Pierluigi Paganini
June 04, 2020
The Japanese cryptocurrency exchange Coincheck announced that threat actors have accessed their account at the Oname.com domain registrar and hijacked one of its domain names. Then the attackers used the hijacked domain to launch spear-phishing attacks against some of its customers.
“Approximately 12:00 on June 1, 2020, as a result of detecting an abnormality in the monitoring work and starting an investigation, from around 0:05 on May 31, 2020, in our account in “Ome.com”, It was confirmed that the domain registration information was changed by a third party. As a result of this event, it was revealed that some emails received from customers during the period from May 31 to June 1, 2020 could be illegally obtained by a third party.” reads a press release published by the company.
“The domain registration information has been amended at around 20:52 on June 1, 2020, and there is no impact on the customer’s assets at this time.”
The company only halted remittance operations while other operations, including deposits and withdrawals, have not been suspended.
The attack took place between May 31 and June 1, when hackers gained access to Coincheck’s account at Oname.com and attempted to contact the customers of the platform. Coincheck detected the security breach after observing traffic abnormalities, it also confirmed that approximately 200 customers have been impacted in the security incident.
Oname.com also confirmed the incident in a separate advisory about issues in Name.com Navi customer’s domain and server management tool.
“There was a case where the management screen of the customer who used Ome.com was accessed illegally and the registered information was rewritten. After investigating this, a malicious third party was able to use your ID and the bug (*) that could alter the communication on your name.com Navi. It turned out that the information (email address) was rewritten.” reads the advisory published by Oname.com. “The bug of “Omename.com Navi” will be fixed on June 2nd.”
According to the Japanese security expert Masafumi Negishi, threat actors modified the primary DNS entry for the coincheck.com domain.
コインチェックの件、元々 NS レコードに登録されていた Amazon Route 53 のドメインにそっくりな偽ドメインが前日の 5/29 に複数登録されてますね。その後 5/30 にお名前.com で NS レコードを書き換えた模様。
— Masafumi Negishi (@MasafumiNegishi) June 3, 2020
(例) 本物 awsdns-61[.]org → 偽物 awsdns-061[.]org
Coincheck uses Amazon’s managed DNS service, the attackers first registered a fake domain to the AWS server and replaced the legitimate awsdns-61.org with awsdns-061.org. The two domain names differ for an extra 0 prefixed to 61.
Information that may have been leaked in the security breach is the email address written in the recipient and information written in the customer’s email.
Attackers sent spear-phishing messages to some users posing as the coincheck.com domain and redirecting the replies of the customers to the servers under their control.
The spear-phishing messages likely instructed users to verify their account information, then the attackers were planning to use this data to take over the customers’ accounts and siphon their funds.
At the time of publishing this post, the company is not aware of abuses of information obtained with spare-phishing attacks either of the theft of customers’ funds.
In January 2018 Coincheck was hacked and attackers stole $400 million.
A few days after the hack, the company announced it will refund about $400 million to customers after the hack. Coincheck will use its own funds to reimburse about 46.3 billion yen to its 260,000 customers who were impacted by the cyberheist.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – coincheck, cybersecurity)
[adrotate banner=”5″]
[adrotate banner=”13″]
