Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

How Coinbase Phishers Steal One-Time Passwords (krebsonsecurity.com) 9

An anonymous reader quotes a report from from Krebs on Security: A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts. Coinbase is the world's second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue -- coinbase.com.password-reset[.]com -- was targeting Italian Coinbase users (the site's default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

Holden's team managed to peer inside some poorly hidden file directories associated with that phishing site, including its administration page. That panel, pictured in the redacted screenshot below, indicated the phishing attacks netted at least 870 sets of credentials before the site was taken offline. Holden said each time a new victim submitted credentials at the Coinbase phishing site, the administrative panel would make a loud "ding" -- presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook. In each case, the phishers manually would push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app. "These guys have real-time capabilities of soliciting any input from the victim they need to get into their Coinbase account," Holden said. Pressing the "Send Info" button prompted visitors to supply additional personal information, including their name, date of birth, and street address. Armed with the target's mobile number, they could also click "Send verification SMS" with a text message prompting them to text back a one-time code.

Holden said the phishing group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in ".it." But the phishers in this case likely weren't interested in registering any accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail. After doing that several million times, the phishers would then take the email addresses that failed new account signups and target them with Coinbase-themed phishing emails. Holden's data shows this phishing gang conducted hundreds of thousands of halfhearted account signup attempts daily. For example, on Oct. 10 the scammers checked more than 216,000 email addresses against Coinbase's systems. The following day, they attempted to register 174,000 new Coinbase accounts.

This discussion has been archived. No new comments can be posted.

How Coinbase Phishers Steal One-Time Passwords

Comments Filter:
  • by Anonymouse Cowtard ( 6211666 ) on Wednesday October 13, 2021 @07:26PM (#61889831) Homepage
    So they are saying that they can't stop bots from attempting to sign up? This appears trivial to mitigate. Wtf are they doing?
  • Any site that uses email address as user name can be targeted by this scheme to harvest email ids of account holders. Usually banks and brokerages ask you to create user names, they do not let you use email id or phone numbers as user names. So far so good.

    But if the site allows multiple ways to sign in, they might leak my email id.

    Troubling.

    • by xalqor ( 6762950 ) on Wednesday October 13, 2021 @09:21PM (#61890045)

      Simple fix -- when a user tries to sign up, you ask their email address, then you immediately send a verification email. Doesn't matter if it already exists in the system or not. Then, *after* they verify it, you can proceed to set up a new account or inform them that they already have an account and proceed to account recovery if they need it.

      Some sites wouldn't want to do that because they're all about the sales and don't want anything to get in the way of a new sign up... Their perspective is that every extra step is a possibility to lose a new user. But sites that have valuable assets in accounts, it should be protecting their users privacy, should definitely do it the more secure way to protect their existing users.

    • Not "ANY" site, just sites that haven't put thought into their signup process. It is easy to counter this type of a attack by for example putting the email verification prior to telling them they already have an account or account signup fail.
      • Similar to "password reset", isn't this attack trivially neutered by not telling the user anything about the success or failure of signup directly on the web interface?
        • Yep, these are areas where not providing error messages or information as direct feedback is a good thing. It can also be important to provide consistent timing of processing both success and errors even if giving no feedback in the response.
  • Just go be safe, I just deleted all financial info from Coinbase which @ $0 anyway BUT gone !

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...