data victims submitted to the site, and virtually all email addresses submitted ended with “.it”. But the phishers in this case probably weren’t interested in registering accounts. Rather, the bad guys figured out that any attempt to sign up using an email address linked to an existing Coinbase account would fail. After doing this several million times, the phishers would then take the email addresses that failed to register new accounts and target them with Coinbase-themed phishing emails. Holden’s data shows that this phishing gang made hundreds of thousands of half-hearted account registration attempts on a daily basis. For example, on October 10, the crooks verified over 216,000 email addresses against Coinbase’s systems. The next day, they attempted to register 174,000 new Coinbase accounts.
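One way a defender could spot the signup-based address checking described above, as an added example that is not from the original report or from Coinbase. The log format, the source identifiers (for instance an IP range or client fingerprint), the thresholds and every event are constructed assumptions.

```python
from collections import Counter, defaultdict

def make_sample():
    """Constructed events, one per line: 'day source email outcome'.
    outcome: 'exists' (address already has an account), 'abandoned'
    (signup started, never finished) or 'completed' (account verified)."""
    lines = []
    for i in range(400):   # src-A walks a list of .it addresses, never finishes
        outcome = "exists" if i % 20 == 0 else "abandoned"
        lines.append(f"D1 src-A user{i}@example.it {outcome}")
    for i in range(150):   # src-C: busy but ordinary (mixed TLDs, many complete)
        tld = ["com", "it", "de"][i % 3]
        outcome = "completed" if i % 5 else "abandoned"
        lines.append(f"D1 src-C person{i}@example.{tld} {outcome}")
    for i in range(12):    # src-B: low-volume ordinary traffic
        lines.append(f"D1 src-B new{i}@example.com completed")
    return lines

def flag_enumeration(lines, min_attempts=100, max_completion=0.05,
                     min_tld_share=0.9):
    """Flag (day, source) pairs with many signup attempts, almost none
    completed, and addresses concentrated in a single TLD."""
    stats = defaultdict(lambda: {"outcomes": Counter(), "tlds": Counter()})
    for line in lines:
        day, src, email, outcome = line.split()
        s = stats[(day, src)]
        s["outcomes"][outcome] += 1
        s["tlds"][email.rsplit(".", 1)[-1].lower()] += 1
    flagged = []
    for (day, src), s in sorted(stats.items()):
        n = sum(s["outcomes"].values())
        if n < min_attempts:
            continue  # too little traffic to judge
        completion = s["outcomes"]["completed"] / n
        tld, tld_count = s["tlds"].most_common(1)[0]
        if completion <= max_completion and tld_count / n >= min_tld_share:
            flagged.append({"day": day, "source": src, "attempts": n,
                            # addresses confirmed as registered to this source
                            "existing_hits": s["outcomes"]["exists"],
                            "top_tld": tld, "completion_rate": completion})
    return flagged

if __name__ == "__main__":
    for hit in flag_enumeration(make_sample()):
        print(hit)
```

The `existing_hits` count is the set of addresses a flagged source has learned are registered. Returning the same response for new and already-registered addresses at signup removes that signal altogether.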
