Hackers hijack one of Coincheck's domains for spear-phishing attacks

Hackers hijacked Coincheck's domain registrar account and then changed DNS settings.


Japanese cryptocurrency exchange Coincheck says hackers took control over its account at a local domain registrar and hijacked one of its domain names, which they later used to contact some of its customers.

The exchange paused remittance operations on its platform on Tuesday while it investigates the incident. Other operations, such as withdrawals or deposits, have not been blocked.

According to an incident report published yesterday, the company said the initial attack took place on Sunday, May 31. The hackers gained access to Coincheck's account at Oname.com, the company's domain registrar provider. Oname also confirmed the incident.

While Coincheck didn't provide any technical details about the attack, Japanese security researcher Masafumi Negishi said the hackers modified the primary DNS entry for Coincheck's coincheck.com domain.

Coincheck uses Amazon's managed DNS service, meaning Amazon's name servers answer queries for the coincheck.com domain and return the server IP addresses that users' clients (browsers, mobile apps, wallets) connect to.

According to Masafumi, the hacker registered a lookalike of the AWS name server's domain and, in the Oname.com backend, replaced the original awsdns-61.org with awsdns-061.org (notice the extra 0 in front of 61). Because the registrar's name server settings decide which servers are authoritative for a domain, this let the hacker answer DNS queries for the Coincheck portal.


Hackers didn't use this access to redirect the exchange's entire web traffic to a Coincheck clone. Such an attack would have been detected right away.

Instead, hackers sent spear-phishing emails to certain users by impersonating the coincheck.com domain and redirecting email replies to their own servers.
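The defensive check that catches the registrar-side swap described above is to compare a domain's publicly visible delegation against the name servers recorded when the zone was set up, and to treat a name that differs from a known-good one only by a leading zero or a single character as a lookalike rather than a harmless change. The script below is an added example, not Coincheck's, Oname.com's or Amazon's code; every hostname in it other than the awsdns-61.org / awsdns-061.org pair from the article is constructed, as is the dig-style output it parses. It also goes slightly beyond the NS case: the same audit runs over MX records, since the email side of this incident depended on where mail for the domain was routed.

```python
"""Audit a domain's public NS (or MX) records against a recorded baseline.

Added example, not code from the article or from any party named in it.
Hostnames, record values and the dig-style output are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

_NUMERIC_RUN = re.compile(r"\d+")


def normalize_host(host: str) -> str:
    """Canonical form: lower-case, trailing dot removed, leading zeros stripped
    from every numeric run, so awsdns-061.org and awsdns-61.org compare equal."""
    host = host.lower().rstrip(".")
    return _NUMERIC_RUN.sub(lambda m: m.group(0).lstrip("0") or "0", host)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to flag single-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    rtype: str
    host: str
    verdict: str                     # "ok", "lookalike", "unexpected" or "missing"
    closest: Optional[str] = None    # baseline entry a lookalike resembles


def parse_dig_short(output: str) -> List[str]:
    """Parse `dig +short NS|MX <name>` style text (constructed here). MX lines
    start with a preference number; only the trailing hostname is kept."""
    return [line.split()[-1] for line in output.strip().splitlines() if line.split()]


def audit(rtype: str, expected: Set[str], observed: List[str]) -> List[Finding]:
    """Compare observed hosts with the baseline and classify every difference."""
    exact = {e.lower().rstrip(".") for e in expected}
    by_norm = {normalize_host(e): e for e in expected}
    findings: List[Finding] = []
    confirmed: Set[str] = set()
    for host in observed:
        norm = normalize_host(host)
        if host.lower().rstrip(".") in exact:
            findings.append(Finding(rtype, host, "ok"))
            confirmed.add(norm)
        elif norm in by_norm:
            # Identical once leading zeros are ignored: the awsdns-061 pattern.
            findings.append(Finding(rtype, host, "lookalike", by_norm[norm]))
        else:
            closest = min(expected, key=lambda e: edit_distance(norm, normalize_host(e)))
            if edit_distance(norm, normalize_host(closest)) <= 2:
                findings.append(Finding(rtype, host, "lookalike", closest))
            else:
                findings.append(Finding(rtype, host, "unexpected"))
    # A baseline server that is no longer delegated is reported even when a
    # lookalike has taken its place, so both halves of a swap are visible.
    for e in expected:
        if normalize_host(e) not in confirmed:
            findings.append(Finding(rtype, e, "missing"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.verdict for f in findings))


# Constructed baseline: the delegation recorded when the zone was provisioned.
BASELINE_NS = {
    "ns-2050.awsdns-61.org.",
    "ns-1024.awsdns-00.com.",
    "ns-512.awsdns-12.net.",
    "ns-1536.awsdns-33.co.uk.",
}

# Constructed `dig +short NS` output after a registrar-side change: one server
# has been replaced by a host under the lookalike awsdns-061.org domain.
OBSERVED_NS_OUTPUT = """
ns-1024.awsdns-00.com.
ns-512.awsdns-12.net.
ns-1536.awsdns-33.co.uk.
ns-2050.awsdns-061.org.
"""

# Constructed MX baseline and observation; the same audit applies unchanged.
BASELINE_MX = {"mail.example.com."}
OBSERVED_MX_OUTPUT = "10 mail.example.com.\n20 relay.attacker-controlled.example."


if __name__ == "__main__":
    for rtype, base, out in (("NS", BASELINE_NS, OBSERVED_NS_OUTPUT),
                             ("MX", BASELINE_MX, OBSERVED_MX_OUTPUT)):
        for f in audit(rtype, base, parse_dig_short(out)):
            print(f"{f.rtype:2} {f.verdict:10} {f.host}"
                  + (f"  (resembles {f.closest})" if f.closest else ""))
```

In practice the observed lists come from a scheduled `dig +short NS <domain>` against a public resolver, so the check sees the same delegation the registrar publishes rather than what the zone host believes it serves; a "lookalike" or "missing" verdict on NS is the signal that the registrar account, not the zone, needs attention.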

Coincheck says it detected the attack after observing traffic abnormalities. The hackers retained control of the company's domain until Monday, June 1, 20:52, Tokyo time, when the company regained access to it.

It's believed that hackers reached out to customers and asked them to verify account information, which they could reuse at a later date to hack accounts and steal funds.

Coincheck said that around 200 customers appear to have engaged with the hackers, believing they were communicating with official Coincheck staff.

The exchange said it had no evidence to confirm that hackers used any information they may have learned during the recent email conversations to breach accounts and to steal any funds.

Coincheck is currently ranked #39 on CoinMarketCap's list of top exchanges. The company is famous for getting hacked in January 2018 and losing $500 million, the biggest crypto-heist in history.

Updated on June 4 to add that fellow Japanese cryptocurrency exchange Bitbank disclosed an identical security incident.