In a new phishing campaign, cybercriminals are targeting Coinbase users and stealing their account credentials. Attackers attempt to drain their cryptocurrency wallets, Bitdefender Antispam Lab reports.
According to Bitdefender telemetry data, the phishing campaign started in mid-February and hit over 25,000 Coinbase users. Bitdefender reports that 69% of the phishing emails originated from India, 13.73% from Brazil, 10% from the US, and 2.33% from Japan.
When analyzing the final destination of the phishing emails, Bitdefender saw that the vast majority of targets were in South Korea. Other targeted countries included Sweden, Ireland, Japan, the United States, Great Britain, and Canada.
The campaign begins with a fake email notification that warns the victim of unusual activity in their Coinbase account and requires immediate verification to regain access to the platform.
“We recently detected an unusual activity on your Coinbase account,” the fraudulent email reads. “Unfortunately we had to suspend your coinbase in order to ensure the safety of your account… This suspension is temporary. We will need some additional information to verify your identity. Please visit the verification form to complete your identity verification and regain access to your coinbase account.”
Initial Coinbase phishing email
When users open the provided URL, the criminals show them a fake Coinbase login page that asks for their username and password. If users enter them, the credentials end up in the hands of the fraudsters.
In the report, the Bitdefender writer says the trend of impersonating cryptocurrency trading platforms to phish for users' personal information is likely to continue in 2021, and that in the future, threat actors may upgrade their tactics to include malicious payloads “that could expose recipients to additional threats or file-encrypting ransomware.”
Coinbase users are advised never to open such emails or click on any links in them. Those who’ve submitted their account login information by mistake are urged to go to the official Coinbase website and change the password immediately. They should also enable two-factor authentication as an additional security layer.
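The lure described above pairs Coinbase branding with a link that leads somewhere other than the official site, which a mail filter can check for. The following is an added example, not code from Bitdefender's report; the sample message, its sender, and its link hosts are constructed, and treating `coinbase.com` as the only official domain is an assumption.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "coinbase.com"  # assumption: the only domain treated as official
BRAND = "coinbase"

# Constructed sample message; sender and link hosts are placeholders.
SAMPLE = """\
From: Coinbase Support <support@mailer.example>
Subject: Unusual activity on your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>We recently detected an unusual activity on your Coinbase account.</p>
<p>Please visit the <a href="https://coinbase.com.verify.example/login">verification
form</a> or our <a href="https://www.coinbase.com/help">help pages</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def is_official(host):
    # Exact match or a true subdomain; "coinbase.com.verify.example" fails both.
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def suspicious_links(raw_message):
    """Return web links with a non-official host in mail that uses the brand."""
    msg = message_from_string(raw_message)
    branded = BRAND in (msg.get("From", "") + msg.get("Subject", "")).lower()
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        branded = branded or BRAND in body.lower()
        parser = LinkCollector()
        parser.feed(body)
        for url in parser.links:
            parts = urlsplit(url)
            if parts.scheme in ("http", "https") and not is_official(parts.hostname):
                found.append(url)
    return found if branded else []
```
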