Bitcoin Forum
Topic: Fake Coinbase Email Scam (Read 770 times)
cconrad0825 (OP)
April 08, 2015, 07:13:20 PM
 #1

I got this today from news@Coinbase.com. BEWARE. Obvious scam afloat

Quote
In This Issue:
        Get 150% profit with Coinbase Invest Fund

Dear cconrad0825,

We're happy to announce a new product - Coinbase Invest Fund, reliable platform for
small and medium scale investments. Fund assets are diversified among emerging Forex
positions at Coinbase Exchange. Deposits are risk-free insured by institutions such as the New
York Stock Exchange.

Want to become a professional investor?
Our first short-term investment program starts today - GET 150% FOR A 10-DAY DEPOSIT.

Investment offer is active from 20th of April 12:00 AM Pacific until 30th of April.
Coinbase offers you a fixed return with a 50% growth for a 10 day period.
You can deposit today from $100. Maximum deposit amount per one person
or legal entity is 60 Bitcoins. That's an astonishing opportunity to earn up to $8,500 per 10 days!

Investors who want to apply, please make a deposit to

         19myGCgPiNgcGZMVUHZGNQo3QmSkJUsNEJ or click the link below
         https://blockchain.info/qr?data=19myGCgPiNgcGZMVUHZGNQo3QmSkJUsNEJ&size=400

Once a payment is made you will get an e-mail about successful participation.
Please note: Initial deposit amounts exceeding +30 Bitcoins will qualify your membership for a 2nd level upgrade.

We will return your initial deposit with dividends on 1st of May, 2015 12:00 AM Pacific Time.
(for example: investing 10 Bitcoins today will return 15 Bitcoins in a 10 day period)
Profits are withdrawn without any delay and Coinbase waives all fees for 1st level investments.

Hurry up! This is a limited, one-time opportunity.

Kind regards,
The Coinbase Invest Fund Team

Do not reply to this e-mail
daviducsb
April 08, 2015, 07:25:44 PM
 #2

I got one too. Newbies beware!
kseistrup
April 08, 2015, 07:33:30 PM
 #3

I got one, too.

The bad thing is that the sender has managed to get SPF and DKIM right because the email has been sent through Sendgrid:

Code:
Received: from o1.em.coinbase.com (o1.em.coinbase.com. [50.31.37.137])

Code:
Received: from o1.em.coinbase.com (o1.em.coinbase.com. [50.31.37.137])
        by mx.google.com with ESMTPS id p13si266962icl.54.2015.04.08.11.49.44
        for <undisclosed@example.net>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Apr 2015 11:49:44 -0700 (PDT)
Received-SPF: pass (google.com domain of {UNDISCLOSED}@em.coinbase.com designates 50.31.37.137 as permitted sender) client-ip=50.31.37.137;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of {UNDISCLOSED}@em.coinbase.com designates 50.31.37.137 as permitted sender) smtp.mail={UNDISCLOSED}@em.coinbase.com;
       dkim=pass header.i=@coinbase.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=coinbase.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=coinbase.com;
h=content-type:mime-version:content-transfer-encoding:from:to:subject;
s=smtpapi; bh=mzFmpzK4RGa5/BW6ukZz8pgNqs8=; b=QCxwr642hzexeNV19i
R8Ui1ESMG1QJ7dvii3StPST9nuFdztnrXSdsWSt1x8W6x4cYgSmAgJ0QhSDwFyPP
Jmer3WqyWbTm5lh3QWJDnlgEtAtJPJIh7tXvhsIwl/s/Y2uaurdhdso5f6/A8HMw
zf99DP+mHtG+msY/S2ycwCYZE=

Real sender is probably

Code:
Received: from MTYwNDc2NQ (unknown [5.101.100.198])

which is a DigitalOcean customer.

Klaus Alexander Seistrup
cconrad0825 (OP)
April 08, 2015, 07:38:11 PM
 #4

Thanks for the follow-up info kseistrup. Is there a thread already about how you got that so others can do it for this and other suspicious emails?
kseistrup
April 08, 2015, 07:50:10 PM
 #5

Quote
Thanks for the follow-up info kseistrup. Is there a thread already about how you got that so others can do it for this and other suspicious emails?

Not really, I just looked in the raw email headers (the first two code sections), and did a “whois” lookup of the offending email address.  I don't know about Windows, but mostly anyone on Linux should be able to do that easily.

Klaus Alexander Seistrup
kseistrup
April 08, 2015, 07:54:56 PM
 #6

PS: The important thing here is that e.g. Gmail doesn't mark these emails as spam because both SPF and DKIM are legitimate.  Even the reverse DNS is correct (because of the Sendgrid relation).  The only thing about the email headers that gives this away is the Digital Ocean address.

(Of course the email is a blatant scam — I mean, if Coinbase could do a 50% profit in just 10 days they wouldn't need my money in the first place. Also, why do they ask me to send my investments to a Blockchain account? — but the email headers are well forged.)

Klaus Alexander Seistrup
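
The header check described in replies #3, #5 and #6, written out as an added Python example (not code from any poster): it reads the receiver's SPF/DKIM/DMARC verdicts, walks the Received chain, and flags a message that authenticates cleanly but was injected from an address outside the sender's expected networks. The `by relay.example` clause, the From and Subject lines and the `EXPECTED_SUBMITTERS` allowlist are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two Received "from" clauses and the pass verdicts
# are the fragments posted in the thread; "by relay.example", the second
# hop's date, From and Subject are placeholders.
RAW = """\
Received: from o1.em.coinbase.com (o1.em.coinbase.com. [50.31.37.137])
        by mx.google.com with ESMTPS; Wed, 08 Apr 2015 11:49:44 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass smtp.mail={UNDISCLOSED}@em.coinbase.com;
       dkim=pass header.i=@coinbase.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=coinbase.com
Received: from MTYwNDc2NQ (unknown [5.101.100.198])
        by relay.example with SMTP; Wed, 08 Apr 2015 18:49:40 +0000 (UTC)
From: news@coinbase.com
Subject: constructed sample

body
"""

# Assumption: networks the genuine sender submits mail from (stand-in range).
EXPECTED_SUBMITTERS = [ipaddress.ip_network("192.0.2.0/24")]
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def auth_verdicts(msg):
    """spf/dkim/dmarc results from every Authentication-Results header."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))

def received_hops(msg):
    """(helo, reverse_dns, ip) per Received header, newest hop first."""
    found = (HOP.search(h) for h in msg.get_all("Received", []))
    return [(m[1], m[2].rstrip("."), m[3]) for m in found if m]

def triage(raw, expected=EXPECTED_SUBMITTERS):
    """Flag mail that passes authentication but originates off-network."""
    msg = message_from_string(raw)
    verdicts, hops = auth_verdicts(msg), received_hops(msg)
    # The bottom Received line is the claimed origin. Hops below your own
    # MX are written by upstream relays, so treat them as hints only.
    helo, rdns, ip = hops[-1] if hops else (None, None, None)
    known = ip is not None and any(ipaddress.ip_address(ip) in n for n in expected)
    all_pass = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return {"auth": verdicts, "origin_ip": ip, "origin_rdns": rdns,
            "suspicious": all_pass and not known}
```

A whois lookup on the reported `origin_ip` is the manual step that ties the address to its hosting provider.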
Deathwing
April 08, 2015, 09:46:48 PM
 #7

Quick tip:

If it says "youremail before @, bla bla bla bla" it's probably spam. Always hover over a link if you aren't sure whether it's legit or not; for example, a blockchain link can be shown as blokchain.info, so make sure to double-check the address.
bernard75
April 08, 2015, 10:33:26 PM
 #8

Quote
Also, why do they ask me to send my investments to a Blockchain account?

What makes you think these are blockchain accounts?
You can generate a QR code through BC by simply adjusting the address: https://blockchain.info/qr?data=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&size=400
cassini
April 08, 2015, 11:42:42 PM
 #9

Quote
but the email headers are well forged.

Coinbase's Sendgrid account (their backup mail system) had been compromised, see
https://www.reddit.com/r/Bitcoin/comments/31wjt7/coinbase_scam_email_alert/
Cyrus
April 08, 2015, 11:45:43 PM
 #10

Duplicate post. Please continue discussion here: https://bitcointalk.org/index.php?topic=1017900.0
