Impressive Coinbase Phish (except for that return address)

Threat actors use phishing attacks to force their targets to take some action. I recently wrote a post about reporting on CNBC that documented attacks against Coinbase customers with horrific (for the target) results. Today I received a rather well-constructed phish message, allegedly from Coinbase.

Email from supportinhotint@wordfily.com

The “Verify my identity” link in the center of the email message points at the URL “h44ps://47d557ad-2c39-406e-851b-f9c42de1d1b2.h6.conves.io/justlikethat/”. That was interesting in that the URL contained the string “justlikethat”, making me think that the person who created this is a native English speaker. See below for the VirusTotal assessment of that URL.
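The two giveaways in this message, a sender domain and a link host that have nothing to do with Coinbase, can be checked mechanically. The following is an added example, not part of the original post: the sample message is constructed (only the sender address and the defanged link come from the post; the display name, subject and body wording are made up), and the brand-to-domain table is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sender address and defanged link are from the post,
# the display name, subject and body wording are invented for the example.
SAMPLE = """\
From: Coinbase Support <supportinhotint@wordfily.com>
Subject: Action required
Content-Type: text/plain

Verify my identity: h44ps://47d557ad-2c39-406e-851b-f9c42de1d1b2.h6.conves.io/justlikethat/
"""

# Assumption: domains the claimed brand legitimately sends from and links to.
BRAND_DOMAINS = {"coinbase": {"coinbase.com"}}

# Accepts normal and defanged schemes (http, hxxps, h44ps, ...) and captures
# only the host, so a defanged link is never turned back into a live one.
LINK_RE = re.compile(r"\bh[a-z0-9]{2}ps?://([A-Za-z0-9.-]+)", re.I)


def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_message(raw):
    """Return (kind, brand, value) findings for brand/sender/link mismatches."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Assumption: text parts are not base64/quoted-printable encoded.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    claims = " ".join([display, msg.get("Subject", ""), body]).lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claims:
            continue  # message does not present itself as this brand
        if not any(in_domain(sender_domain, d) for d in domains):
            findings.append(("sender_mismatch", brand, sender_domain))
        for host in LINK_RE.findall(body):
            if not any(in_domain(host, d) for d in domains):
                findings.append(("link_mismatch", brand, host.lower()))
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

A suffix match on the registered domain, rather than a substring match, is what keeps a host such as `coinbase.com.example.net` from passing the check.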