Impressive Coinbase Phish (except for that return address)

Threat actors use phishing attacks in order to force their targets to take some action. I recently wrote a post about reporting on CNBC that documented attacks against Coinbase customers with horrific (for the target) results. I received a rather well constructed phish message today allegedly from Coinbase.

EMail from

The “Verify my identity” link in the center of the email message points at the URL “h44ps://”. That was interesting in that the URL contained the string “justlikethat“; making me think that the person who created this is a native English speaker. See below for Virustotal assessment of that URL.