Beware: Coinbase Phishing scam "Review Our New User Agreement"

[Elwar]

Bah, I didn't catch that it was a phishing attempt until after I'd logged in with my password. Changed the password immediately.

I didn't notice it was a bad link until it said the page was not available. Then I looked closer at the link and it was a coinbase link with some sort of url redirect:

h ttps://www.coinbase.com/sessions/oauth_signin?client_id=ef7477ce7e238f083b59f8ff58a0974f086fa18fce609ad6499935889f5a763e&redirect_uri=https://coinbasevaultcom.serversicuro.it/&response_type=code

Though I don't think it actually redirected.
------
On 08/11/2014 with the introduction of our new Multisig Vault our User Agreement has changed. Please click the link below to accept our new User Agreement:

Accept Our New User Agreement

In order to continue using our services you need to agree with the new agreement.

Kind regards,
The Coinbase Team
-------

[1714004886]

1714004886

[1714004886]

1714004886

[1714004886]

1714004886

[1714004886]

1714004886

[1714004886]

1714004886

[Jamie_Boulder]

Thanks for sharing Elwar.

[Remember remember the 5th of November]

Wow...this is a serious flaw in coinbase, it allows an attacker to arbitrarily redirect people by disguising the link(and actually using coinbase itself).

EDIT: Oh, it didn't redirect?

[Elwar]

EDIT: Oh, it didn't redirect?
[/quote

I don't believe so, but I'm not trying the link again to find out.

[The Tipping Point]

Did you receive a email with this link in or was in on a google search?

[Elwar]

Did you receive a email with this link in or was in on a google search?

An e-mail. Which is more disturbing considering they knew my e-mail address. Though I use that address for many things.

[RobertDJ]

Did you receive a email with this link in or was in on a google search?

An e-mail. Which is more disturbing considering they knew my e-mail address. Though I use that address for many things.

They probably found your email address from some database of email addresses that are associated with bitcoin and sent emails to them all.

Another possibility is that they attempted to sign up with many email addresses and sent emails to accounts that they received an error message saying that an account already exists with that email

[Elwar]

Did you receive a email with this link in or was in on a google search?

An e-mail. Which is more disturbing considering they knew my e-mail address. Though I use that address for many things.

They probably found your email address from some database of email addresses that are associated with bitcoin and sent emails to them all.

Another possibility is that they attempted to sign up with many email addresses and sent emails to accounts that they received an error message saying that an account already exists with that email

Probably from one of the many hacked sites...Bitcoinica, Mt Gox, and others.

I had 2 factor authentication set up anyway so they could not access my account either way.

[dontCAREhair]

EDIT: Oh, it didn't redirect?

I don't believe so, but I'm not trying the link again to find out.

If you have access/the ability to run a VM, I would suggest visiting the URL from a VM to see what happens and to investigate for sure if it is actually a coinbase page or not when you load the URL.

Also I would suggest editing your post so it is more obvious that the link is a potential phishing link.

[vtrac]

Bah, I didn't catch that it was a phishing attempt until after I'd logged in with my password. Changed the password immediately.

I didn't notice it was a bad link until it said the page was not available. Then I looked closer at the link and it was a coinbase link with some sort of url redirect:

h ttps://www.coinbase.com/sessions/oauth_signin?client_id=ef7477ce7e238f083b59f8ff58a0974f086fa18fce609ad6499935889f5a763e&redirect_uri=https://coinbasevaultcom.serversicuro.it/&response_type=code

Though I don't think it actually redirected.
------
On 08/11/2014 with the introduction of our new Multisig Vault our User Agreement has changed. Please click the link below to accept our new User Agreement:

Accept Our New User Agreement

In order to continue using our services you need to agree with the new agreement.

Kind regards,
The Coinbase Team
-------

You can't just change your password immediately. You need to remove all 3rd party API access now in coinbase now. This is a huge flaw in coinbase: http://www.reddit.com/r/Bitcoin/comments/2lt76n/warning_coinbase_oauth_phishing_attack_allows/

[dontCAREhair]

Bah, I didn't catch that it was a phishing attempt until after I'd logged in with my password. Changed the password immediately.

I didn't notice it was a bad link until it said the page was not available. Then I looked closer at the link and it was a coinbase link with some sort of url redirect:

h ttps://www.coinbase.com/sessions/oauth_signin?client_id=ef7477ce7e238f083b59f8ff58a0974f086fa18fce609ad6499935889f5a763e&redirect_uri=https://coinbasevaultcom.serversicuro.it/&response_type=code

Though I don't think it actually redirected.
------
On 08/11/2014 with the introduction of our new Multisig Vault our User Agreement has changed. Please click the link below to accept our new User Agreement:

Accept Our New User Agreement

In order to continue using our services you need to agree with the new agreement.

Kind regards,
The Coinbase Team
-------

You can't just change your password immediately. You need to remove all 3rd party API access now in coinbase now. This is a huge flaw in coinbase: http://www.reddit.com/r/Bitcoin/comments/2lt76n/warning_coinbase_oauth_phishing_attack_allows/

This is true for most sites that allow API access as all that you need to access the site is the API key associated with your account. It is an overall security risk for any site that you enable API access to when the API can make any kind of financial decisions for you

[Singlebyte]

I know this is is an old thread but just wanted to point out that the Phishers are at it again......

Just received a boat load of fake emails pretending to be coinbase.  Be Aware!