Detects a cloned version of the Coinbase website from the past
that uses the same amplitude.js API key as well as the same
Google Site Verification keys, they used to use.
title: Coinbase Phishing Kit cf711368
description: |
Detects a cloned version of the Coinbase website from the past
that uses the same `amplitude.js` API key as well as the same
Google Site Verification keys, they used to use.
references:
- https://urlscan.io/result/cf711368-757f-4ed2-b45b-47849e93c2c7
- https://urlscan.io/result/85d74c2c-b751-4f99-8888-c73518b38919
detection:
googleSiteVerificationKeyOne:
html|contains: 'R7G5THr8xgaHFkTNkr_RUB0HvX2Nf8e4qnWi0X1kmz8'
googleSiteVerificationKeyTwo:
html|contains: '_GaQTkOlc8tLwxDbZfMdxgGPL5wnctrp-vfeavJVsHE'
amplitudeJSKey:
js|contains: '132e62b5953ce8d568137d5887b6b7ab'
condition: googleSiteVerificationKeyOne and googleSiteVerificationKeyTwo and amplitudeJSKey
tags:
- kit
- target.coinbase