Author

Topic: Fake Coinbase Email Scam (Read 781 times)

administrator
Activity: 3962
Merit: 3162
April 08, 2015, 06:45:43 PM
#10
Duplicate post. Please continue discussion here: https://bitcointalksearch.org/topic/coinbase-investment-fund-email-1017900
member
Activity: 112
Merit: 10
April 08, 2015, 06:42:42 PM
#9
but the email headers are well forged.
Coinbase's Sendgrid account (their backup mail system) had been compromised, see
https://www.reddit.com/r/Bitcoin/comments/31wjt7/coinbase_scam_email_alert/
legendary
Activity: 1316
Merit: 1003
April 08, 2015, 05:33:26 PM
#8
Also, why do they ask me to send my investments to a Blockchain account?

What makes you think these are blockchain accounts?
You can generate a QR code through BC by simply adjusting the address: https://blockchain.info/qr?data=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&size=400
legendary
Activity: 1638
Merit: 1329
Stultorum infinitus est numerus
April 08, 2015, 04:46:48 PM
#7
Quick tip;

If it says "youremail before @, bla bla bla bla" it's probably spam, always hover over link if you aren't sure if it's legit or not, for example a blockchain link can be seen like blokchain.info, make sure to double check the address.
hero member
Activity: 566
Merit: 500
Unselfish actions pay back better
April 08, 2015, 02:54:56 PM
#6
PS: The important thing here is that e.g. Gmail doesn't mark these emails as spam because both SPF and DKIM are legitimate.  Even the reverse DNS is correct (because of the Sendgrid relation).  The only thing about the email headers that gives this away is the Digital Ocean address.

(Of course the email is a blatant scam — I mean, if Coinbase could do a 50% profit in just 10 days they wouldn't need my money in the first place. Also, why do they ask me to send my investments to a Blockchain account? — but the email headers are well forged.)
hero member
Activity: 566
Merit: 500
Unselfish actions pay back better
April 08, 2015, 02:50:10 PM
#5
Thanks for the follow up info kseistrup. Is there a thread already about how you got that so other's can do it for this and other suspicious emails?

Not really, I just looked in the raw email headers (the first two code sections), and did a “whois” lookup of the offending email address.  I don't know about Windows, but mostly anyone on Linux should be able to do that easily.
newbie
Activity: 5
Merit: 0
April 08, 2015, 02:38:11 PM
#4
Thanks for the follow up info kseistrup. Is there a thread already about how you got that so other's can do it for this and other suspicious emails?
hero member
Activity: 566
Merit: 500
Unselfish actions pay back better
April 08, 2015, 02:33:30 PM
#3
I got one, too.

The bad thing is that sender has managed to get SPF and DKIM right because the email has been sent through Sendgrid:

Code:
Received: from o1.em.coinbase.com (o1.em.coinbase.com. [50.31.37.137])

Code:
Received: from o1.em.coinbase.com (o1.em.coinbase.com. [50.31.37.137])
        by mx.google.com with ESMTPS id p13si266962icl.54.2015.04.08.11.49.44
        for
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Apr 2015 11:49:44 -0700 (PDT)
Received-SPF: pass (google.com domain of {UNDISCLOSED}@em.coinbase.com designates 50.31.37.137 as permitted sender) client-ip=50.31.37.137;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of {UNDISCLOSED}@em.coinbase.com designates 50.31.37.137 as permitted sender) smtp.mail={UNDISCLOSED}@em.coinbase.com;
       dkim=pass [email protected];
       dmarc=pass (p=REJECT dis=NONE) header.from=coinbase.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=coinbase.com;
h=content-type:mime-version:content-transfer-encoding:from:to:subject;
s=smtpapi; bh=mzFmpzK4RGa5/BW6ukZz8pgNqs8=; b=QCxwr642hzexeNV19i
R8Ui1ESMG1QJ7dvii3StPST9nuFdztnrXSdsWSt1x8W6x4cYgSmAgJ0QhSDwFyPP
Jmer3WqyWbTm5lh3QWJDnlgEtAtJPJIh7tXvhsIwl/s/Y2uaurdhdso5f6/A8HMw
zf99DP+mHtG+msY/S2ycwCYZE=

Real sender is probably

Code:
Received: from MTYwNDc2NQ (unknown [5.101.100.198])

which is a DigitalOcean customer.
full member
Activity: 155
Merit: 100
April 08, 2015, 02:25:44 PM
#2
I got one too. newbies beware!
newbie
Activity: 5
Merit: 0
April 08, 2015, 02:13:20 PM
#1
I got this today from [email protected]. BEWARE. Obvious scam afloat

Quote
In This Issue:
        Get 150% profit with Coinbase Invest Fund

Dear cconrad0825,

We're happy to announce a new product - Coinbase Invest Fund, reliable platform for
small and medium scale investments. Fund assets are diversified among emerging Forex
positions at Coinbase Exchange. Deposits are risk-free insured by institutions such as the New
York Stock Exchange.

Want to become a professional investor?
Our first short-term investment program starts today - GET 150% FOR A 10-DAY DEPOSIT.

Investment offer is active from 20th of April 12:00 AM Pacific until 30th of April.
Coinbase offers you a fixed return with a 50% growth for a 10 day period.
You can deposit today from $100. Maximum deposit amount per one person
or legal entity is 60 Bitcoins. That's an astonishing opportunity to earn up to $8,500 per 10 days!

Investors who want to apply, please make a deposit to

         19myGCgPiNgcGZMVUHZGNQo3QmSkJUsNEJ or click the link below
         https://blockchain.info/qr?data=19myGCgPiNgcGZMVUHZGNQo3QmSkJUsNEJ&size=400

Once a payment is made you will get an e-mail about successful participation.
Please note: Initial deposit amounts exceeding +30 Bitcoins will qualify your membership for a 2nd level upgrade.

We will return your initial deposit with dividends on 1st of May, 2015 12:00 AM Pacific Time.
(for example: investing 10 Bitcoins today will return 15 Bitcoins in a 10 day period)
Profits are withdrawn without any delay and Coinbase waives all fees for 1st level investments.

Hurry up! This is a limited, one-time opportunity.

Kind regards,
The Coinbase Invest Fund Team

Do not reply to this e-mail
Jump to: