“The price that this person paid blows me away,” said Zack Allen, an expert at cybersecurity company ZeroFox.
The high price paid for the Web addresses, sometimes called domains, indicates someone thinks they’ll make a substantial profit. Domains ending in dot-com cost around $10 per year and scammers often rely on ones that are even cheaper.
“There’s a very real monetization opportunity,” said Nick Nikiforakis, a computer science professor at Stony Brook University who has studied phishing — the technique of using look-alike websites to steal passwords. “If someone steals your credentials, they can immediately start transferring your money out of your account.”
And, if they do, users have no recourse, Nikiforakis said, especially because they’ve lost cryptocurrency, rather than regular money. Cryptocurrency, a form of digital money that has lately soared in price, relies on cryptography to make sure that only the owner of a “wallet” can spend the money it contains. But, once that wallet is stolen, that security works to protect the thief, meaning it’s nearly impossible to get it back — even with a court order.
It is unclear whether cryptocurrency owners have lost money to the typo websites.
But last month, Coinbase announced 6,000 of its customers had their cryptocurrency stolen through a phishing attack, in which fake log-in pages are used to steal passwords. The attack took advantage of a “flaw” in Coinbase’s two-factor authentication security system, the company said. Coinbase said it reimbursed the customers, though it didn’t say how much was lost. There’s no known link between that attack on Coinbase’s customers and conibase.com.
The man with a Brazilian address who bought the domains between November and February didn’t respond to requests for comment from The Washington Post sent in English and Portuguese via email and WhatsApp. It’s not clear if he still controls the domain names or has sold them to others.
Coinbase and Blockchain.com each confirmed that neither company owned the conibase.com, wwwblockchain.com, hlockchain.com or blpckchain.com URLs. Likewise, Coinbase said it didn’t own any of the numerous other variants of Coinbase’s name linked to security certificates and a server shared with conibase.com, discovered via data from ZeroFox and DomainTools, another cybersecurity company.
Nevertheless, when The Post visited conibase.com and wwwblockchain.com, they showed copies of Coinbase and Blockchain.com’s sites, respectively.
“We take the safety of our millions of global users very seriously and remove hundreds of phishing campaigns per month, educate our users regularly, and conduct 24/7 monitoring,” Blockchain.com’s head of communications, Brooks Wallace, told The Post in a statement.
It’s not clear why the domains imitating the cryptocurrency exchanges weren’t detected by security teams at Coinbase or Blockchain.com and taken down in the months since they were purchased. Coinbase and Blockchain.com both requested that domains imitating their websites be taken down.
The ownership of website addresses — let alone sale prices — is usually not public. However, the public is getting a peek into the world of “domain investing” through the hack of Epik. It was hacked in March; data from that hack was released in September by members of the hacking group Anonymous, who highlighted Epik’s support of far-right websites.
But the bulk of Epik’s business appears not to have been the far-right, but rather domain investors. Legitimate domain investors buy domain names — often for around $10 for dot-com Web addresses, sometimes less for other suffixes — and then flip them to someone who wants to use them. Sometimes short or particularly memorable Web addresses can sell for huge sums, like HealthInsurance.com, which sold for more than $8 million in 2019 to a company that markets health insurance plans. Short domain names often sell for thousands. Companies often buy up mistyped versions of their real Web addresses to protect against attacks like these, said Allen, whose firm ZeroFox offers to assist companies in finding and buying typo domains on their behalf.
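The defensive practice Allen describes, finding the mistyped versions of a brand's address before someone else registers them, comes down to enumerating single-keystroke errors. The script below is an added example written for this article, not code from the article, ZeroFox or DomainTools. The QWERTY neighbour table, the set of typo rules and the sample registration feed are constructed assumptions; the four domains named in the article appear only as expected outputs, and the rules are general enough to cover other brands the same way.

```python
"""Generate look-alike ("typo") variants of a brand domain for defensive monitoring.

Added example, not code from the article, ZeroFox or DomainTools. The brand
names, the sample feed and the QWERTY neighbour table are constructed
assumptions; the four domains named in the article are used only as the
expected output of a rule.
"""
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Constructed QWERTY adjacency (assumption: physical neighbours of each key).
QWERTY_NEIGHBOURS: Dict[str, str] = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def transposition(label: str) -> Set[str]:
    """Swap two neighbouring characters: coinbase -> conibase."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def omission(label: str) -> Set[str]:
    """Drop one character: coinbase -> coinbse."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetition(label: str) -> Set[str]:
    """Double one character: coinbase -> coinbbase."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def adjacent_key(label: str) -> Set[str]:
    """Replace one character with a neighbouring key: blockchain -> hlockchain."""
    out: Set[str] = set()
    for i, ch in enumerate(label):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + neighbour + label[i + 1:])
    return out


def www_prefix(label: str) -> Set[str]:
    """Missing dot after www: www.blockchain.com -> wwwblockchain.com."""
    return {"www" + label}


# Order matters only for explain_variant, which reports the first matching rule.
RULES: Dict[str, Callable[[str], Set[str]]] = {
    "transposition": transposition,
    "omission": omission,
    "repetition": repetition,
    "adjacent_key": adjacent_key,
    "www_prefix": www_prefix,
}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld' at the first dot; 'co.uk'-style suffixes stay whole."""
    label, _, tld = domain.lower().strip().partition(".")
    return label, tld


def typo_variants(brand_domain: str) -> Set[str]:
    """All single-edit look-alikes of a brand domain, excluding the brand itself."""
    label, tld = split_domain(brand_domain)
    variants: Set[str] = set()
    for rule in RULES.values():
        variants |= rule(label)
    variants.discard(label)  # e.g. transposing "ll" yields the original label
    return {f"{v}.{tld}" for v in variants}


def explain_variant(brand_domain: str, observed_domain: str) -> Optional[str]:
    """Name the rule under which observed_domain imitates brand_domain, or None."""
    label, tld = split_domain(brand_domain)
    obs_label, obs_tld = split_domain(observed_domain)
    if obs_tld != tld or obs_label == label:
        return None
    for name, rule in RULES.items():
        if obs_label in rule(label):
            return name
    return None


def triage(brand_domains: Iterable[str], newly_registered: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each suspicious registration to (brand, rule) for a brand-protection team to review."""
    hits: Dict[str, Tuple[str, str]] = {}
    for observed in newly_registered:
        for brand in brand_domains:
            rule = explain_variant(brand, observed)
            if rule:
                hits[observed] = (brand, rule)
                break
    return hits


if __name__ == "__main__":
    # Constructed registration feed; the four look-alikes are the ones the article names.
    feed = ["conibase.com", "wwwblockchain.com", "hlockchain.com",
            "blpckchain.com", "example.com", "coinbase.com"]
    for dom, (brand, rule) in triage(["coinbase.com", "blockchain.com"], feed).items():
        print(f"{dom:20s} imitates {brand} via {rule}")
```

Running the script prints one line per hit, naming the rule that produced each look-alike; `coinbase.com` and `example.com` are ignored because neither is a single-edit variant. In practice the feed would be a certificate-transparency or newly-registered-domain stream, and `typo_variants` gives the list a company could register pre-emptively, as the article says ZeroFox helps clients do.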
An Epik spokesperson, replying from a generic email account, told The Post that “typodomains are a common tier of domains in the trading community.”
When investors sell domains — whether to cybercriminals or legitimate companies — they often use an escrow service to ensure that neither the buyer nor the seller is defrauding each other. Epik offered one such service, alongside its role as a domain registrar, selling the right to use a particular Web address.
According to records released in the hack, Epik served as an escrow agent for hundreds of transactions, including many legitimate ones. Epik appears to have charged a 2.5 percent fee for its escrow services — meaning it earned about $5,000 from the sale of the false cryptocurrency exchange Web addresses. The Post confirmed the authenticity of the records by checking with American purchasers of legitimate domains that the private details of the transactions shown in the leaked records were correct.
Other registrars too, not just Epik, allow domains featuring typos — including variants of Coinbase and Blockchain.com linked to the ones whose sales records were reviewed by The Post.
“We cannot control the intent that any buyers may have with individual domains,” Epik said.
Nikiforakis evaluated conibase.com at The Post’s request and said it showed telltale signs of a “phishing tool kit” that provides a ready-made way to spoof common websites, and for which pre-baked templates for both Coinbase and Blockchain.com are readily available online.
Although the domains are the kind a clumsy typist might stumble onto, Allen said that the cybercriminals likely used email to attract their victims, citing mail servers that had been set up to allow emails to be sent from the Web domains.
Nikiforakis believes that such expensive domain names could be used for spearphishing — a phishing campaign aimed at a small number of handpicked people. “You’re not going after me and you with a few hundred bucks in your Coinbase accounts, but people with millions of dollars in their crypto accounts,” he said.
That contrasts with the typical business model for phishing attacks, which tend to use large numbers of cheap domains, to minimize the costs of detection. “If I buy a .xyz [domain] for one dollar and I can make two dollars by the time someone blocks me, I’m ahead,” he said.
The site mimicking Coinbase was on “the more sophisticated side,” said Allen, who evaluated the Web addresses at The Post’s request. For instance, multiple typo sites were turned on around the same time. And, he said, the site tried to automatically detect bot-like visitors, sending them to Google rather than to a fake Coinbase site.
The conibase.com site utilized other tactics to avoid detection. Rather than hosting its copy of Coinbase directly on conibase.com, visitors to that site were redirected to yet another nearly identical Web address. After The Post visited that site the first time, the redirection stopped working. That sort of redirection and evasion, Nikiforakis said, lets phishing site owners exercise some control over who gets to visit their website. Hiding the fake sites is commonly used to foil investigators and screening software operated by security companies.