Boosting email security amid recent Coinbase phishing attempts

In recent weeks, there have been reports of sophisticated phishing attacks disguised as official communication from the cryptocurrency platform, Coinbase. These phishing emails closely mimic Coinbase’s branding and language to build recipient trust and prompt clicks on malicious links. The subject lines of these emails generally follow a format: the sender’s address starts with either info@[domain], noreply@[ domain], or contact@[domain], followed by:

  1. Action Required: [string of text]. [date and time]
  2. Please complete your Coinbase verification
  3. Restricted account — You need to complete your Coinbase verification

Red Sift’s research indicates that the attackers are forwarding these emails from Google using Google Groups. The attacker will create a domain on Google Workspace, and then email the group that was set up from the spoofed domain. By using Google’s IP reputation, lack of guardrails in Google Groups, and use of ARC, they hope to bypass spam filters.

Notably, one bad actor’s email address, traced through a reverse search, was linked to 400 domains registered since September 2024.

What is phishing? 

Phishing emails rely on a technique known as email spoofing, which involves falsifying the sender’s address to make the email appear as though it’s coming from a legitimate source. This tactic effectively deceives recipients,, making it hard for even cautious users to distinguish fraudulent emails from real ones. Bad actors masking as Coinbase make the user more likely to fall for urgent or alarming messages given the financial implications of not taking action. 

Coinbase is just one of many high-profile brands exploited for its recognition, routinely imitated for use in phishing campaigns. This prevalence underscores the urgent need for companies to take proactive measures in securing email domains against unauthorized use, ensuring that their customers aren’t exposed to increasingly sophisticated phishing scams. A comprehensive approach to email security, including advanced authentication protocols like Domain-based Message Authentication, Reporting, and Conformance (DMARC) is essential to mitigate this risk.

Implementing a DMARC policy is the first step in combating email spoofing. DMARC allows organizations to define who is authorized to send emails from their domain and specifies how to handle messages that fail authentication checks.  This is how Red Sift was able to identify the attack, after a noticeable spike in DMARC rejections from emails sent via Google. Achieving a DMARC policy of p=reject is the most secure approach, as it ensures that any unauthenticated email that fails the verification process is automatically blocked, protecting the sender and receiver. 

How Red Sift’s OnDMARC can support financial services with email security

Red Sift’s OnDMARC solution is a powerful tool for companies aiming to achieve DMARC compliance with ease and confidence. OnDMARC guides businesses through the process of setting up and optimizing their DMARC policies, helping them transition from p=none or p=quarantine to p=reject. OnDMARC simplifies this complex process, helping authorize legitimate senders while blocking fraudulent emails. This level of protection is invaluable for companies like Coinbase, which face heightened impersonation risks.

OnDMARC also provides detailed reporting and forensics, allowing companies to monitor email authentication attempts and detect any unauthorized email activity early, thereby proactively mitigating potential risks. This visibility has played a vital role in protecting Red Sift customers from phishing attacks disguised as legitimate Coinbase emails. In addition, OnDMARC also offers support for organizations at all stages of DMARC implementation, whether they’re just starting or are looking to refine an existing policy. For high-traffic domains, this service is critical in providing assurance that their emails are authenticated and that any unauthorized attempts are promptly rejected.

Today, managing cybersecurity threats requires a robust and automated approach, designed to counter the increase in phishing and spoofing attacks. Having  strengthened DMARC protection through a service like OnDMARC can significantly enhance a company’s email security posture. For financial services looking to protect their customers and maintain their brand’s reputation, OnDMARC offers a reliable and scalable solution, empowering them to stay ahead of bad actors. 

PUBLISHED BY

Jack Lilley

31 Oct. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Red Sift

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched,  services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of…

Read more
DKIM

First look at DKIM2: The next generation of DKIM

Red Sift

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records. Now in 2024, DKIM is ready for…

Read more
Security

Securing our world: For a safer internet

Jack Lilley

October is Cybersecurity Awareness Month, a time for industries to unite in promoting digital security within today’s complex landscape. Bad actors are leveraging increasingly sophisticated methods—such as email phishing and Business Email Compromise (BEC)—to exploit vulnerabilities, impersonate legitimate contacts, and access sensitive information. CISA Director Jen Easterly advises us to “always think before you…

Read more
Cybersecurity

Boosting email security amid recent Coinbase phishing attempts

Jack Lilley

In recent weeks, there have been reports of sophisticated phishing attacks disguised as official communication from the cryptocurrency platform, Coinbase. These phishing emails closely mimic Coinbase’s branding and language to build recipient trust and prompt clicks on malicious links. The subject lines of these emails generally follow a format: the sender’s address starts with…

Read more