In this blog, we will try to shed some light on a new Coinbase phishing scheme that’s making its way around the globe with the scammers wanting to get the most information possible on their victims.

It all begins with a simple email regarding suspicious usage of the customer’s account:

As we already explained in a prior blog on phishing, the scammers will use psychological techniques to trick the victim – what’s known as social engineering. The usual subjects tend to be things like urgent requests from financial institutions, unusual login access alerts, anything that could rush someone to perform the action where the scammer has the trap ready.

With this Coinbase phishing example, the user should have noticed a couple of major red flags that would have kept them from falling into the hacker’s trap, such as the address of the email sender, the lack of personalization (the user is not referred to by name), the grammatical errors, and, most importantly, the suspicious link the soon-to-be phishing victim was being lured to click on. (Always remember to hover over links to see what address an email is leading you to before you actually click on it.)
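The red flags listed above (untrusted sender domain, generic greeting, and a link whose visible text does not match its real destination) can be checked mechanically. The script below is an added example written for this post, not code from Halborn or Coinbase; the email it parses is a constructed sample that imitates the described message, and the `.invalid` domains and the `TRUSTED_DOMAINS` set are assumptions for the example.

```python
"""Flag common phishing red flags in an email (constructed sample, not the real scam message)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the legitimate service actually sends from (assumption for this example).
TRUSTED_DOMAINS = {"coinbase.com"}

# Constructed sample message modelled on the red flags described in the post.
SAMPLE_EMAIL = """\
From: Coinbase Support <support@coinbase-alerts.invalid>
To: customer@example.com
Subject: Suspicious usage detected on you account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We has detected suspicious usage on you account. Please verify now:</p>
<p><a href="https://coinbase-verify.invalid/login">https://www.coinbase.com/signin</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a> ... </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; enough here, no public-suffix list used."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def domain_of(url_or_text):
    """Host of a URL, or of a bare 'www.example.com/...' string shown as link text."""
    candidate = url_or_text if "://" in url_or_text else "https://" + url_or_text
    return urlparse(candidate).hostname or ""


def find_red_flags(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags found in the raw email text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Sender domain is not one the service actually uses.
    sender_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    if registrable_domain(sender_domain) not in trusted:
        flags.append(f"sender domain not trusted: {sender_domain}")

    # 2. Generic greeting: the recipient is not addressed by name.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if "dear customer" in html.lower():
        flags.append("generic greeting (no recipient name)")

    # 3. Links whose real target is untrusted, or whose visible text hides that target
    #    (the same thing a reader sees when hovering over the link).
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_dom = registrable_domain(domain_of(href))
        if href_dom not in trusted:
            flags.append(f"link target not trusted: {href}")
        text_dom = registrable_domain(domain_of(text)) if "." in text else ""
        if text_dom and text_dom != href_dom:
            flags.append(f"link text '{text}' hides target {href}")
    return flags


if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

The domain comparison is deliberately simple (last two labels) so the logic stays readable; a production mail filter would use a public-suffix list and also examine the `Reply-To` header and any URL shorteners before deciding a link is safe.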


Let’s assume that we are the victim and that we clicked on that phishing link. Now what happens?

Well, the first page that we will see looks like a real Coinbase webpage:

At first sight, it appears that the scammers want to get access to the victim’s Coinbase credentials. But it doesn’t stop there. If we move even further along the phishing scam, we’ll find even more dangers when we see an alert that our account has been locked:

Of course, at this point, we – the victim – would have already handed our credentials to the scammers, and so will be surprised to read that our account, and maybe our assets, are locked. So we click on “Verify my account.”

On the next page, as you can see above, the cybercriminal will pursue even more personal data from its victims, who may miss more red flags: another grammatical error and a glaring typo: SIGNI instead of SIGN IN. Having missed those red flags and clicked on the “SIGNI” button, this would be the page the victim would see next:

As you can see, this is where the hacker can begin to do some real damage. They demand a lot of personal information, which they can then use in what’s called a spear phishing attack: a super-targeted phishing technique in which the spear phishers pretend to be a trusted source to convince victims to reveal confidential data, personal information, or other sensitive details.

Of course, it doesn’t end here. The phishing attackers are just setting the stage for what’s behind the next page, the real jackpot: your credit card information.

Once again, if the “Expired date” field (a typo for “Expiration date”) didn’t alert the victim that a scam was in progress, they would have freely given their credit card information, social security number and address to a hacker.

The final coup de grâce comes on the last page, where the scammer requests your photo ID – front and back, of course! – for “identity verification” purposes.

Armed with the ID photo of the victim, the scammers can now open all kinds of new accounts, credit cards, and loans, by impersonating their victims.

After collecting all the information they want from the victim, the phishing site finally offers the victim a fake reassurance that their account was successfully verified: 

And they’ll be promptly redirected to the real Coinbase site:

At this point, the innocent victim will enter their Coinbase credentials (which will work without a hitch this time), thinking that their locked account problem was solved, completely oblivious to the fact that they’ve just been scammed.

Best Practices to Avoid Being the Victim of a Phishing Attack

The best defense against phishing attacks is to stay vigilant and think twice before doing anything that seems a bit unusual or potentially suspicious. If an email contains a link to be clicked, visit the site directly instead and find the target page from there. If an attachment is unsolicited and seems suspicious, message the sender and confirm before downloading or opening it.

If you think that you have received a phishing email, report it to the IT security team of the company the phishing email was impersonating so that they can investigate the phishing claim and respond if anyone else clicked on the email.

No one can detect every phishing email, so it’s important for companies to have security processes in place for managing potential phishing attacks. An email security system can help to detect and block a potential phishing attack, and the use of multi-factor authentication can mitigate the impact of compromised credentials.

In the event of a successful phishing attack, it’s imperative to begin incident response as quickly as possible to minimize the damage to the victim. If you’re an organization, having a professional incident response team on-call can mean the difference between a devastating ransomware attack or data breach and a non-event. Contact the Halborn cybersecurity team at halborn@protonmail.com for more info on how we can help your organization prevent or mitigate phishing attacks.

Luis Lubeck
01.27.2022