What's this? A phishing email that doesn't get any spelling or grammar wrong? Impressive.

The URL included in the email has a redirect to:

https://newkste66f02.s3.amazonaws.com/44b5cfb3.html

Which just has this in the HTML:

```
window.location.assign("https://jademountains.net/s2");
```

Which redirs with an appended slash:

https://jademountains.net/s2/

Which redirs to

https://coinbase-v3teamapp.com/signin/consent_challenge=ca1ccf26-a61b-4133-952d-aba54aa249a9

Which isn't a legit coinbase domain -- URL registered today. Which resolves to a blank page with a single javascript payload:

https://coinbase-v3teamapp.com//static/js/main.401607d2.js

Which appears to be a React app, which then ultimately triggers a load of this URL, which includes a list of desired OAuth scopes:

https://login.coinbase.com/oauth2/auth?response_type=code&client_id=${e.data.data.clientId}&redirect_uri=${e.data.data.redirectURI}&account=all&scope=wallet:accounts:read,wallet:accounts:update,wallet:accounts:create,wallet:accounts:delete,wallet:addresses:read,wallet:addresses:create,wallet:buys:read,wallet:buys:create,wallet:deposits:read,wallet:deposits:create,wallet:notifications:read,wallet:payment-methods:read,wallet:payment-methods:delete,wallet:payment-methods:limits,wallet:sells:read,wallet:sells:create,wallet:transactions:read,wallet:transactions:send,wallet:transactions:request,wallet:transactions:transfer,wallet:user:read,wallet:user:update,wallet:user:email,wallet:withdrawals:read,wallet:withdrawals:create,offline_access

Which, cleaned up, is this:

wallet:accounts:read
wallet:accounts:update
wallet:accounts:create
wallet:accounts:delete
wallet:addresses:read
wallet:addresses:create
wallet:buys:read
wallet:buys:create
wallet:deposits:read
wallet:deposits:create
wallet:notifications:read
wallet:payment-methods:read
wallet:payment-methods:delete
wallet:payment-methods:limits
wallet:sells:read
wallet:sells:create
wallet:transactions:read
wallet:transactions:send
wallet:transactions:request
wallet:transactions:transfer
wallet:user:read
wallet:user:update
wallet:user:email
wallet:withdrawals:read
wallet:withdrawals:create
offline_access

Which is, I'd assume, basically everything, including the ability to withdraw:

wallet:withdrawals:read
wallet:withdrawals:create

Before ultimately ending up at what appears to be a coinbase-owned domain:

https://login.coinbase.com/signin?client_id=c300bb46-07f8-4257-9760-a892c704a8b6&oauth_challenge=5f5f78d5-7e10-4d4e-8ba4-11dc2e27af28

```
$ dig -t A coinbase.com +short
104.18.35.15
172.64.152.241
$ dig -t A login.coinbase.com +short
172.64.152.241
104.18.35.15
```

The OAuth bits of the URL tell me that this must be a third-party Coinbase app. Can't find an easy way to map that client ID of

c300bb46-07f8-4257-9760-a892c704a8b6

back to an app page though to report it.

What the hell. I'll bite. I don't have anything in Coinbase anymore. Let's see if I can't get the actual app and report it.

Logging in... SMS 2-factor, Email 3rd factor.

Aaaaaand BINGO. The third-party app is named

"Third Party: Support"

However, searching for that in Coinbase's app search yields... nothing. Great job, Coinbase.

Okay, how do I go about reporting this to them? Looks like there's a chat option. Fine. Gonna use this post as my description of what's going on.

#coinbase #phishing #web3 #web3isgoinggreat #cryptocurrency
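The walk through the redirect chain and the scope list above can be done without a browser. The script below is an added example, not code from the poster: it follows HTTP 3xx hops and extracts static JavaScript or meta-refresh redirects from HTML by regex (never executing the page), then parses the `scope` parameter of the final OAuth authorization URL and flags the scopes that move money or keep access after logout. The hosts, client ID and page bodies are constructed placeholders fed through an injected `fetch` callable so it runs offline; the `HIGH_RISK_SCOPES` set is an assumed triage list built from the scope names in the thread, not anything Coinbase publishes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scopes that let a consenting app move funds or retain access after the user
# logs out. Constructed triage list for this example, drawn from the scope
# names requested by the phishing app; adjust for your own platform.
HIGH_RISK_SCOPES = {
    "wallet:withdrawals:create",
    "wallet:transactions:send",
    "wallet:transactions:transfer",
    "wallet:buys:create",
    "wallet:sells:create",
    "wallet:payment-methods:delete",
    "offline_access",
}

# Static redirect forms commonly found in landing pages:
# window.location.assign("..."), location.replace('...'), location.href = "..."
JS_REDIRECT_RE = re.compile(
    r"""(?:location(?:\.href)?\s*=\s*|location\.(?:assign|replace)\s*\(\s*)["']([^"']+)["']"""
)
# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH_RE = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=([^"'>\s]+)""", re.IGNORECASE
)


def extract_redirect_target(html):
    """Return the first static redirect target found in an HTML body, or None.
    The page is only pattern-matched, never executed."""
    m = JS_REDIRECT_RE.search(html) or META_REFRESH_RE.search(html)
    return m.group(1) if m else None


def follow_chain(start_url, fetch, max_hops=10):
    """Walk a redirect chain without a browser.

    `fetch(url)` is an injected callable returning (status, location_header, body).
    3xx responses follow the Location header; 200 responses are scanned for a
    static JS/meta redirect. Returns the ordered list of URLs visited.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if 300 <= status < 400 and location:
            nxt = location
        elif status == 200:
            nxt = extract_redirect_target(body or "")
            if nxt is None:
                break
        else:
            break
        if nxt in chain:  # loop guard
            break
        chain.append(nxt)
        url = nxt
    return chain


def oauth_scopes(url):
    """Split the `scope` query parameter of an OAuth authorization URL into a
    list; both comma- and space-separated scope lists are handled."""
    qs = parse_qs(urlsplit(url).query)
    raw = " ".join(qs.get("scope", []))
    return [s for s in re.split(r"[,\s]+", raw) if s]


def risky_scopes(url):
    """Requested scopes that fall in HIGH_RISK_SCOPES, in request order."""
    return [s for s in oauth_scopes(url) if s in HIGH_RISK_SCOPES]


# --- constructed sample chain: placeholder hosts and client ID, not real infrastructure ---
AUTH_URL = (
    "https://login.example-exchange.test/oauth2/auth?response_type=code"
    "&client_id=00000000-0000-4000-8000-000000000000"
    "&redirect_uri=https%3A%2F%2Flure.example.test%2Fcb"
    "&scope=wallet:accounts:read,wallet:transactions:send,"
    "wallet:withdrawals:read,wallet:withdrawals:create,offline_access"
)
SAMPLE_PAGES = {
    "https://bucket.example.test/a.html": (
        200, None, '<script>window.location.assign("https://lure.example.test/s2");</script>'),
    "https://lure.example.test/s2": (301, "https://lure.example.test/s2/", ""),
    "https://lure.example.test/s2/": (302, AUTH_URL, ""),
    AUTH_URL: (200, None, "<html>consent page</html>"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; returns the constructed responses above."""
    return SAMPLE_PAGES.get(url, (404, None, ""))


def triage(start_url, fetch=fake_fetch):
    """Follow the chain and report the high-risk scopes requested at its end."""
    chain = follow_chain(start_url, fetch)
    return {"chain": chain, "final": chain[-1], "risky": risky_scopes(chain[-1])}


if __name__ == "__main__":
    report = triage("https://bucket.example.test/a.html")
    for hop in report["chain"]:
        print(hop)
    print("high-risk scopes:", report["risky"])
```

To run it against a live URL, replace `fake_fetch` with a function that issues a request with redirects disabled and returns the status, `Location` header and body; keeping the fetcher injectable is what makes the chain logic testable without touching the network.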


Chat told me to email [email protected] with the full phishing email. Sent them an .eml file along with a link to this thread.

There. I did my good deed for the day. I despise what #cryptocurrency has become, but I also despise scammers that seek to steal from those they can fool.

#coinbase #web3 #web3isgoinggreat

Whelp, six hours later and the OAuth client is still active :( Odds are good that, at this point, most of the victims have been successfully phished. You really need fast response times to get ahead of these campaigns. #web3isgoinggreat

#coinbase #cryptocurrency #phishing #web3

Looks like the original client ID is taken care of, but the phishers just cycle through clients -- still with the same display name, mind you:

19fdc124-ddf3-4c5f-bdaf-4d5a079b9c2b

Third Party: Support

#Coinbase, maybe you shouldn't be allowed to spin up OAuth apps without human approval in the loop. Or at least, disallow display names like "Third Party: Support".

The underlying infrastructure these scammers are using is still the same. Coinbase could make a point of automatically monitoring it and auto-banning any client ID they use.

Maybe I'll do that myself, just to prove a point.

#cryptocurrency #web3 #Web3isgoinggreat
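The two signals raised above, a support-impersonating display name and the same name reappearing under a fresh client ID once the old one is disabled, are simple to check at registration or in a periodic review. The code below is an added example and not anything from the poster or the platform: it normalizes display names (Unicode compatibility forms, case, punctuation) so that variants of "Third Party: Support" compare equal, matches them against an assumed denylist of impersonation terms, and clusters registrations by normalized name and redirect host to flag clients created shortly after one another. The registrations, client IDs and hosts are constructed placeholders.

```python
import re
import unicodedata
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Terms a third-party app should not be allowed to carry in its display name.
# Constructed denylist for this example; a real policy would add brand names.
IMPERSONATION_TERMS = {"support", "helpdesk", "security team", "official", "verification"}


def normalize_name(name):
    """Fold case, Unicode compatibility forms and punctuation so that
    'Third Party: Support' and 'third party\uff1asupport' compare equal."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = re.sub(r"[^\w\s]", " ", s)  # punctuation becomes whitespace
    return re.sub(r"\s+", " ", s).strip()


def impersonates(name):
    """True if the normalized display name contains an impersonation term."""
    n = normalize_name(name)
    return any(term in n for term in IMPERSONATION_TERMS)


def review_registrations(registrations, window=timedelta(hours=24)):
    """Return findings for a batch of third-party app registrations.

    Each registration is a dict with client_id, display_name, redirect_uri and
    created (datetime). Findings are tuples:
      ("impersonating_name", client_id)
      ("rotated_client", new_client_id, previous_client_id)
    """
    findings = []
    clusters = defaultdict(list)
    for r in registrations:
        if impersonates(r["display_name"]):
            findings.append(("impersonating_name", r["client_id"]))
        key = (normalize_name(r["display_name"]), urlsplit(r["redirect_uri"]).hostname)
        clusters[key].append(r)
    # Same name + same redirect host registered again within the window: rotation.
    for regs in clusters.values():
        regs.sort(key=lambda r: r["created"])
        for prev, cur in zip(regs, regs[1:]):
            if cur["created"] - prev["created"] <= window:
                findings.append(("rotated_client", cur["client_id"], prev["client_id"]))
    return findings


# Constructed sample batch: placeholder UUIDs and hosts, not real registrations.
SAMPLE_REGISTRATIONS = [
    {"client_id": "00000000-0000-4000-8000-000000000001",
     "display_name": "Third Party: Support",
     "redirect_uri": "https://lure.example.test/cb",
     "created": datetime(2023, 1, 1, 9, 0)},
    {"client_id": "00000000-0000-4000-8000-000000000002",
     "display_name": "Portfolio Tracker",
     "redirect_uri": "https://tracker.example.test/oauth",
     "created": datetime(2023, 1, 1, 10, 0)},
    {"client_id": "00000000-0000-4000-8000-000000000003",
     "display_name": "third party\uff1asupport",  # fullwidth colon variant
     "redirect_uri": "https://lure.example.test/callback",
     "created": datetime(2023, 1, 1, 15, 0)},
]

if __name__ == "__main__":
    for finding in review_registrations(SAMPLE_REGISTRATIONS):
        print(finding)
```

The redirect host is part of the cluster key because a rotated client has to keep pointing at infrastructure the attacker controls; a rule keyed on display name alone would also fire on unrelated apps that happen to share a generic name.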

Well, so long as the scammers keep using their existing infrastructure, all you gotta do to get the latest client id is this:

```
curl -s "https://team.otpverifys.com/api-cb/dont-touch-api" | jq ".data.clientId"
```

@aspensmonster Then Coinbase will go after you instead of everybody using them to scam.
@drwho The thought did cross my mind.