Cryptocurrency exchange Coinbase suffered a cybersecurity attack targeting its employees on February 5. The attack occurred via SMS scams and consisted of impersonating IT staff, according to a recent report from the company’s engineering team. According to the company, no customer funds or information were affected.
As the report indicates, late on Sunday several Coinbase employees received SMS messages urgently asking them to connect via the provided link to access an important message. Acting in good faith, one of the employees followed the operator’s instructions:
“While most ignore this non-advanced message, an employee, believing it to be an important and legitimate message, clicks the link and enters their username and password. After ‘login’, the employee is prompted to ignore the message and thanked for complying.”
The attacker then repeatedly attempted to remotely access Coinbase’s internal systems using the employee’s username and password, but was unable to bypass the multi-factor authentication (MFA) security measure.
After failing in his authentication attempt and being automatically blocked, the attacker contacted the employee by phone. According to the report, the attacker claimed to be Coinbase’s IT department and asked the employee for help:
“Believing he was speaking to a legitimate Coinbase IT staff member, the employee logged into his workstation and began following the attacker’s instructions. Thus began a tug-of-war between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests became more and more suspicious.”
Coinbase’s Computer Security Incident Response Team (CSIRT) was alerted to unusual activity by its Security Incident and Event Management (SIEM) system. An incident manager contacted the victim through the company’s internal messaging system in response to the atypical behavior.
“Realizing something was seriously wrong, the employee ended all communication with the attacker,” says the report. According to Coinbase, its layered control environment protected funds and customer information, although some of its staff information had been compromised.
The company believes that the attack is associated with a sophisticated attack campaign that has targeted many companies since last year, especially in the United States. Cybersecurity company Group-IB reported similar phishing attacks on Twilio and Cloudflare employees in August 2022 as part of a massive campaign that ended with 9,931 accounts from more than 130 organizations compromised.
The Coinbase team also pointed out that its customers and employees are frequent targets of scammers, and that the solution is to offer adequate training:
“Research shows time and time again that everyone can be fooled at some point, no matter how alert, skilled and prepared they are. We must always work from the assumption that bad things will happen. We must constantly innovate to counter the effectiveness of these attacks, while we strive to improve the overall experience for our customers and employees.”
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph.