Hacking

Hackers hijacked Coincheck ‘s domain registrar account and targeted some users

Hackers hijacked one of the domains of the Japanese cryptocurrency exchange Coincheck and used it for spear-phishing attacks.

The Japanese cryptocurrency exchange Coincheck announced that threat actors have accessed their account at the Oname.com domain registrar and hijacked one of its domain names. Then the attackers used the hijacked domain to launch spear-phishing attacks against some of its customers.

“Approximately 12:00 on June 1, 2020, as a result of detecting an abnormality in the monitoring work and starting an investigation, from around 0:05 on May 31, 2020, in our account in “Ome.com”, It was confirmed that the domain registration information was changed by a third party. As a result of this event, it was revealed that some emails received from customers during the period from May 31 to June 1, 2020 could be illegally obtained by a third party.” reads a press release published by the company.

“The domain registration information has been amended at around 20:52 on June 1, 2020, and there is no impact on the customer’s assets at this time.”

The company only halted remittance operations while other operations, including deposits and withdrawals, have not been suspended.

The attack took place between May 31 and June 1, when hackers gained access to Coincheck’s account at Oname.com and attempted to contact the customers of the platform. Coincheck detected the security breach after observing traffic abnormalities, it also confirmed that approximately 200 customers have been impacted in the security incident.

Oname.com also confirmed the incident in a separate advisory about issues in Name.com Navi customer’s domain and server management tool.

“There was a case where the management screen of the customer who used Ome.com was accessed illegally and the registered information was rewritten. After investigating this, a malicious third party was able to use your ID and the bug (*) that could alter the communication on your name.com Navi. It turned out that the information (email address) was rewritten.” reads the advisory published by Oname.com. “The bug of “Omename.com Navi” will be fixed on June 2nd.”

According to the Japanese security expert Masafumi Negishi, threat actors modified the primary DNS entry for the coincheck.com domain.

Coincheck uses Amazon’s managed DNS service, the attackers first registered a fake domain to the AWS server and replaced the legitimate awsdns-61.org with awsdns-061.org. The two domain names differ for an extra 0 prefixed to 61.

Information that may have been leaked in the security breach is the email address written in the recipient and information written in the customer’s email.

Attackers sent spear-phishing messages to some users posing as the coincheck.com domain and redirecting the replies of the customers to the servers under their control.

The spear-phishing messages likely instructed users to verify their account information, then the attackers were planning to use this data to take over the customers’ accounts and siphon their funds.

At the time of publishing this post, the company is not aware of abuses of information obtained with spare-phishing attacks either of the theft of customers’ funds.

In January 2018 Coincheck was hacked and attackers stole $400 million.

A few days after the hack, the company announced it will refund about $400 million to customers after the hack. Coincheck will use its own funds to reimburse about 46.3 billion yen to its 260,000 customers who were impacted by the cyberheist.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – coincheck, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

10 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

17 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.