
Coinbase Cyberattack: Employee Login Credentials Stolen in Phishing Attempt

Coinbase, a leading cryptocurrency exchange platform, has disclosed a cyberattack where an unknown threat actor stole the login credentials of one of its employees in an attempt to gain remote access to the company’s systems. This incident highlights the need for robust cybersecurity measures to prevent such attacks.

Details on Coinbase Cyberattack

The attacker targeted several Coinbase engineers on Sunday, February 5th, using SMS alerts urging them to log into their company accounts to read an important message. One employee fell for the trick and followed the link to a phishing page, where they entered their credentials. Although the employee was prompted to disregard the message after submitting their information, the attacker had already obtained the login credentials.

[Image: 0ktapus phishing attack. Source: Group-IB]

The attacker tried to log into Coinbase’s internal systems using the stolen credentials but failed because access was protected with multi-factor authentication (MFA). Afterward, the attacker called the employee, claiming to be from the Coinbase IT team, and directed the victim to log into their workstation and follow some instructions.

Coinbase’s CSIRT detected the unusual activity within ten minutes of the start of the attack and contacted the victim to ask about unusual recent activity from their account. The employee then realized something was wrong and terminated communications with the attacker. Fortunately, customer funds and data remained unaffected, and no direct system access was gained.

Impact on Coinbase Employees

As a result of the intrusion, the attacker obtained some contact information belonging to multiple Coinbase employees. “Only a limited amount of data from our corporate directory was exposed,” said Coinbase. Specifically, employee names, email addresses, and some phone numbers were taken.

Coinbase has shared the findings of their investigation to help other companies identify the threat actor’s tactics, techniques, and procedures (TTPs) and set up appropriate defenses.

Defending Against Coinbase Cyberattack

Coinbase has shared some of the observed TTPs that other companies could use to identify a similar attack and defend against it:

  • Monitoring any web traffic from the company’s technology assets to specific addresses, including sso-*.com, *-sso.com, login.*-sso.com, dashboard-*.com, and *-dashboard.com.
  • Keeping an eye on any downloads or attempted downloads of specific remote desktop viewers, including AnyDesk (anydesk[.]com) and ISL Online (islonline[.]com).
  • Being wary of attempts to access the organization from a third-party VPN provider, specifically Mullvad VPN.
  • Monitoring incoming phone calls/text messages from specific providers, including Google Voice, Skype, Vonage/Nexmo, and Bandwidth.
  • Being cautious of any unexpected attempts to install specific browser extensions, including EditThisCookie.
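The lookalike-domain and remote-desktop indicators listed above can be turned into a first-pass check over web proxy logs. The following is an added example, not code from Coinbase or from this article: the log format, the asset names and the `examplecorp` hosts are constructed, and it assumes the `*` wildcard stands for one run of hostname characters and that taking the last two labels is an adequate registrable-domain check for `.com` names.

```python
import re
from urllib.parse import urlsplit

# Indicators from the list above. Assumption: "*" matches one run of
# hostname characters (letters, digits, hyphens), not a dot.
LOOKALIKE_GLOBS = ["sso-*.com", "*-sso.com", "login.*-sso.com",
                   "dashboard-*.com", "*-dashboard.com"]
REMOTE_TOOL_DOMAINS = {"anydesk.com", "islonline.com"}

# Constructed sample proxy log: timestamp, asset, requested URL.
SAMPLE_PROXY_LOG = """\
2024-05-01T18:02:11Z ws-114 https://login.examplecorp-sso.com/auth
2024-05-01T18:02:40Z ws-114 https://www.examplecorp.com/benefits
2024-05-01T18:09:03Z ws-114 https://download.anydesk.com/AnyDesk.exe
2024-05-01T18:10:27Z ws-207 https://vendor-dashboard.com/
"""

def _glob_to_regex(glob):
    # Escape the literal parts, then expand the wildcard.
    return re.compile("^" + re.escape(glob).replace(r"\*", "[a-z0-9-]+") + "$")

LOOKALIKE_RES = [(g, _glob_to_regex(g)) for g in LOOKALIKE_GLOBS]

def registrable(host):
    # Naive last-two-labels rule; enough for the .com indicators here.
    return ".".join(host.split(".")[-2:])

def classify(url, allowlist=frozenset()):
    """Return the indicator tags a URL matches (empty list if none)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or host in allowlist or registrable(host) in allowlist:
        return []
    hits = []
    for glob, rx in LOOKALIKE_RES:
        if rx.match(host) or rx.match(registrable(host)):
            hits.append("lookalike:" + glob)
    if registrable(host) in REMOTE_TOOL_DOMAINS:
        hits.append("remote-tool:" + registrable(host))
    return hits

def scan(log_text, allowlist=frozenset()):
    """Return (timestamp, asset, tags) for every log line that matches."""
    alerts = []
    for line in log_text.splitlines():
        ts, asset, url = line.split(maxsplit=2)
        hits = classify(url, allowlist)
        if hits:
            alerts.append((ts, asset, hits))
    return alerts
```

Patterns this broad will also match legitimate third-party sites, so the `allowlist` argument is where known-good domains go; a lookalike hit followed by a remote-tool download from the same asset is the sequence worth escalating first.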

It is worth noting that the attacker’s modus operandi is similar to what was observed during the Scatter Swine/0ktapus phishing campaigns last year. According to cybersecurity company Group-IB, the threat actor stole almost 1,000 corporate access logins by sending phishing links over SMS to company employees.

Employees of companies that manage digital assets and have a strong online presence are bound to be targeted by social engineering actors at some point. Adopting a multi-layered defense can make an attack sufficiently challenging for most threat actors to give up. Implementing MFA protection and the use of physical security tokens can help protect both consumer and corporate accounts.

In conclusion, it’s crucial to stay vigilant and be wary of suspicious messages or phone calls, especially those that ask for login credentials.

John Greenwood
