Coinbase Users Face Ongoing Phishing Attacks


The rise in the value of cryptocurrencies has inevitably drawn the eye of criminals, and the concentration of crypto in the cryptocurrency exchanges has focused that attention. Coinbase is the largest exchange in the U.S., and researchers have detected numerous phishing campaigns against Coinbase users.

The size/value of Coinbase is impressive. It claims to have more than 56 million verified users in more than 100 countries. Its traded volume is around $335 billion, and it has $223 billion in assets on the platform.

Researchers at anti-phishing firm INKY have discovered dozens of current phishing campaigns targeting Coinbase users. In a blog post today, it describes just one designed to steal Coinbase login credentials for the theft of cryptocurrency, and financial and personal details.

This campaign uses a well-written and presented email supporting the Coinbase logo. There is little in the content to indicate a scam – no spelling errors or typos, and it uses acceptable style and grammar. The pitch differs slightly from the ‘we have detected unauthorized activity and have blocked your account’ to one saying, ‘we have actioned your request to disable your account’. Re-enabling the account requires clicking a button and re-entering credentials.

The email was sent from a hijacked email account. If targets were fooled, and clicked the presented button, they were sent to a perfect copy of the real Coinbase login page. This fake page was hosted on the website of a German roof renovation company. Compromising websites and using them to host and hide material in orphan pages is a common practice among criminals.

In this instance, the only visual giveaway that the page was false was in the browser’s link address bar (‘bedachungen-bauer[.]de’ rather than ‘coinbase[.]com/signin’). Any credentials entered into this fake page was immediately harvested and sent to the criminals.

Coinbase phishing attack

Coinbase, along with most authorities, urges users to employ two-factor authentication. INKY warns that this may not be enough. Although not used in this campaign, criminals can use man-in-the-middle attack frameworks (such as Evilginx) to capture the 2FA token sent to the phished client. Evilginx uses a Nginx HTTP server to proxy real websites to phishing victims, capturing any 2FA token that the website may send as a browser cookie to the client.

Phishing remains one of – if not the – most prolific criminal attack vectors, and phishing the user may seem a softer target than hacking the exchange. Exchange hacks, however, are not infrequent. Theft of bitcoin worth nearly $500 million led to the collapse of MtGox in 2014, which was the world’s largest exchange at the time. One conclusion was that the bitcoins were slowly pilfered from a hot wallet from 2011 to 2014.

In 2019, the Binance exchange lost 7,000 bitcoins (then worth more than $41 million), also stolen from a hot wallet.

Anti-phishing firm INKY, headquartered in Washington DC, was founded in 2008 by Dave Baggett (CEO) and Simon Smith (COO). The firm brings artificial intelligence in the form of machine learning and computer vision technology to the recognition and handling of phishing emails. In June 2020 it raised $20 million in a series B funding round, bringing total raised to date to $31.6 million.

Related: BIMI: Emerging Standard Aims to Address DMARC Shortcomings

Related: Microsoft: Ongoing, Expanding Campaign Bypassing Phishing Protections

Related: AI-Facilitated Product Aims to Stop Spear-Phishing Attacks

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:
Tags:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *