Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed

February 21, 2023 | Ravie Lakshmanan | Social engineering / cryptocurrency


Coinbase, a popular cryptocurrency exchange platform, has revealed that it has suffered a cybersecurity attack targeting its employees.

“Cyber controls prevented attackers from directly accessing the system, preventing loss of funds and exposure of customer information,” the company said.

The incident, which occurred on February 5, 2023, exposed a “limited amount of data” from the directory, including employee names, email addresses, and some phone numbers.

As part of the attack, several employees were targeted with SMS phishing campaigns urging them to sign into their company accounts to read important messages.

One employee is said to have fallen for the scam. The employee entered his username and password into a fake login page set up by the attackers to harvest his credentials.

“After ‘logging in,’ employees are prompted to ignore the message and are thanked for doing so,” the company said. “What happened next was that the attackers […] repeatedly tried to gain remote access to Coinbase.”

These attempts to log in with the stolen credentials failed because of the multi-factor authentication protections enabled for the account.

Undeterred, the threat actor called an employee claiming to be part of Coinbase’s corporate information technology (IT) team and instructed them to log into a workstation and follow a series of instructions.

“That is the beginning of the interaction between the attackers and the increasingly questionable employee,” Coinbase explained. “As the conversation progressed, the request became more and more suspicious.”

The company said it was alerted within the first 10 minutes of the attack, prompting incident responders to contact victims to inquire about suspicious activity from their accounts and cut off all communication with the attackers.

Coinbase didn’t elaborate on the exact instructions the attackers gave the employees, but it urged other companies to watch for possible attempts to install remote desktop software such as AnyDesk and ISL Online, as well as a legitimate Google Chrome extension called EditThisCookie.

It also advised watching for incoming calls and text messages from certain providers such as Google Voice, Skype, Vonage/Nexmo and Bandwidth.
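The sequence described above (logins blocked by MFA, followed by an attempt to get remote-access tooling onto the employee's workstation) can be turned into a simple correlation rule. The following is an added example, not code from Coinbase or from the original article; the event fields, sample events, 30-minute window and failure threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Tools the article says defenders should watch for (matched by name only).
WATCHED_TOOLS = ("anydesk", "isl online", "editthiscookie")
WINDOW = timedelta(minutes=30)   # assumed correlation window, tune locally
MFA_FAIL_THRESHOLD = 2           # assumed: repeated failures, not a single typo

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"ts": "2024-01-15T14:01:10", "user": "alice", "type": "login", "result": "mfa_failed"},
    {"ts": "2024-01-15T14:02:05", "user": "alice", "type": "login", "result": "mfa_failed"},
    {"ts": "2024-01-15T14:09:40", "user": "alice", "type": "software_install", "name": "AnyDesk"},
    {"ts": "2024-01-15T14:03:00", "user": "bob", "type": "login", "result": "mfa_failed"},
    {"ts": "2024-01-15T09:00:00", "user": "carol", "type": "browser_extension", "name": "EditThisCookie"},
]

def is_watched(name):
    """True if the installed item matches one of the watched tool names."""
    return any(tool in name.lower() for tool in WATCHED_TOOLS)

def correlate(events):
    """Return (severity, user, tool, time) alerts, oldest first.

    A watched install is 'high' when the same user had repeated MFA-failed
    logins shortly before it, otherwise 'review' (may be legitimate use).
    """
    alerts = []
    mfa_failures = {}  # user -> timestamps of failed MFA logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "login" and ev.get("result") == "mfa_failed":
            mfa_failures.setdefault(user, []).append(ts)
        elif ev["type"] in ("software_install", "browser_extension") and is_watched(ev.get("name", "")):
            recent = [t for t in mfa_failures.get(user, []) if ts - t <= WINDOW]
            severity = "high" if len(recent) >= MFA_FAIL_THRESHOLD else "review"
            alerts.append((severity, user, ev["name"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A "review" result is not necessarily benign; it only means the install was not preceded by blocked logins for that user within the window.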

Coinbase further notes that the attack is likely related to a sophisticated phishing campaign known as 0ktapus (aka Scatter Swine), which targeted over 130 companies last year, including Twilio, Cloudflare, MailChimp, Signal and more.
