This credential phishing attack features an impersonation of Coinbase. Using official-sounding language that mimics authentic communications from Coinbase, the attacker claims that the recipient's account is restricted. In order to regain access, the target must confirm their information using a sign-in link, which likely leads to a fraudulent landing page. If the recipient clicks the link and enters their login credentials, sensitive information will likely be at risk. To increase the appearance of legitimacy and attempt to trick the recipient, the attacker uses "Coinbase" as the sender display name and includes footer information at the bottom of the email that looks similar to official Coinbase customer support emails. 

Legacy security tools have trouble identifying this email as an attack because they cannot detect newly registered domains, recognize an unknown sender, or assess the safety of inline links. Modern, AI-powered email security solutions analyze the sender's domain and the inline links and detect advanced spoofing attempts, allowing them to identify this email as an attack accurately.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Domain Age: The sender's domain is only two months old. Legacy security tools may not have updated information about newly registered domains, allowing the email to bypass their filters.
  • Unknown Sender: The email is from an unknown sender that the company has never received emails from in the past. Legacy security tools may be unable to track and flag emails from unknown senders.
  • Malicious Link: The email contains a link that could potentially lead to a malicious website. Legacy security tools may be unable to check links' safety in real time, allowing the email to bypass their filters.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Advanced Spoofing Detection: Abnormal's AI detects sophisticated spoofing techniques. In this case, it identified the message, sent from an address that does not belong to Coinbase, as a spoofed account suspension notification.
  • Domain Age Analysis: Abnormal's AI checks the age of the sender's domain. In this case, it flagged the email because the sender's domain is only two months old, a common characteristic of malicious domains.
  • Link Analysis: Abnormal's AI checks the safety of links in real time. In this case, it flagged the email because it contained a link that could potentially lead to a malicious website.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
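The three signals listed above (domain age, unknown sender, link safety) plus the display-name mismatch can be combined into a simple scoring check. The code below is an added example, not Abnormal's detection logic: the registration dates, the list of previously seen sender domains, the brand-to-domain mapping, the fixed "today" date and the sample message are all constructed placeholders standing in for WHOIS data, the organization's mail history and a live link reputation service.

```python
"""Score an inbound email on the indicators the write-up names.

Added example; not Abnormal Security's code. Every data table below is a
constructed stand-in for a real lookup (WHOIS, sender history, brand list).
"""
import re
from dataclasses import dataclass, field
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-in for a WHOIS / registration-date lookup.
DOMAIN_REGISTERED = {
    "coinbase.com": date(2012, 3, 1),
    "coinbase-support-verify.example": date(2023, 7, 15),
}
# Constructed stand-in for the organization's sender history.
KNOWN_SENDER_DOMAINS = {"coinbase.com", "partner.example"}
# Brand display names and the domains allowed to use them (constructed).
BRAND_DOMAINS = {"coinbase": {"coinbase.com"}}

TODAY = date(2023, 9, 20)   # fixed so the example is deterministic
NEW_DOMAIN_DAYS = 90        # "only two months old" falls under this


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)


def registrable(host):
    """Crude last-two-labels rule; a real system uses the public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_age_days(domain, today=TODAY):
    """Days since registration, or None when the domain is not in the table."""
    reg = DOMAIN_REGISTERED.get(domain)
    return None if reg is None else (today - reg).days


def extract_links(body):
    return re.findall(r"https?://[^\s\"'<>]+", body)


def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1])
    brand = display.strip().lower()
    v = Verdict()

    # 1. Domain age: newly registered (or unknown) sender domain.
    age = domain_age_days(sender_domain)
    if age is None or age < NEW_DOMAIN_DAYS:
        v.score += 3
        v.indicators.append(f"new_domain:{sender_domain}:{age}")

    # 2. Unknown sender: the organization has never received mail from it.
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        v.score += 2
        v.indicators.append(f"unknown_sender:{sender_domain}")

    # 3. Display name claims a brand the sending domain does not own.
    if brand in BRAND_DOMAINS and sender_domain not in BRAND_DOMAINS[brand]:
        v.score += 3
        v.indicators.append(f"brand_spoof:{brand}:{sender_domain}")

    # 4. Links that lead away from the claimed brand's domain.
    for url in extract_links(msg.get_payload()):
        host = registrable(urlparse(url).hostname or "")
        if brand in BRAND_DOMAINS and host not in BRAND_DOMAINS[brand]:
            v.score += 2
            v.indicators.append(f"offbrand_link:{host}")
    return v


# Constructed sample modelled on the message described in the write-up.
SAMPLE = """From: Coinbase <support@coinbase-support-verify.example>
To: recipient@corp.example
Subject: Action required: your account has been restricted
Content-Type: text/plain

Your account has been restricted. Sign in to confirm your information:
https://coinbase-support-verify.example/signin
Coinbase Customer Support
"""

if __name__ == "__main__":
    verdict = analyze(SAMPLE)
    print(verdict.score, verdict.indicators)
```

Running the block scores the constructed sample on all four indicators; replacing the look-alike domain with coinbase.com throughout drops the score to zero, which is the "established normal behavior" baseline the paragraph above refers to.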

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Maliciously Registered Domain
  • Theme: Cryptocurrency
  • Impersonated Party: Brand
  • Impersonated Brands: Coinbase
