In this phishing attack, cybercriminals impersonate Coinbase, the well-known cryptocurrency exchange, and send a message with the subject line “Action Needed: Finish the Full Verification Procedure for Your New Payment from Binance.com.” The email originates from a malicious Gmail address and is intended to appear as a payment notification from Coinbase regarding a 0.9473 BTC transfer supposedly initiated by Binance. It urges the recipient to complete a transaction verification process within 24 hours to avoid the funds being returned. Attached to the email is a PDF claiming the recipient’s devices were linked to Binance’s platform by IP address and that they have passively earned 1.3426 BTC ($89,446.70) through cloud mining. The document prompts the target to click a “Continue” button, which redirects to a malicious website designed to steal sensitive information, such as login credentials or financial details. The attack is particularly deceptive due to its use of the Binance brand, precise financial figures, and the promise of unexpected earnings—all intended to exploit the recipient’s curiosity and urgency.

Older, legacy email security tools struggle to identify this email as an attack because it originates from a free webmail service whose domain is unlikely to be blacklisted, comes from a sender with no prior history, and carries no malware-laden attachment. Modern, AI-powered email security solutions flag that the sender domain does not match any of the domains linked in the message, detect links leading to suspicious domains, and recognize language commonly used in financial theft attempts, correctly identifying the email as an attack.

To protect against these types of threats, users should be wary of unexpected financial promises, especially when delivered via attachments or from non-corporate domains. Verifying claims through official channels and using modern, behavior-based email security tools are critical steps in defending against increasingly sophisticated phishing campaigns.


Fake request for verification to receive payment from crypto exchange Binance tries to trick users into providing sensitive information


Fake notification about BTC mining rewards via cloud mining

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Reputable Email Provider: The attacker sends from a free webmail service (here, Gmail), whose domain is rarely blacklisted and therefore passes basic reputation-based email filters.
  • Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
  • Lack of Malicious Attachments: The attached PDF carries only a link, not executable content, and the email contains no weaponized attachments such as HTML files, so antivirus and anti-malware systems focused on attachment-based threats have nothing to flag.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Financial Theft Language: The email uses wording typical of attempts to extract money from the recipient (an urgent payment verification, a 24-hour deadline, the threat of funds being returned), which Abnormal's content analysis and NLP models flag as potential financial fraud.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
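As an added example (not Abnormal's code or part of the original page), the following Python triage function applies the three indicators above to a constructed sample message: the free-webmail sender list, the lure phrase patterns, and the crude registered-domain logic are assumptions standing in for a vendor's reputation and NLP models.

```python
import re
from email import message_from_string
# Constructed heuristics standing in for the page's indicators; not Abnormal's models.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
FINANCIAL_LURE_PATTERNS = [
    r"\bverif(?:y|ication)\b.*\bpayment\b",  # "verification ... payment"
    r"\bwithin 24 hours\b",                   # artificial deadline
    r"\b\d+\.\d+ ?BTC\b",                     # precise crypto amounts
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (enough for .com-style hosts)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_domain(msg):
    """Registered domain of the From: address, ignoring the display name."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return registered_domain(match.group(1)) if match else ""

def body_text(msg):
    """Concatenate decoded text/plain and text/html parts (walk() also covers single-part mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw):
    """Return the page's indicators that fire for one RFC 5322 message string."""
    msg = message_from_string(raw)
    text, sender = body_text(msg), sender_domain(msg)
    link_domains = {registered_domain(h) for h in URL_RE.findall(text)}
    indicators = []
    if sender in FREE_WEBMAIL:
        indicators.append("free webmail sender")
    if link_domains and sender not in link_domains:
        indicators.append("sender/link domain mismatch")
    if any(re.search(p, text, re.IGNORECASE | re.DOTALL) for p in FINANCIAL_LURE_PATTERNS):
        indicators.append("financial theft language")
    return indicators

# Constructed samples: a lure modelled on the page's description, and a benign notice.
SAMPLE_PHISH = """From: "Coinbase Payments" <payments.notice@gmail.com>

You have an incoming transfer of 0.9473 BTC. Complete the verification of your payment
within 24 hours or the funds will be returned: https://verify-payment.example.net/continue
"""
SAMPLE_BENIGN = """From: "Example Bank" <alerts@example.com>

Your monthly statement is available at https://www.example.com/account
"""
```

Running `score_message` on the two samples yields all three indicators for the lure and none for the benign notice; a production pipeline would replace the domain heuristic with a public-suffix list and the phrase list with a trained classifier.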

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Fake Attachment, Free Webmail Account, Masked Phishing Link
Theme: Cryptocurrency
Impersonated Party: Brand
Impersonated Brands: Binance
