Coinbase clone generic

Detects phishing pages built from an older copy of the Coinbase website: the clone still carries the amplitude.js API key and the two Google Site Verification tokens that the legitimate site used at the time the HTML was copied.

References

  • https://urlscan.io/result/cf711368-757f-4ed2-b45b-47849e93c2c7
  • https://urlscan.io/result/85d74c2c-b751-4f99-8888-c73518b38919

Recent Detections

  • hxxps://vps26547[.]inmotionhosting[.]com/~meronepal/wp-includes/...
  • hxxps://mapa-mn[.]com/conchi/Coinbase%20-%20Buy_Sell%20Cryptocur...
  • hxxps://coinbase-accounts-unauthorizeds[.]com/verify/otp.php
  • hxxps://coinbase-identify-able[.]com/verify/otp.php
  • hxxps://coinbase-transaction-suspicious[.]com/verify/otp.php
  • hxxps://coinbase-verification-updates[.]com/verify/otp.php
  • hxxps://vps67084[.]inmotionhosting[.]com/~bodyspec/wp-includes/c...
  • hxxps://coinbase[.]capital160[.]com/coinbase.com/password/change...
  • hxxps://www[.]capital160[.]com/coinbase/coinbase.com/password/ch...
  • hxxp://trustest[.]epizy[.]com?i=2

IOK Rule

title: Coinbase clone generic
description: |
    Detects phishing pages built from an older copy of the Coinbase
    website: the clone still carries the `amplitude.js` API key and
    the two Google Site Verification tokens that the legitimate site
    used at the time the HTML was copied.

references:
  - https://urlscan.io/result/cf711368-757f-4ed2-b45b-47849e93c2c7
  - https://urlscan.io/result/85d74c2c-b751-4f99-8888-c73518b38919

detection:

  googleSiteVerificationKeyOne:
    html|contains: 'R7G5THr8xgaHFkTNkr_RUB0HvX2Nf8e4qnWi0X1kmz8'

  googleSiteVerificationKeyTwo:
    html|contains: '_GaQTkOlc8tLwxDbZfMdxgGPL5wnctrp-vfeavJVsHE'

  amplitudeJSKey:
    js|contains: '132e62b5953ce8d568137d5887b6b7ab'
    
  condition: googleSiteVerificationKeyOne and googleSiteVerificationKeyTwo and amplitudeJSKey
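To show what the rule above actually evaluates, here is a small stand-alone evaluator for its detection section. This is an added example, not Phish.report's IOK engine: the rule is transcribed into a Python dict, the two sample pages (`CLONE_PAGE`, `PARTIAL_PAGE`) are constructed rather than captured, and it assumes a simplified reading of IOK in which `html` is the page source and `js` is the concatenated script content of the scan. Only the `contains`, `startswith` and `endswith` modifiers are implemented.

```python
"""Minimal evaluator for the 'Coinbase clone generic' IOK rule's detection logic.

Added example, not the IOK reference implementation. Assumptions: `html` holds the
page source and `js` the concatenated script bodies; only a subset of IOK
modifiers is supported; the sample pages below are constructed, not real captures.
"""
import ast
import re
from typing import Dict, List, Tuple

# Detection section of the rule above, transcribed into a dict.
RULE = {
    "googleSiteVerificationKeyOne": {
        "html|contains": "R7G5THr8xgaHFkTNkr_RUB0HvX2Nf8e4qnWi0X1kmz8"},
    "googleSiteVerificationKeyTwo": {
        "html|contains": "_GaQTkOlc8tLwxDbZfMdxgGPL5wnctrp-vfeavJVsHE"},
    "amplitudeJSKey": {
        "js|contains": "132e62b5953ce8d568137d5887b6b7ab"},
    "condition": "googleSiteVerificationKeyOne and googleSiteVerificationKeyTwo "
                 "and amplitudeJSKey",
}

# Constructed sample (not a real capture): a page built from old Coinbase HTML that
# still carries both verification tags and the amplitude init call.
CLONE_PAGE = {
    "html": (
        '<!DOCTYPE html><html><head>\n'
        '<meta name="google-site-verification" '
        'content="R7G5THr8xgaHFkTNkr_RUB0HvX2Nf8e4qnWi0X1kmz8">\n'
        '<meta content="_GaQTkOlc8tLwxDbZfMdxgGPL5wnctrp-vfeavJVsHE" '
        'name="google-site-verification">\n'
        '<title>Coinbase - Buy &amp; Sell Cryptocurrency</title>\n'
        '</head><body><form method="post"><input name="email"></form></body></html>'
    ),
    "js": 'amplitude.getInstance().init("132e62b5953ce8d568137d5887b6b7ab");',
}

# Constructed: same stale verification tags, but the analytics bundle was stripped,
# so the rule's three-way AND must not fire.
PARTIAL_PAGE = {"html": CLONE_PAGE["html"], "js": "console.log('no analytics');"}


def match_selector(key: str, needle: str, page: Dict[str, str]) -> bool:
    """Evaluate one 'field|modifier' selector against the page's fields."""
    field, _, modifier = key.partition("|")
    haystack = page.get(field, "")
    if modifier in ("", "contains"):
        return needle in haystack
    if modifier == "startswith":
        return haystack.startswith(needle)
    if modifier == "endswith":
        return haystack.endswith(needle)
    raise ValueError(f"unsupported modifier: {modifier}")


def eval_condition(expr: str, results: Dict[str, bool]) -> bool:
    """Evaluate the rule's boolean condition (and / or / not / parentheses)
    without eval(): parse it with ast and walk only boolean nodes."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return results[node.id]
        raise ValueError(f"unexpected token in condition: {ast.dump(node)}")
    return walk(ast.parse(expr, mode="eval").body)


def evaluate_rule(rule: dict, page: Dict[str, str]) -> Tuple[bool, Dict[str, bool]]:
    """Return (rule fired?, per-selector results) for one scanned page."""
    results = {}
    for name, selectors in rule.items():
        if name == "condition":
            continue
        # A named block matches only if every selector line inside it matches.
        results[name] = all(match_selector(k, v, page) for k, v in selectors.items())
    return eval_condition(rule["condition"], results), results


META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*["\']([^"\']*)["\']')


def site_verification_tokens(html: str) -> List[str]:
    """Pull google-site-verification tokens out of <meta> tags, regardless of
    attribute order; handy for pivoting from one clone to other copies of the kit."""
    tokens = []
    for tag in META_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "google-site-verification" and "content" in attrs:
            tokens.append(attrs["content"])
    return tokens


if __name__ == "__main__":
    for label, page in (("clone", CLONE_PAGE), ("partial", PARTIAL_PAGE)):
        fired, parts = evaluate_rule(RULE, page)
        print(label, "fired" if fired else "clean", parts)
    print(site_verification_tokens(CLONE_PAGE["html"]))
```

The `PARTIAL_PAGE` case is the caveat worth keeping in mind: because the condition ANDs all three indicators, a kit that keeps the stale verification tags but strips the analytics bundle falls through, and conversely a site that merely reused one of the tokens does not fire. The token extractor is there because the verification strings, not the amplitude key, are the easier pivot when hunting for further copies of the same kit.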