Threat actors targeted employees of cryptocurrency exchange Coinbase in a smishing attack that exposed a “limited amount” of personal employee data, after an attacker who was initially blocked by multifactor authentication (MFA) social-engineered an employee over the phone to get past it and into the company’s corporate systems.
Coinbase outlined the attack — which the company believes is connected to the previously identified Oktapus campaign, in which employees of organizations using Okta were sent malicious SMS messages to harvest their Okta credentials — in a recent blog post, providing an in-depth, step-by-step account of how it unfolded, escalated, and was eventually thwarted without a major breach.
One of the employees who was targeted responded to an attacker’s SMS and gave up credentials to the corporate system; the person then received a follow-up phone call attempting to gain access after initial attempts to log in were blocked by MFA security. Coinbase’s Computer Security Incident Response Team (CSIRT) responded within 10 minutes of the attack to shut it down, preventing a far more serious incident, the company said.
The situation once again demonstrates how human error remains a key factor in the success of cyberattacks, and the risk that increasingly sophisticated social engineering campaigns pose to the enterprise, Jeff Lunglhofer, Coinbase’s CISO, noted in the blog post.
While “situations like this are never easy to talk about,” Coinbase revealed and detailed the attack in the interest of transparency, as well as to help other organizations understand the potential risks from smishing in order to protect themselves from similar incidents, he said.
“They are embarrassing for the employee, they are frustrating for cybersecurity professionals, and they are frustrating for management,” Lunglhofer wrote. “But as a community we need to be more open about issues like this.”
What Happened in the Coinbase Cyberattack
Coinbase is a cryptocurrency exchange with more than 1,200 employees worldwide and more than 108 million verified users, making it an attractive target for financially motivated threat actors, Lunglhofer said.
The recent attack occurred on Sunday, Feb. 5, when the mobile phones of several Coinbase employees received SMS messages indicating that they needed “to urgently log in” to their Coinbase accounts via a link “to receive an important message,” according to the post.
While most of the targeted employees ignored the message, one didn’t, clicking on the link and eventually providing the threat actors with their username and password. The attackers then logged in to the Coinbase system using the legitimate employee credentials, but couldn’t supply the correct MFA factor and were blocked from access.
While many attacks would stop here, this one didn’t, most likely because the attacker “is associated with a highly persistent and sophisticated attack campaign that has been targeting scores of companies since last year,” Lunglhofer wrote. That campaign, dubbed Oktapus by the Group-IB researchers who discovered it, resulted in the compromise of 9,931 accounts at more than 130 organizations.
Twenty minutes after the initial SMS message, the phone of the compromised employee rang. On the line was the attacker, claiming to be from Coinbase corporate IT and in need of the employee’s help. The employee once again believed the request was legitimate and followed attacker instructions, logging in to the Coinbase system and responding to what became increasingly suspicious requests from the attacker.
The employee’s actions gave up “some limited contact information” for Coinbase employees — including names, email addresses, and some phone numbers — but did not expose any customer info or other sensitive data, nor did the attackers gain the ability to steal Coinbase crypto, the company said.
Eventually, Coinbase’s CSIRT intervened and reached out to the smishing victim to ask about unusual behavior and usage patterns associated with their account, and the employee terminated communication with the attacker, he wrote. CSIRT then suspended the employee’s account access and launched an investigation.
Why “Smishing” Attacks Are Successful
In this case, the cleanup after the attack was “relatively quick,” Lunglhofer said. However, the incident offers useful takeaways on why sophisticated, socially engineered phishing attacks still succeed, even though they have been around since the mainstream Internet emerged and awareness of them is broad.
One important point to note is that even the savviest cyber-aware person can be fooled by a clever, socially engineered attack because of humans’ natural tendency to want to “get along” and “be part of the team,” Lunglhofer noted. “Under the right circumstances nearly anyone can be a victim,” he wrote.
Indeed, research shows that the human factor remains one of the top reasons data breaches occur. This means that using the excuse that successful phishing scams are merely an employee “training problem” is a cop-out, and organizations have to put in place a proactive cyber-defense system that can act quickly in the case of employee compromise, Lunglhofer wrote.
Coinbase provided a list of the attackers’ tactics, techniques, and procedures (TTPs) to help enterprises prevent attacks or recognize suspicious login attempts on the corporate system. In particular, login attempts to corporate applications from third-party VPN services should be flagged as suspicious, as they may be using stolen credentials, cookies, or other session tokens, Lunglhofer observed.
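The two signals described above (a successful password login from a commercial VPN egress range, and an MFA failure followed minutes later by an MFA success from the same source) can be turned into straightforward detection logic. The following is an added example, not Coinbase’s own tooling; the log format, the VPN CIDR list and the sample events are all constructed for illustration, and a real deployment would source the VPN ranges from a threat-intel feed rather than hard-coding them.

```python
"""Detection sketch for the smishing pattern described in the article.

Added example, not Coinbase code. The auth-log format, the VPN egress
CIDRs and the sample events below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: egress ranges of third-party VPN providers (documentation
# prefixes used as placeholders, not real provider ranges).
VPN_EGRESS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed auth log: "<timestamp> <user> <src_ip> <stage> <result>".
# alice: password accepted from a VPN range, MFA rejected twice, then an
# MFA success ~20 minutes later from the same IP (the "phone call" step).
SAMPLE_LOG = """\
2023-02-05T14:02:11Z alice 203.0.113.45 password success
2023-02-05T14:02:13Z alice 203.0.113.45 mfa failure
2023-02-05T14:02:40Z alice 203.0.113.45 mfa failure
2023-02-05T14:22:50Z alice 203.0.113.45 mfa success
2023-02-05T14:30:02Z bob 192.0.2.10 password success
2023-02-05T14:30:05Z bob 192.0.2.10 mfa success
"""


def parse_event(line):
    """Split one log line into a dict with typed timestamp and IP."""
    ts, user, ip, stage, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "stage": stage,
        "result": result,
    }


def is_vpn_egress(ip):
    """True if the source address falls inside a known VPN egress range."""
    return any(ip in net for net in VPN_EGRESS)


def detect(log_text, window=timedelta(minutes=30)):
    """Return (rule, user, src_ip, timestamp) tuples for suspicious events.

    rule "vpn_login": password accepted from a third-party VPN address.
    rule "mfa_fail_then_success": MFA rejected, then accepted from the
    same address within `window`, i.e. the factor was eventually supplied
    after the attacker was first blocked.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        mfa_fails = [e for e in events if e["stage"] == "mfa" and e["result"] == "failure"]
        for ev in events:
            if ev["stage"] == "password" and ev["result"] == "success" and is_vpn_egress(ev["ip"]):
                alerts.append(("vpn_login", user, str(ev["ip"]), ev["ts"]))
            if ev["stage"] == "mfa" and ev["result"] == "success":
                prior = [f for f in mfa_fails
                         if f["ip"] == ev["ip"] and timedelta(0) <= ev["ts"] - f["ts"] <= window]
                if prior:
                    alerts.append(("mfa_fail_then_success", user, str(ev["ip"]), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, `detect` raises two alerts for `alice` and none for `bob`. The second rule is the more valuable one in this incident: a VPN source alone generates noise from legitimate remote workers, but an MFA rejection that turns into an acceptance from the same address shortly afterwards is exactly the moment the CSIRT would want to call the employee, as Coinbase’s team did.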