Fake Coinbase Email Scam | Bitcointalksearch.org

Cyrus

administrator

Activity: 4004

Merit: 3219

Duplicate post. Please continue discussion here: https://bitcointalksearch.org/topic/coinbase-investment-fund-email-1017900

cassini

member

Activity: 112

Merit: 10

Quote from: kseistrup on April 08, 2015, 02:54:56 PM

but the email headers are well forged.

Coinbase's Sendgrid account (their backup mail system) had been compromised, see
https://www.reddit.com/r/Bitcoin/comments/31wjt7/coinbase_scam_email_alert/

bernard75

legendary

Activity: 1316

Merit: 1003

Quote from: kseistrup on April 08, 2015, 02:54:56 PM

Also, why do they ask me to send my investments to a Blockchain account?

What makes you think these are blockchain accounts?
You can generate a QR code through BC by simply adjusting the address: https://blockchain.info/qr?data=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&size=400

Deathwing

legendary

Activity: 1638

Merit: 1329

Stultorum infinitus est numerus

Quick tip;

If it says "youremail before @, bla bla bla bla" it's probably spam, always hover over link if you aren't sure if it's legit or not, for example a blockchain link can be seen like blokchain.info, make sure to double check the address.

kseistrup

hero member

Activity: 566

Merit: 500

Unselfish actions pay back better

PS: The important thing here is that e.g. Gmail doesn't mark these emails as spam because both SPF and DKIM are legitimate. Even the reverse DNS is correct (because of the Sendgrid relation). The only thing about the email headers that gives this away is the Digital Ocean address.

(Of course the email is a blatant scam — I mean, if Coinbase could do a 50% profit in just 10 days they wouldn't need my money in the first place. Also, why do they ask me to send my investments to a Blockchain account? — but the email headers are well forged.)

kseistrup

hero member

Activity: 566

Merit: 500

Unselfish actions pay back better

Quote from: cconrad0825 on April 08, 2015, 02:38:11 PM

Thanks for the follow up info kseistrup. Is there a thread already about how you got that so other's can do it for this and other suspicious emails?

Not really, I just looked in the raw email headers (the first two code sections), and did a “whois” lookup of the offending email address. I don't know about Windows, but mostly anyone on Linux should be able to do that easily.

cconrad0825

newbie

Activity: 5

Merit: 0

Thanks for the follow up info kseistrup. Is there a thread already about how you got that so other's can do it for this and other suspicious emails?

kseistrup

hero member

Activity: 566

Merit: 500

Unselfish actions pay back better

I got one, too.

The bad thing is that sender has managed to get SPF and DKIM right because the email has been sent through Sendgrid:

Code:

Received: from o1.em.coinbase.com (o1.em.coinbase.com. [50.31.37.137])

Code:

Received: from o1.em.coinbase.com (o1.em.coinbase.com. [50.31.37.137])
        by mx.google.com with ESMTPS id p13si266962icl.54.2015.04.08.11.49.44
        for 
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Apr 2015 11:49:44 -0700 (PDT)
Received-SPF: pass (google.com domain of {UNDISCLOSED}@em.coinbase.com designates 50.31.37.137 as permitted sender) client-ip=50.31.37.137;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of {UNDISCLOSED}@em.coinbase.com designates 50.31.37.137 as permitted sender) smtp.mail={UNDISCLOSED}@em.coinbase.com;
       dkim=pass [email protected];
       dmarc=pass (p=REJECT dis=NONE) header.from=coinbase.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=coinbase.com; 
	h=content-type:mime-version:content-transfer-encoding:from:to:subject; 
	s=smtpapi; bh=mzFmpzK4RGa5/BW6ukZz8pgNqs8=; b=QCxwr642hzexeNV19i
	R8Ui1ESMG1QJ7dvii3StPST9nuFdztnrXSdsWSt1x8W6x4cYgSmAgJ0QhSDwFyPP
	Jmer3WqyWbTm5lh3QWJDnlgEtAtJPJIh7tXvhsIwl/s/Y2uaurdhdso5f6/A8HMw
	zf99DP+mHtG+msY/S2ycwCYZE=

Real sender is probably

Code:

Received: from MTYwNDc2NQ (unknown [5.101.100.198])

which is a DigitalOcean customer.

daviducsb

full member

Activity: 155

Merit: 100

I got one too. newbies beware!

cconrad0825

newbie

Activity: 5

Merit: 0

I got this today from [email protected]. BEWARE. Obvious scam afloat

Quote

In This Issue:
Get 150% profit with Coinbase Invest Fund

Dear cconrad0825,

We're happy to announce a new product - Coinbase Invest Fund, reliable platform for
small and medium scale investments. Fund assets are diversified among emerging Forex
positions at Coinbase Exchange. Deposits are risk-free insured by institutions such as the New
York Stock Exchange.

Want to become a professional investor?
Our first short-term investment program starts today - GET 150% FOR A 10-DAY DEPOSIT.

Investment offer is active from 20th of April 12:00 AM Pacific until 30th of April.
Coinbase offers you a fixed return with a 50% growth for a 10 day period.
You can deposit today from $100. Maximum deposit amount per one person
or legal entity is 60 Bitcoins. That's an astonishing opportunity to earn up to $8,500 per 10 days!

Investors who want to apply, please make a deposit to

19myGCgPiNgcGZMVUHZGNQo3QmSkJUsNEJ or click the link below
https://blockchain.info/qr?data=19myGCgPiNgcGZMVUHZGNQo3QmSkJUsNEJ&size=400

Once a payment is made you will get an e-mail about successful participation.
Please note: Initial deposit amounts exceeding +30 Bitcoins will qualify your membership for a 2nd level upgrade.

We will return your initial deposit with dividends on 1st of May, 2015 12:00 AM Pacific Time.
(for example: investing 10 Bitcoins today will return 15 Bitcoins in a 10 day period)
Profits are withdrawn without any delay and Coinbase waives all fees for 1st level investments.

Hurry up! This is a limited, one-time opportunity.

Kind regards,
The Coinbase Invest Fund Team

Do not reply to this e-mail

Topic: Fake Coinbase Email Scam (Read 789 times)