- A cybersecurity attack reportedly targeted Coinbase employees. Using a username and password that belonged to an actual Coinbase employee, the attacker attempted to connect to Coinbase many times, remotely.
- When every attempt failed, the malicious actor phoned the employee and gave them instructions to follow; the employee began to grow suspicious.
- A small quantity of contact information for Coinbase workers, including names, email addresses, and a few phone numbers, was obtained but no money was taken and no client information was accessed.
Coinbase reports that one of its employees was the subject of a cybersecurity attack. Armed with a login and password belonging to a real Coinbase employee, the attacker repeatedly tried to get into Coinbase remotely, but Coinbase's defenses held up: the attacker could not supply the Multi-Factor Authentication (MFA) credentials required and was denied access.
What happened?
First, the attacker conducted an SMS phishing campaign against Coinbase employees, sending messages that directed them to fake sites asking for their credentials. Most of the employees who received those messages recognized them as a scam. One, however, did not, and entered their credentials on the fake landing page. At this point the attacker held valid credentials but still could not log in, because 2FA was enabled.
After around 20 minutes, that employee received a phone call. The malicious actor claimed to be from Coinbase's corporate IT department and to need the employee's assistance. Believing they were talking to a real member of the Coinbase IT department, the employee began following the attacker's instructions. Within 10 minutes, Coinbase's Computer Security Incident Response Team (CSIRT) detected the unusual activity and contacted the victim employee, who then stopped communicating with the malicious actor.
No money was stolen, and no customer information was accessed or seen. Nevertheless, a small amount of contact information for Coinbase employees, including names, email addresses, and a few phone numbers, was taken.
The CSIRT team started a thorough investigation while promptly suspending all access for the victimized employee. No money was lost, and no client information was exposed.
How to watch out for these attacks
After the attack, Coinbase shared its experience with users to help them watch out for attacks such as these.
Any web traffic from your technology assets to the following addresses, where * represents your company or organization name:
- sso-*.com
- *-sso.com
- login.*-sso.com
- dashboard-*.com
- *-dashboard.com
Any downloads or attempted downloads of the following remote desktop viewers:
- AnyDesk (anydesk dot com)
- ISL Online (islonline dot com)
Any attempts to access your organization from a third-party VPN provider, specifically Mullvad VPN.
Incoming phone calls/text messages from the following providers:
- Google Voice
- Skype
- Vonage/Nexmo
- Bandwidth [dot] com
Any unexpected attempts to install the following browser extension(s):
- EditThisCookie
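As an added example (not Coinbase's own tooling), the following Python turns the wildcard domain patterns and remote-desktop download indicators above into a check that can be run over web-proxy log lines. The log format, the organization name `example` and every log entry are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Lookalike domain patterns shared by Coinbase; * stands for the organization name.
DOMAIN_PATTERNS = ["sso-*.com", "*-sso.com", "login.*-sso.com",
                   "dashboard-*.com", "*-dashboard.com"]
# Remote-desktop tools whose download was listed as an indicator.
REMOTE_DESKTOP_HOSTS = ["anydesk.com", "islonline.com"]


def build_domain_regex(org):
    """Compile the wildcard patterns into one anchored, case-insensitive regex
    for the given organization name. The name is escaped so it matches literally,
    and any subdomain of a listed pattern (e.g. www.sso-org.com) also matches."""
    alts = [re.escape(p).replace(r"\*", re.escape(org)) for p in DOMAIN_PATTERNS]
    return re.compile(r"^(?:[a-z0-9-]+\.)*(?:" + "|".join(alts) + r")$", re.I)


def scan_proxy_log(lines, org):
    """Return (line_no, reason, host) for each log line that hits an indicator.
    Constructed log format (assumption): timestamp user method url status."""
    lookalike = build_domain_regex(org)
    hits = []
    for n, line in enumerate(lines, 1):
        url = line.split()[3]
        host = (urlsplit(url).hostname or "").lower()
        if lookalike.match(host):
            hits.append((n, "sso/dashboard lookalike domain", host))
        elif any(host == h or host.endswith("." + h) for h in REMOTE_DESKTOP_HOSTS):
            hits.append((n, "remote desktop tool download", host))
    return hits


# Constructed sample proxy log for the fictional organization "example".
SAMPLE_LOG = """\
2023-02-05T10:01:12Z alice GET https://mail.example.com/inbox 200
2023-02-05T10:03:44Z bob GET https://login.example-sso.com/auth 200
2023-02-05T10:05:01Z bob GET https://www.sso-example.com/mfa 200
2023-02-05T10:22:19Z bob GET https://anydesk.com/en/downloads/windows 200
2023-02-05T10:25:00Z carol GET https://example-dashboard.org/home 200
""".splitlines()

if __name__ == "__main__":
    # Lines 2, 3 and 4 are flagged; line 5 is not, since .org is not a listed pattern.
    for line_no, reason, host in scan_proxy_log(SAMPLE_LOG, "example"):
        print(f"line {line_no}: {reason}: {host}")
```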