
Crypto exchange giant Coinbase prevents cyber-attack, but employee data exposed

TL;DR

  • Crypto exchange Coinbase has reported a recent cyber attack that targeted one of its employees.
  • The attacker called the employee and claimed to be from Coinbase’s corporate Information Technology (IT) department, seeking the employee’s help.

Crypto exchange Coinbase has reported a recent cyber attack that targeted one of its employees, resulting in the theft of login credentials and the exposure of some contact information belonging to multiple employees. However, the company’s cyber controls prevented the attacker from gaining direct system access, and no customer data or funds were compromised.

“Coinbase recently experienced a cybersecurity attack that targeted one of its employees. Fortunately, Coinbase’s cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was exposed.”

Coinbase Team

How the attack occurred

According to Coinbase, on February 5, several employees received SMS messages indicating they urgently needed to log in to receive an important message. While most employees ignored the message, one employee clicked the link and entered their login information, thinking it was a legitimate message. The attacker, equipped with a legitimate Coinbase employee username and password, made repeated attempts to gain remote access to the company but could not provide the required Multi-Factor Authentication (MFA) credentials, which blocked their access.

Subsequently, the attacker called the employee and claimed to be from Coinbase’s corporate Information Technology (IT) department, seeking the employee’s help. The employee, believing the caller to be a legitimate Coinbase IT staff member, logged into their workstation and followed the attacker’s instructions. However, as the conversation progressed, the employee grew more wary, and ultimately the requests became too suspicious.

Coinbase reassured its customers that no funds or customer information were compromised, and only a limited amount of data from the corporate directory was exposed. The incident highlights the importance of strong cyber controls and employee awareness in preventing successful cyber attacks.

Preventing cyber-attacks

Coinbase shared some key tactics, techniques, and procedures (TTPs) that other crypto companies can use to identify and defend against a similar attack.

The TTPs include monitoring web traffic from the company’s technology assets to specific addresses, such as sso-*.com, *-sso.com, login.*-sso.com, dashboard-*.com, and *-dashboard.com. Additionally, monitoring downloads or attempted downloads of specific remote desktop viewers, including AnyDesk and ISL Online, and any attempts to access the organization from a third-party VPN provider, specifically Mullvad VPN, is vital, according to Coinbase.

Furthermore, Coinbase also shared that crypto companies should be vigilant of incoming phone calls/text messages from specific providers, including Google Voice, Skype, Vonage/Nexmo, and Bandwidth. They should also monitor unexpected attempts to install specific browser extensions, including EditThisCookie.

According to Will Thomas of the Equinix Threat Analysis Center (ETAC), some additional Coinbase-themed domains, such as sso-cbhq[.]com, sso-cb[.]com, and coinbase[.]sso-cloud[.]com, were possibly used in the attack. It is essential to know that the attacker’s modus operandi is similar to what was observed during the Scatter Swine/0ktapus phishing campaigns last year.
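The domain monitoring described above can be sketched as a check over proxy logs. This is an added example, not code from Coinbase or the article; the log format, the brand tokens "cb" and "cbhq" (taken from the domains quoted above), the owned domain "coinbase.com" and the looser keyword heuristic are assumptions.

```python
import re

# Hostname shapes listed in the article; "{org}" stands in for the "*" wildcard.
PATTERNS = ["sso-{org}.com", "{org}-sso.com", "login.{org}-sso.com",
            "dashboard-{org}.com", "{org}-dashboard.com"]
KEYWORDS = {"sso", "login", "dashboard"}  # assumed keywords for the looser check


def build_matcher(org_tokens):
    """One regex covering every pattern for every org name or abbreviation."""
    orgs = "(?:" + "|".join(re.escape(t) for t in org_tokens) + ")"
    alts = [orgs.join(re.escape(part) for part in p.split("{org}")) for p in PATTERNS]
    return re.compile(r"(?:^|\.)(?:" + "|".join(alts) + r")$")


def classify(host, org_tokens, owned_domains):
    """Return 'pattern', 'heuristic' or None for one requested hostname."""
    host = host.replace("[.]", ".").lower().rstrip(".")  # refang, normalise
    if any(host == d or host.endswith("." + d) for d in owned_domains):
        return None  # the organisation's own infrastructure
    if build_matcher(org_tokens).search(host):
        return "pattern"
    labels = set(re.split(r"[.-]", host))
    # Looser check: a brand token and an SSO-style keyword anywhere in the name.
    if labels & set(org_tokens) and labels & KEYWORDS:
        return "heuristic"
    return None


def scan(log_lines, org_tokens, owned_domains):
    """Return (user, host, reason) for proxy lines of the form 'user host'."""
    hits = []
    for line in log_lines:
        user, host = line.split()
        reason = classify(host, org_tokens, owned_domains)
        if reason:
            hits.append((user, host, reason))
    return hits


# Constructed proxy log; the defanged hostnames are the ones quoted in the article.
SAMPLE_LOG = [
    "alice login.coinbase.com",
    "bob sso-cbhq[.]com",
    "carol coinbase[.]sso-cloud[.]com",
    "dave www.example.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, ["coinbase", "cb", "cbhq"], ["coinbase.com"]):
        print(hit)
```

Filling the wildcard with only the full company name misses sso-cbhq[.]com, and coinbase[.]sso-cloud[.]com fits none of the five shapes, which is why the sketch takes abbreviations and adds a second, looser check.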

Group-IB, a cybersecurity company, also reported that the threat actor stole almost 1,000 corporate access logins by sending phishing links over SMS to company employees.


Damilola Lawrence

Damilola is a crypto enthusiast, content writer, and journalist. When he is not writing, he spends most of his time reading and keeping tabs on exciting projects in the blockchain space. He also studies the ramifications of Web3 and blockchain development to have a stake in the future economy.
