Coinbase Employee Credentials Stolen in Recent Security Incident

Cryptocurrency exchange platform Coinbase has recently disclosed an attack that exposed the company’s systems and cost it sensitive data.

The attack, on Feb. 5, involved an unknown fraudster sending fake SMS alerts to several Coinbase employees, attempting to con them into following a malicious link.

Reportedly, the SMS mentioned an important message and urged recipients to log in to their corporate accounts to read it.

It took only a single employee to follow the rogue URL for the perpetrator to breach Coinbase’s systems and make off with the employee’s data. After typing their credentials into the phishing form, the employee was prompted with a “thank you” note and advised to dismiss the message.

The perpetrator then tried to log in to Coinbase’s internal systems, only to run up against the company’s multi-factor authentication (MFA) policy. The threat actor pulled a Hail Mary and contacted the previously-deceived employee, pretending to be a legitimate Coinbase IT staff member. The attacker then gave the employee instructions that would allow them access to the company’s systems.

Coinbase’s Computer Security Incident Response Team (CSIRT) quickly caught the suspicious activity and reached out to the victim, who, upon realizing what had happened, cut all communications with the attacker.

According to the company, the threat actor only managed to exfiltrate employee information, leaving customer data and funds untouched.

“Our CSIRT team immediately suspended all access for the victimized employee and launched a full investigation,” reads Coinbase’s security advisory. “Because of our layered control environment, there were no funds lost and no customer information was compromised. The clean-up was relatively quick, but still - there are a lot of lessons to be learned here.”

Coinbase released a series of Tactics, Techniques and Procedures (TTPs) that other companies should look for in their corporate logs, including:

• Web traffic from sso-*.com, *-sso.com, login.*-sso.com, dashboard-*.com, *-dashboard.com, where * represents the company’s name
• Download attempts from AnyDesk (anydesk dot com) and ISL Online (islonline dot com)
• Organization access attempts from third-party VPN providers, specifically Mullvad VPN
• Incoming communications from Skype, Google Voice, Vonage/Nexmo, and Bandwidth dot com
• Unexpected attempts to install the “EditThisCookie” browser extension