Cyberattack on Coinbase That Used a Fake SMS Alert to Target Workers

Cryptocurrency exchange Coinbase reported that an unknown threat actor obtained one of its employees’ login credentials in an attempt to gain remote access to the company’s systems and the data they hold.

According to the company, the attacker was able to view contact information for a number of Coinbase employees. Customer information and funds were untouched.

“Coinbase’s cyber security measures stopped the attacker from directly accessing the system, preventing any money loss or compromise of customer information. Only a small portion of our corporate directory’s data was intercepted,” Coinbase said.

Coinbase wished to make other businesses aware of the need to actively defend against such attacks.

Attack Details.

On Sunday, the attacker sent fake SMS alerts to several Coinbase employees, telling them to log in to their work accounts to read an urgent message.

Several employees ignored the message, but one was taken in and followed the instructions.

After the employee submitted their credentials, the attacker thanked them and told them to disregard the message.

Using the stolen credentials, the attacker attempted to log in to Coinbase’s internal systems. The attempt failed because the login was protected by multi-factor authentication (MFA).

Less than 20 minutes later, the attacker changed tactics. He called the employee, claiming to be from Coinbase’s IT team, and told the victim to log in to their workstation and follow his instructions.

No funds were taken and no customer data was accessed or viewed. However, a limited amount of Coinbase employees’ contact information was exposed: names, email addresses and other contact details.

Coinbase’s CSIRT detected the unusual activity within 10 minutes and contacted the victim to ask about any recent unusual activity on their account.

Guidance for Preventing a Similar Attack.

To help other businesses spot a similar attack and defend against it, Coinbase published some of the TTPs it observed:

Web traffic from company technology assets to lookalike SSO domains matching patterns such as sso-*.com, *-sso.com, login.*-sso.com and dashboard-*.com

Incoming phone calls or text messages from VoIP providers such as Vonage, Bandwidth, Skype and Google Voice

Unexpected attempts to install software, applications or browser extensions, such as EditThisCookie

Will Thomas of the Equinix Threat Analysis Center (ETAC) identified additional Coinbase-themed domains that match Coinbase’s description and may have been used in the attack:

sso-cbhq[.]com
sso-cb[.]com
coinbase[.]sso-cloud[.]com
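The TTPs above and the domains reported by Will Thomas translate fairly directly into detection logic. The following Python is an added example, not code from Coinbase, ETAC or the article: it matches constructed proxy, telephony and endpoint log lines against the published lookalike-SSO domain patterns, the three IOC domains, the listed VoIP providers and the EditThisCookie indicator, then correlates hits per user so that an employee who visits a lookalike domain, receives a VoIP call and installs the extension is escalated. The key=value log format, hostnames such as sso.example.com and the user names are assumptions made for the example.

```python
"""Detection logic for the smishing/vishing TTPs listed above. Added example,
not Coinbase's or ETAC's code. The log lines and key=value format are
constructed; the lookalike patterns, VoIP providers, EditThisCookie indicator
and the three IOC domains are the ones the article reports."""
import re
from collections import defaultdict

# Coinbase's lookalike-SSO patterns (sso-*.com, *-sso.com, login.*-sso.com,
# dashboard-*.com) as hostname regexes.
SSO_LOOKALIKE_PATTERNS = [
    re.compile(r"^sso-[a-z0-9-]+\.com$"),
    re.compile(r"^[a-z0-9.-]+-sso\.com$"),
    re.compile(r"^login\.[a-z0-9-]+-sso\.com$"),
    re.compile(r"^dashboard-[a-z0-9-]+\.com$"),
]
KNOWN_IOC_DOMAINS = {"sso-cbhq.com", "sso-cb.com", "coinbase.sso-cloud.com"}  # Will Thomas (ETAC), refanged
LEGIT_SSO_HOSTS = {"sso.example.com"}  # hypothetical allow-list: the real SSO host must never alert
VOIP_PROVIDERS = {"vonage", "bandwidth", "skype", "google voice"}  # inbound-call providers Coinbase listed
SUSPICIOUS_INSTALLS = {"editthiscookie"}  # software Coinbase called out as an unexpected install
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def host_from_url(url):
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None

def classify_host(host):
    """Return 'known_ioc', 'pattern' or None for a (possibly defanged) hostname."""
    host = host.replace("[.]", ".").lower().strip(".")
    if host in LEGIT_SSO_HOSTS:
        return None
    if host in KNOWN_IOC_DOMAINS:
        return "known_ioc"
    labels = host.split(".")
    # Test the host and each parent domain, so mail.sso-cloud.com is caught
    # by the sso-*.com pattern through its parent sso-cloud.com.
    for i in range(len(labels) - 1):
        if any(p.match(".".join(labels[i:])) for p in SSO_LOOKALIKE_PATTERNS):
            return "pattern"
    return None

def parse_line(line):
    """Constructed format: '<timestamp> key=value key="quoted value" ...'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields

def scan_proxy(lines):
    """Stage 1 of the attack: a user's browser reaches a lookalike SSO page."""
    alerts = []
    for f in map(parse_line, lines):
        host = host_from_url(f.get("dst", ""))
        kind = classify_host(host) if host else None
        if kind:
            alerts.append((f["user"], "phish_domain", f"{kind}:{host}"))
    return alerts

def scan_telephony(lines):
    """Stage 2: an inbound call to the victim from a VoIP provider."""
    return [(f["callee"], "voip_call", f["carrier"]) for f in map(parse_line, lines)
            if f.get("event") == "inbound_call" and f.get("carrier", "").lower() in VOIP_PROVIDERS]

def scan_endpoint(lines):
    """Stage 3: the victim installs the tool the caller asked for."""
    return [(f["user"], "tool_install", f["package"]) for f in map(parse_line, lines)
            if f.get("event") == "install" and f.get("package", "").lower() in SUSPICIOUS_INSTALLS]

def correlate(alerts):
    """Escalate any user seen in two or more distinct attack stages."""
    stages = defaultdict(set)
    for user, stage, _ in alerts:
        stages[user].add(stage)
    return {u: ("high" if len(s) >= 2 else "low") for u, s in stages.items()}

# Constructed sample logs, not real Coinbase telemetry.
PROXY_LOGS = [
    "2023-02-05T14:02:11Z user=alice dst=https://sso.example.com/login status=200",
    "2023-02-05T14:03:40Z user=bob dst=https://sso-cbhq.com/login?token=abc status=200",
    "2023-02-05T14:03:55Z user=bob dst=https://login.acme-sso.com/ status=200",
    "2023-02-05T14:04:10Z user=carol dst=https://dashboard-acme.com/home status=302",
    "2023-02-05T14:06:00Z user=erin dst=https://coinbase.sso-cloud.com/ status=200",
]
PHONE_LOGS = [
    "2023-02-05T14:22:00Z event=inbound_call callee=bob carrier=Vonage",
    '2023-02-05T14:23:00Z event=inbound_call callee=frank carrier="Example Telecom"',
]
ENDPOINT_LOGS = [
    "2023-02-05T14:25:00Z event=install user=bob package=EditThisCookie",
    "2023-02-05T14:26:00Z event=install user=alice package=Slack",
]

def scan_all():
    return scan_proxy(PROXY_LOGS) + scan_telephony(PHONE_LOGS) + scan_endpoint(ENDPOINT_LOGS)

if __name__ == "__main__":
    print(correlate(scan_all()))  # {'bob': 'high', 'carol': 'low', 'erin': 'low'}
```

Because the lookalike patterns are deliberately broad (any sso-*.com host), the allow-list of the organisation’s own SSO hosts matters, and a single pattern hit is low confidence on its own. The same user appearing in the phish-domain, VoIP-call and tool-install stages is the sequence the article describes, which is why the correlation step escalates on two or more distinct stages rather than on raw alert count.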

Cybersecurity firm Group-IB reports that the threat actor sent phishing links to company staff via SMS, intercepted the credentials entered on the fake pages, and has taken approximately 1,000 corporate logins in this way.

Social engineering actors can strike at any time, and they deliberately target business personnel who manage digital assets and maintain a visible online presence.

A multi-layered defence, however, can make an attack complex enough that most threat actors give up. Enforcing MFA and using physical security tokens (hardware security keys) help protect both customer and corporate accounts.
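The article recommends MFA with physical security tokens but does not say which MFA method blocked the attacker’s first login attempt. As an added example (not Coinbase’s code), the Python below shows the property that makes a FIDO2/WebAuthn security key resist exactly the lookalike-SSO page used in this attack: the browser records the page’s true origin in clientDataJSON and the authenticator hashes the RP ID, so an assertion produced on sso-cb[.]com fails verification at the real SSO host even if the phisher relays it immediately, whereas a one-time code has no such binding. The relying-party hostname, the challenge bytes and the simplified browser/authenticator stand-in are constructed; the signature check a real relying party also performs is not modelled.

```python
"""Why a hardware security key resists the lookalike-SSO phishing described
above. Added example, not Coinbase's code: a minimal relying-party check of
the WebAuthn clientDataJSON origin and the authenticator's rpIdHash, using a
constructed browser/authenticator stand-in. The signature verification a real
relying party also performs is omitted."""
import base64
import hashlib
import json

RP_ID = "sso.example.com"                      # hypothetical relying party
ALLOWED_ORIGINS = {"https://sso.example.com"}  # the only origin the RP serves login from
FLAG_UP = 0x01                                 # user-presence bit in authenticatorData flags


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def simulate_browser_assertion(page_origin, challenge):
    """Constructed stand-in for browser + authenticator. A phishing page cannot
    choose these values: the browser records the origin it is actually on, and
    the authenticator hashes the RP ID taken from that origin's host."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    rp_id = page_origin.split("://", 1)[1]
    # authenticatorData = rpIdHash (32) || flags (1: UP|UV) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}

def verify_assertion(assertion, expected_challenge):
    """Relying-party checks, in the order a WebAuthn server performs them."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {client.get('origin')}"
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & FLAG_UP:
        return False, "user presence not asserted"
    # A real RP now verifies the signature over authenticatorData ||
    # SHA-256(clientDataJSON) with the credential's registered public key.
    return True, "ok"

def otp_relay_succeeds(code_typed_on_phishing_page, code_expected_by_real_site):
    """Contrast: a one-time code is a bare string with no origin binding, so a
    code typed into the lookalike page can simply be forwarded to the real login."""
    return code_typed_on_phishing_page == code_expected_by_real_site

def demo():
    challenge = b"constructed-32-byte-challenge!!!"  # constructed; a real RP uses os.urandom
    genuine = simulate_browser_assertion("https://sso.example.com", challenge)
    phished = simulate_browser_assertion("https://sso-cb.com", challenge)  # relayed by the phisher
    return {
        "genuine": verify_assertion(genuine, challenge),
        "phished_relay": verify_assertion(phished, challenge),
        "stale_replay": verify_assertion(genuine, b"another-challenge"),
        "otp_relay": otp_relay_succeeds("482913", "482913"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The attacker in the article already had a valid password and only needed the second factor; with an OTP, the same SMS-and-phone-call routine that harvested the password can harvest the code. With a security key, relaying the assertion fails on the origin check before any cryptography is even reached, which is what “phishing-resistant MFA” means in practice.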
