Security PSA: Phishing Search Engines | by Coinbase | July, 2022
tl;dr: Search engine phishing takes advantage of our trust in search engines and the convenience of searching for a site instead of remembering its domain. The following piece explains what search engine phishing attacks can look like and how Coinbase users can avoid them.
by the Coinbase Security Team
How do you log into Coinbase? If you’re like many people, you open your favorite browser and type “coinbase” or “coinbase login” into the address bar. You expect to get results like this:
But sometimes you may get results like this:
The second set of screenshots shows an example of a phishing link. This is called search engine phishing and has become a trend for attackers targeting Coinbase accounts.
When most people think of phishing, email or SMS phishing comes to mind. However, phishing can take many forms. Search engine phishing takes advantage of our trust in search engines and the convenience of finding something, instead of remembering the domain.
We all do this, but it opens us up to potential search engine phishing attacks if we’re not diligent about checking our links and protecting ourselves online. Here are some tips to prevent this from happening to you:
Coinbase uses a similar naming convention for our websites and pages. The convention follows this pattern: [page].coinbase.com. For example, here are some of our pages:
One way to avoid this type of scam is to bookmark the Coinbase pages above that you frequent. Bookmarking eliminates the need to search for a domain name or type it in manually. Here’s a quick tutorial on how to create bookmarks in the most popular browsers.
One has to put in a good amount of work to get their website ranked high in the search engine results. This is called Search Engine Optimization (SEO), which is the process of improving the traffic from search engines to the website. Some website services, including Google Sites and Microsoft Azure, provide built-in SEO functionality.
As seen in the screenshot above, attackers take advantage of website services like Google Sites and Microsoft Azure to build a false sense of trust in phishing links. Naming conventions can follow one of the following patterns:
These phishing websites will usually redirect the victim to a second phishing page once the victim clicks a button on the site; the actual credential theft takes place on that second page. Using a second phishing site is a way for attackers to protect the first site and maintain its SEO ranking, so treat a redirect as a sign that you may be visiting a phishing website. A typical flow might look like this:
Here are some indicators you can look for to protect against search engine phishing:
- Does the domain of the search result follow the pattern [page].coinbase.com? If not, it’s probably a phishing page.
- When you click on a search result, are you redirected to a website with a different domain than you expected? If so, it’s probably a phishing page.
- When you click on a search result, does the website look different than the last time you logged into Coinbase? If so, it could be a phishing page that is using an older version of our website theme.
- When you visit a website from the search results and click a button, are you redirected to a website with a different domain from the first page? If so, it’s probably a phishing page.
- After entering your credentials, are you prompted to call Coinbase due to some sort of error? Does a live chat box open automatically? This strategy is commonly combined with phishing attacks and is known as an “endorsement scam” attack.
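As an added example (not code from the Coinbase post), here is a Python check that applies the first, second and fourth indicators above: it accepts a host only if it is coinbase.com or a subdomain matching the [page].coinbase.com pattern, and it flags a click-through chain whose hops leave the domain of the original search result. The hostnames in the sample chains are constructed placeholders, not real indicators.

```python
from urllib.parse import urlsplit

# The legitimate pattern described in the post: [page].coinbase.com (or coinbase.com itself).
TRUSTED_DOMAIN = "coinbase.com"


def is_trusted_host(url: str) -> bool:
    """True only if the URL is HTTPS and its host is coinbase.com or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    # A substring test ('"coinbase.com" in url') is the classic mistake: it accepts
    # coinbase.com.example.net and example.net/coinbase.com. Match on label boundaries.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def registrable_domain(url: str) -> str:
    """Last two DNS labels of the host, e.g. sites.example-hosting.com -> example-hosting.com.
    (Names under public suffixes such as co.uk would need a suffix list; out of scope here.)"""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return ".".join(host.split(".")[-2:])


def check_redirect_chain(chain: list[str]) -> list[str]:
    """Warnings for the URLs a click passed through (chain[0] is the search result)."""
    if not chain:
        return ["empty chain"]
    warnings = []
    if not is_trusted_host(chain[-1]):
        warnings.append(f"final page {chain[-1]} is not a {TRUSTED_DOMAIN} page")
    first = registrable_domain(chain[0])
    for hop in chain[1:]:
        if registrable_domain(hop) != first:
            warnings.append(f"redirected off {first} to {hop}")
            break
    return warnings


# Constructed sample chains (hypothetical hosts chosen for illustration only).
LEGIT = ["https://www.coinbase.com/signin"]
LOOKALIKE = ["https://login.coinbase.com.example-login.net/"]
HOSTED_THEN_REDIRECT = [
    "https://sites.example-hosting.com/view/coinbase-login",
    "https://coinbase-support.example-site.net/login",
]

if __name__ == "__main__":
    for name, chain in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("hosted", HOSTED_THEN_REDIRECT)]:
        print(name, check_redirect_chain(chain) or "ok")
```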
Here’s an example of what a scam error might look like and a live chat box that might follow the error:
Remember, think before you click! Our US support phone number is 1-888-908-7930. You can find other ways to contact us at help.coinbase.com. If you have doubts about activity on the “Coinbase” website, visit our support page and start a conversation with our support team there.
We’re constantly monitoring the Internet to identify and remove phishing domains, but we need your help. Please help us by reporting any suspicious domains to [email protected].