Coinbase Phishing zG3nVT0g

Detects Coinbase recovery phrase scam websites. Often hosted on Glitch (https://glitch.com/).

References

https://urlscan.io/result/68d77307-6932-4eae-b7b0-ca8157b2a50f/
https://urlscan.io/result/bdf5c218-896f-4e17-b5ef-2b67f80041e2/
https://urlscan.io/result/4a5ee737-6cf8-4028-9bfc-4e93afbe6627/

IOK Rule (edit)

title: Coinbase Phishing zG3nVT0g
description: Detects Coinbase recovery phrase scam websites. Often hosted on Glitch (https://glitch.com/).

references:
    - https://urlscan.io/result/68d77307-6932-4eae-b7b0-ca8157b2a50f/
    - https://urlscan.io/result/bdf5c218-896f-4e17-b5ef-2b67f80041e2/
    - https://urlscan.io/result/4a5ee737-6cf8-4028-9bfc-4e93afbe6627/

detection:
  imageFile:
    # This image file is used on a lot of Coinbase scams in their forms.
    html|contains: 'https://i.postimg.cc/zG3nVT0g/cb675.png'

  condition: imageFile

tags:
    - target.coinbase
    - cryptocurrency