Coinbase Cyberattack Targeted Employees Via Fake SMS Alert

According to the Coinbase cryptocurrency exchange platform, an unfamiliar threat actor efficiently stole one of its employees’ login details to gain remote access to the company’s system and wanted to hack all the necessary information.

As per the company, the hacker obtained contact information related to multiple Coinbase employees. Whereas the customer finds and data remained unaffected.

“Coinbase cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was caught”. Coinbase

Coinbase wanted to be aware of other companies to take active measures to prevent themselves from such attacks.

Attack Details

On Sunday, the attacker tried to get information by sending a fake message. The attacker targeted several employees with SMS alerts notifying them to log in to their company accounts to read an important message.

In addition, a few employees ignored the message, whereas one of them fell for the trick and followed the instructions.

After entering the credentials attacker thanked them and prompted them to disregard the message.

After getting the login credentials, the attacker made an attempt to enter Coinbase’s internal system using the available login. Fortunately, he failed because access was not easy and protected with multi-factor authentication (MFA).

Hardly 20 mins later, the atta Ker tried another strategy and called the employees to say that we were from the Coinbase IT team and instructed the victim to log into their workstation and follow the instructions.

“Fortunately, no funds were taken AMD no customer information was accessed or reviewed. But some limited contact information for our employees was taken. Specifically employee’s name, email addresses, and some contact details”.

Coinbase’s CSIRT detected the unusual activity within 10 minutes of getting the message. In addition, they contacted the victim to inquire about unusual recent activities from their account.

Later, the employees realized something was fishy and terminated communications with the attacker.

Guideline To Protect From Attack

Coinbase has shared some of the observed TTPs to help other companies to identify a similar attack and defend against it:

Web traffic from the company’s technology assets to specific addresses such as SSO.com, login.-sso.com, and dashboard.com

Incoming calls from specific providers, including Skype, Vonage, Bandwidth, and Google Voice
Any expected attempts to install any software/app or any browser extension, including EditThisCookie

Additional Coinbase theme domains that match the company’s description discovered by Will Thomas of the Equinix Threat Analysis Centre(ETAC), and they may have been used in the attack:

sso-cbhq[.]com
sso-cb[.]com
coinbase[.]sso-cloud[.]com

According to the cybersecurity company Group-IB, the threat performer stole almost 1,000 corporate access logins by sending phishing links over SMS to the company workforce.

However, companies’ employees responsible for managing digital assets and possessing a solid online presence are bound and targeted by social engineering actors at any point.

Alas, by employing a multi-layered defense, an attack can be sufficiently complex for most threat actors to give up. MFA protection implementation and physical security token usage can help safeguard both consumer and corporate accounts.

Read more:

India’s Tata Power confirms Cyberattack on its IT Infrastructure

Israel & Iran squaring off once again after Israel’s cyberattack disrupts Iran’s nuclear facility