Cryptocurrency exchange Coinbase reported that an unknown attacker seeking to gain remote access to the company’s systems staged a spear phishing attack and stole the credentials of one of its employees.
Let me remind you that we also wrote that 2FA system breach on Coinbase leaves at least 6 thousand users robbed, and also that Experts traced DarkSide group bitcoin wallets.As a result of this attack, the hacker was able to obtain “some contact information” belonging to Coinbase employees, but the company stressed that the funds and data of customers are completely safe, their incident did not affect.
The company said that hackers attacked several company employees at once on February 5, using SMS notifications urging victims to log into accounts, ostensibly to read an important message. Although most employees ignored these messages, one of them fell for the scammers’ trick and followed a link to a phishing page where he entered his credentials.
In the next stage of the attack, the attackers tried to break into Coinbase’s internal systems using the stolen information, but failed because access was protected by multi-factor authentication (MFA).
About 20 minutes later, the attackers switched to a different tactic: they called the employee, posing as Coinbase IT specialists, and told the victim to log into their workstation and follow a series of instructions.
CSIRT Coinbase detected unusual activity within approximately 10 minutes of the attack starting and contacted the victim to inquire about the unusual activity on their account. As a result, the employee realized that something suspicious was happening, and stopped communicating with the scammer.
In its report, Coinbase shared some insights about this attack that other companies may find useful in identifying and protecting against similar incidents. So, suspicious should be considered:
- any traffic originating from the company to specific addresses, including sso-*.com, *-sso.com, login.*-sso.com, dashboard-*.com, and *-dashboard.com.
- any downloads or attempts to download certain remote desktop viewers, including AnyDesk and ISL Online;
- any attempts to access the organization through a third party VPN provider, such as Mullvad VPN;
- incoming phone calls and text messages from certain providers, including Google Voice, Skype, Vonage/Nexmo and Bandwidth;
- any unexpected attempts to install certain browser extensions, including EditThisCookie.
Equinix specialist Will Thomas adds that a number of other domains matching the company description may have been used in the attack: sso-cbhq[.]com, sso-cb[.]com and coinbase[.]sso-cloud[.]com.
It is worth noting that this attack is very similar to the work of the 0ktapus hack group, which attacked Twilio and Cloudflare employees in a similar way last year. Let me remind you that at that time, as a result of this large-scale campaign, 9931 accounts were compromised in more than 130 organizations.
