Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed
Popular cryptocurrency exchange platform Coinbase disclosed that it experienced a cybersecurity attack that targeted its employees.
The company said its “cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information.”
The incident, which took place on February 5, 2023, resulted in the exposure of a “limited amount of data” from its directory, including employee names, e-mail addresses, and some phone numbers.
As part of the attack, several employees were targeted in an SMS phishing campaign urging them to sign in to their company accounts to read an important message.
One employee is said to have fallen for the scam, who entered their username and password in a fake login page set up by the threat actors to harvest the credentials.
“After ‘logging in,’ the employee is prompted to disregard the message and thanked for complying,” the company said. “What happened next was that the attacker […] made repeated attempts to gain remote access to Coinbase.”
These attempts to log in to the systems using the captured credentials proved to be unsuccessful owing to the multi-factor authentication protections that were enabled for the account.
Undeterred, the threat actor called the employee claiming to be from the Coinbase corporate Information Technology (IT) team and directed the individual to log into their workstation and follow a set of instructions.
“That began a back and forth between the attacker and an increasingly suspicious employee,” Coinbase explained. “As the conversation progressed, the requests got more and more suspicious.”
The company said it was alerted within the first 10 minutes of the attack and that its incident responders reached out to the victim to inquire about the suspicious activity from their account, prompting the person to sever all communications with the adversary.
Coinbase did not elaborate on the exact instructions the threat actor gave to the employee, but urged other companies to be on the lookout for potential attempts to install remote desktop software such as AnyDesk or ISL Online as well as a legitimate Google Chrome extension called EditThisCookie.
It also warned of incoming phone calls and text messages from specific providers like Google Voice, Skype, Vonage/Nexmo, and Bandwidth.
Coinbase further noted that the attack is likely linked to the sophisticated phishing campaign known as 0ktapus (aka Scatter Swine) that targeted over 130 companies, including Twilio, Cloudflare, MailChimp, and Signal, among others, last year.