Crooks are growing smarter about phishing one-time passwords (OTPs) needed to complete the login process, as seen by a recent phishing campaign targeting Coinbase customers. It also reveals that phishers are attempting to create millions of new Coinbase accounts in order to find email addresses that are already associated with current accounts.
With over 68 million users from over 100 countries, Coinbase is the world's second-largest cryptocurrency exchange. Coinbase.com.password-reset[.]com was the now-defunct phishing domain, and it was aimed towards Italian Coinbase users (the site's default language was Italian). According to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security, it was a success. Holden's team was able to go inside some of the phishing site's poorly concealed file directories, including the administrator page. Before the site was taken down, the phishing attacks collected at least 870 sets of credentials, according to that panel.
According to Holden, the phishing gang appears to have identified Italian Coinbase customers by attempting to create new accounts using more than 2.5 million Italian email addresses. His team was also able to recover the username and password information that victims had supplied to the site, as well as nearly all of the email addresses that had been submitted ending in ".it."
According to Holden's research, this phishing group attempted hundreds of thousands of half-hearted account signups per day. On Oct. 10, for example, the scammers ran over 216,000 email addresses through Coinbase's servers. They attempted to register 174,000 new Coinbase accounts the next day.
Coinbase revealed last month that malicious hackers stole cryptocurrency from 6,000 clients after exploiting a flaw in the company's SMS multi-factor authentication security tool. This phishing attempt is another example of how criminals are devising ever-more clever ways to get around popular multi-factor authentication alternatives like one-time passwords.
In an emailed statement, Coinbase said, “Like all major online platforms, Coinbase sees attempted automated attacks performed on a regular basis. Coinbase is able to automatically neutralize the overwhelming majority of these attacks, using a mixture of in-house machine learning models and partnerships with industry-leading bot detection and abuse prevention vendors. We continuously tune these models to block new techniques as we discover them."
Researchers say the simplest way to avoid phishing scams is to avoid clicking on links that appear unexpectedly in emails, text messages, or other forms of media. They also advised that you should never give out personal information in response to an unsolicited phone call.
