CAUTION! - Coinbase Invest Fund Email Scam


#21

Here is the chat I had with them:

→Does Coinbase know there is an email going around about a 150% return in 10 days from Coinbase?
→I believe it to be fake and have posted it on several forums
→I can forward it to Coinbase if you need
Ben: Hi there, we are aware and the fraudulent emails should be blocked going forward
Ben: We’re deciding how to respond at the moment
Ben: There may be a blog post, I’m not quite sure yet
→Good deal…I’m glad to see that CB is aware of it
→I posted the body of the email and said to have caution if anyone received this email…seems many have got it
Ben: Yes, we appreciate your help in getting the word out!
→Any time. Seems the email originated from Coinbase, the BTC addy is personalized, looks like it’s been planned out….serious stuff…good luck and thank you for responding


#22

It’s a scam. The from address was spoofed. I received the email as well. Oddly enough it went to an email address for work that I don’t sign up with anything for. Very strange.

Here are the headers (sensitive information removed).

Received: from mail..com (192.168.1.18) by mail..com
(192.168.1.18) with Microsoft SMTP Server (TLS) id 15.0.1044.25 via Mailbox
Transport; Wed, 8 Apr 2015 12:12:03 -0700
Received: from mail..com (192.168.1.18) by mail..com
(192.168.1.18) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 8 Apr
2015 12:12:03 -0700
Received: from ..com (192.168.1.20) by mail..com
(192.168.1.18) with Microsoft SMTP Server id 15.0.1044.25 via Frontend
Transport; Wed, 8 Apr 2015 12:12:03 -0700
X-ASG-Debug-ID: 1428520311-03e26d648442650001-0cKmUS
Received: from mail13.ess.barracuda.com (mail13.ess.barracuda.com [64.235.145.9]) by ..com with ESMTP id gg7GPG8aVKU6qJMY for <
@.com>; Wed, 08 Apr 2015 12:11:51 -0700 (PDT)
X-Barracuda-Envelope-From: bounces+1604765-1c44-
=********.com@em.coinbase.com
X-Barracuda-RBL-Trusted-Forwarder: 64.235.145.9
Received: from o1.em.coinbase.com (o1.em.coinbase.com [50.31.37.137]) by mx1301.ess.scl.cudaops.com (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 08 Apr 2015 19:11:50 +0000
X-BESS-ID: 1428520310-320835-20785-1236-1
X-Barracuda-Apparent-Source-IP: 50.31.37.137
X-Barracuda-RBL-IP: 50.31.37.137
X-Barracuda-BBL-IP: 50.31.37.137
X-BESS-VER: 2.6.2-r1503311622
X-BESS-Apparent-Source-IP: 50.31.37.137
X-BESS-BRTS-Status: 1
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=coinbase.com;
h=content-type:mime-version:content-transfer-encoding:from:to:subject;
s=smtpapi; bh=2muEA06yJiMfPN3Qw96a6rcp/Fg=; b=cF2JQdxXnW1Xi6nulM
vbwp8fVwWSLUpQDBDMFjbzziJs8QFgxOJ3miSrczfqqzbTB21o+WQ5GZVpW39CA0
yDI87UIS1qaiGT5z2zkdDW8LrwWCmn4o3AX3uAd0Ir1naRwFZ95kdSy6JqL0RYB+
LXHc4DWhzN1YokI83cS15gHJ4=
Received: by filter0251p1mdw1.sendgrid.net with SMTP id filter0251p1mdw1.15991.55257D5AC
2015-04-08 19:11:49.516546703 +0000 UTC
Received: from MTYwNDc2NQ (unknown [5.101.100.198])
by ismtpd-002 (SG) with HTTP id 14c9a721215.40c2.9c
for <
@*.com>; Wed, 08 Apr 2015 19:11:49 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Coinbase news@coinbase.com
To: @.com
Subject: **********, We’ve got a message for You
Date: Wed, 8 Apr 2015 19:11:49 +0000
X-ASG-Orig-Subj: ********, We’ve got a message for You
Message-ID: 14c9a721215.40c2.9c@ismtpd-002
X-SG-EID: HjvhbMZlAInz7lFK5lV4IlrWToJ48EGwf8MmslogdhHdCu+ICYe1vyFqJQeS1Uucpj5hqszFUHns1N
k2EZuCUdijZNkamwE7QGXNEsBVsaDz1q7C5xHf2ZvnAH0uXzETZ3WR3jdgoOUoXYy9Ggn42FnLqflA
js0IY6z8je2Ed/k=
X-Barracuda-Connect: mail13.ess.barracuda.com[64.235.145.9]
X-Barracuda-Start-Time: 1428520311
X-Barracuda-URL: https://192.168.1.20:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at ********.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=5.0 KILL_LEVEL=8.0 tests=ADVANCE_FEE_1, INFO_TLD
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.17679
Rule breakdown below
pts rule name description


0.00 INFO_TLD URI: Contains an URL in the INFO top-level domain
0.00 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419)
Return-Path: bounces+1604765-1c44-=**.com@em.coinbase.com
X-MS-Exchange-Organization-Network-Message-Id: 31ef1b52-d083-4dbe-e8a5-08d2404707d3
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: mail.*******.com
X-MS-Exchange-Organization-AuthAs: Anonymous


#23

Looks like the email was sent through https://sendgrid.com/


#24

LOL @Daffy asked for all that (header) …I’m glad you know how to get all that info. I was like ummmm…uhhh OK I got the address! :flushed:


#25

Looks like the email originated from 5.101.100.198 which is a Netherlands IP with a reputation for spamming via email and forums.

This is definitely a scam.
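The bottom-up reading of the `Received` chain that posts #23 and #25 apply to the headers in post #22 can be scripted. This is an added example, not part of the original thread: the sample is abridged from the posted headers, `mx.example.com` is a placeholder for the redacted recipient host, and the function names `hops` and `summarize` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, abridged from the headers in post #22. The redacted
# recipient host is replaced by the placeholder mx.example.com.
SAMPLE = """\
Received: from mail13.ess.barracuda.com (mail13.ess.barracuda.com [64.235.145.9])
 by mx.example.com with ESMTP; Wed, 08 Apr 2015 12:11:51 -0700 (PDT)
Received: from o1.em.coinbase.com (o1.em.coinbase.com [50.31.37.137])
 by mx1301.ess.scl.cudaops.com; Wed, 08 Apr 2015 19:11:50 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=coinbase.com; s=smtpapi
Received: by filter0251p1mdw1.sendgrid.net with SMTP id filter0251p1mdw1.15991.55257D5AC
Received: from MTYwNDc2NQ (unknown [5.101.100.198])
 by ismtpd-002 (SG) with HTTP id 14c9a721215.40c2.9c; Wed, 08 Apr 2015 19:11:49 +0000 (UTC)
From: Coinbase <news@coinbase.com>
Subject: constructed sample

body
"""

HOP = re.compile(r"(?:from (?P<helo>\S+) \([^\[]*\[(?P<ip>[^\]]+)\]\) )?"
                 r"by (?P<by>[^\s;]+)(?: .*?with (?P<proto>[^\s;]+))?")

def hops(raw):
    """Received hops, oldest first (each relay prepends its own line)."""
    values = message_from_string(raw).get_all("Received", [])
    flat = (" ".join(v.split()) for v in reversed(values))  # unfold lines
    return [m.groupdict() for m in map(HOP.search, flat) if m]

def summarize(raw):
    msg, chain = message_from_string(raw), hops(raw)
    origin = next((h for h in chain if h["ip"]), {})
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim = d.group(1).lower() if d else None
    return {
        "origin_ip": origin.get("ip"),
        "origin_proto": origin.get("proto"),
        "relays": [h["by"] for h in chain],
        "from_domain": from_dom,
        # Claimed d= tag only; the signature is not verified here.
        "dkim_d": dkim,
        "dkim_matches_from": dkim is not None and from_dom == dkim,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the `Received` lines written by your own gateway are under your control; everything below them is reported by upstream systems and is only as reliable as those systems.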


#26

Hehe, piece of cake. Someday I’ll show you, young Padawan.


#27

This seems to indicate it’s a web page that is used to send out emails and then passed on to sendgrid. Strange that it is then rerouted through a Coinbase server.


#28

I would change PW or make sure 2fa is enabled JIC. I moved my hot coin out of Coinbase till I see how far this goes.


#29

Nope, Russian according to another website


#30

FYI:
Link to post on coinbase community


#31

Nope, that was when I started to lol.

@DirtFighter thanks :wink:

Cheers!


#32

Guys it looks like a lot of GAW customers received this as well. I realize it could be coincidence, but you never know. Any thoughts?
EDIT: I have an email address I have only used for GAW and nothing else, and I received a scam “CoinBase” email at that address.


#33

I think you might be on to something. …now that you said that, the email I use for Coinbase is not the email I received the scam at. I might have it as a secondary but the primary email is not the same…in my personal case


#34

This is what raised a red flag with me. I didn’t get it on my e-mail associated with Coinbase and Outlook didn’t move it to the Coinbase folder like legitimate e-mails I receive from them.


#35

It’s been so long since I used CB I forgot what email I use for them…I do get their blog at the same email I got the scam mail at…but when I make any transactions I get confirmation on a different email…either way, “Ben” in the CB support chat confirmed it is a fraudulent mail

Has anyone noticed if there has been an official statement from CB?


#36

I received this:

Hi there,
Earlier today, a spam email claiming to be from Coinbase was sent to some of our customers, announcing a “Coinbase Invest Fund”.
If you received this email, please disregard it. We apologize for any inconvenience this may have caused.
Note: This email in no way affects the safety of your Coinbase account, and no customer data was compromised.
If you have any questions, please don’t hesitate to contact support@coinbase.com.
Kind Regards,
Coinbase Security


#37

I received the same email from them as well.


#38

Maybe this was “someone’s” last hope of saving “something” by scamming a few thousand BTC.
After realizing it wasn’t going to work it was decided it’s finally over.


#39


#40

I did not read the entire contents of this thread, but if no one had definitive proof it is a scam, I got the same email over a week ago (April 9th) and contacted Coinbase as well. I received an answer back within a few hours stating it was a scam, and the next day an email went out to all customers stating it was a scam.

Alexander replied:

Hi there,
Thanks for reporting this to us. As you’ve probably figured out, the
email is NOT from Coinbase. We’ve looked into the issue and have
stopped all fraudulent email activity from the news@coinbase.com email address going forward. If you continue to see anything suspicious, please let us know.
The attack did not involve compromising any user data, so please rest
assured that your account and funds are secure. We do apologize for
any confusion this may have caused, and please let us know if you have
any further questions or concerns.
Regards