Comment by WatchDog
7 hours ago
So the emails had proper DKIM signatures.
Did the support agents have the ability to send arbitrary emails from commerce@coinbase.com? If not, how did the scammers send a properly signed email?
7 hours ago
So the emails had proper DKIM signatures.
Did the support agents have the ability to send arbitrary emails from commerce@coinbase.com? If not, how did the scammers send a properly signed email?
Yeah what is going on here?
What does this mean?
> While both amazonses.com and coinbase.com DKIM checks passed, this is exactly how phishing works—attackers can configure Amazon SES to send "from" coinbase.com
How does Amazon SES let you sign an email from a domain you don't control? Unless this means that somehow the scammer had access to DNS records for coinbase.com which indicates some really crazy compromise somewhere either of Coinbase or the DNS chain.
I'm very confused.
[dead]