Coincheck, an exchange in Japan, has disclosed that one of its domains was hijacked by hackers, who used it to send multiple emails to its users seeking information. As soon as it realised this, the exchange suspended its remittance operations while the rest of its functions continued. The report was published yesterday and stated that the hacking began on May 31. Coincheck's account on Oname.com was hacked, and the domain registrar also confirmed the same. According to a security researcher in Japan, the primary DNS entry was modified. Coincheck is yet to give out any technical details regarding the incident.
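Regarding the Coincheck incident: several fake domains closely resembling the Amazon Route 53 domains originally registered in the NS records were registered the day before, on 5/29. It appears the NS records were then rewritten at お名前.com on 5/30.
(Example) genuine awsdns-61[.]org → fake awsdns-061[.]org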
The Japanese exchange uses Amazon's DNS service, and the hackers reportedly changed the Oname.com back-end entry from awsdns-61.org to awsdns-061.org. The tampering allowed them to gain access to the Coincheck portal at Oname.com. The hackers smartly opted not to migrate all of the traffic to their new address, as that would have instantly alarmed the exchange.
Instead, they sent emails to the exchange's clients asking them to verify their details and accounts, and the users' replies were directed to the Coincheck clone the hackers had created. It is believed almost 200 responses were received. The hackers presented themselves as the exchange's staff to gather users' details and use them at a later date.
The exchange ultimately detected the hacking when it saw abnormal traffic and decided to stop its remittance operations, while the rest of its operations, such as withdrawals, carried on as intended. The hackers had access to the domain until 1 June, when Coincheck regained control. The company states that, to its knowledge, the hackers have not yet used any of the information to steal funds.
Coincheck is not new to such hijacking: it was looted of $500 million in January 2018 in what is considered the biggest crypto heist.
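
A defensive check for the NS swap described above, as an added example that is not part of the original article: it compares an observed delegation against a known-good baseline and flags nameservers whose parent zone merely resembles a trusted one. The host labels, the baseline set and the function names are constructed for illustration; in practice the observed set would come from querying the parent zone's servers.

```python
import re

# Constructed baseline: the delegation the zone owner expects (host labels are sample values).
BASELINE_NS = {"ns-1.awsdns-61.org", "ns-2.awsdns-10.com"}

def norm(host):
    """Lower-case and drop the trailing root dot."""
    return host.rstrip(".").lower()

def parent_zone(host):
    """Drop the leftmost label: ns-1.awsdns-61.org -> awsdns-61.org."""
    return norm(host).partition(".")[2] or norm(host)

def squash(zone):
    """Strip leading zeros from digit runs so awsdns-061 compares equal to awsdns-61."""
    return re.sub(r"\d+", lambda m: str(int(m.group())), zone)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_ns(observed, baseline=BASELINE_NS, max_dist=2):
    """Return (host, verdict, resembles) for each observed NS missing from the baseline.
    Every finding is a deviation worth alerting on; the verdict only helps triage."""
    known = {norm(h) for h in baseline}
    trusted = {parent_zone(h) for h in known}
    findings = []
    for host in sorted({norm(h) for h in observed} - known):
        zone = parent_zone(host)
        if zone in trusted:
            findings.append((host, "unexpected-host", zone))
            continue
        near = sorted(t for t in trusted
                      if squash(t) == squash(zone) or edit_distance(t, zone) <= max_dist)
        findings.append((host, "lookalike" if near else "unknown-zone",
                         near[0] if near else None))
    return findings

if __name__ == "__main__":
    # Constructed observation mirroring the swap reported in the article.
    for finding in audit_ns({"ns-1.awsdns-061.org.", "ns-2.awsdns-10.com"}):
        print(finding)
```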