Coinbase Crypto Exchange Ensnared in ‘Oktapus’-Related Smishing Attack

Threat actors targeted employees of cryptocurrency exchange Coinbase in a smishing attack that exposed a "limited amount" of personal employee data, after the attackers talked their way past multifactor authentication (MFA) with a follow-up phone call and gained direct access to its corporate system.

Coinbase outlined the attack in a recent blog post, providing an in-depth, step-by-step account of how it unfolded, escalated, and was eventually thwarted without a major breach. The company believes the attack is connected to the previously identified Oktapus campaign, which targeted employees of organizations that use Okta's identity services with malicious SMS messages pointing to spoofed Okta login pages.

One of the employees who was targeted responded to an attacker's SMS and gave up credentials to the corporate system; the person then received a follow-up phone call from the attacker, who was trying to gain access after the initial login attempts were blocked by MFA. Coinbase's Computer Security Incident Response Team (CSIRT) responded within 10 minutes of the attack to shut it down, preventing a far more serious incident, the company said.

The situation once again demonstrates how human error remains a key factor in the success of cyberattacks, and the risk that increasingly sophisticated social engineering campaigns pose to the enterprise, Jeff Lunglhofer, Coinbase's CISO, noted in the blog post.

While "situations like this are never easy to talk about," Coinbase revealed and detailed the attack in the interest of transparency, as well as to help other organizations understand the potential risks from smishing in order to protect themselves from similar incidents, he said.

"They are embarrassing for the employee, they are frustrating for cybersecurity professionals, and they are frustrating for management," Lunglhofer wrote. "But as a community we need to be more open about issues like this."

What Happened in the Coinbase Cyberattack

Coinbase is a cryptocurrency exchange with more than 1,200 employees worldwide and more than 108 million verified users, making it an attractive target for financially motivated threat actors, Lunglhofer said.

The recent attack occurred on Sunday, Feb. 5, when the mobile phones of several Coinbase employees received SMS messages indicating that they needed "to urgently log in" to their Coinbase accounts via a link "to receive an important message," according to the post.

While most of the targeted employees ignored the message, one didn't, clicking on the link and eventually providing the threat actors with their username and password. The attackers then proceeded to log in to the Coinbase system using the legitimate employee credentials, but couldn't provide the correct MFA credentials and thus were blocked from access.

While many attacks would stop here, this one didn't, most likely because the attacker "is associated with a highly persistent and sophisticated attack campaign that has been targeting scores of companies since last year," Lunglhofer wrote. That attack spree, dubbed Oktapus by the researchers at Group-IB who discovered it, impersonated Okta login pages and resulted in the compromise of 9,931 accounts at more than 130 organizations.

Twenty minutes after the initial SMS message, the phone of the compromised employee rang. On the line was the attacker, claiming to be from Coinbase corporate IT and in need of the employee's help. The employee once again believed the request was legitimate and followed the attacker's instructions, logging in to the Coinbase system and responding to what became increasingly suspicious requests from the attacker.

The employee's actions gave up "some limited contact information" for Coinbase employees, including names, email addresses, and some phone numbers, but did not expose any customer info or other sensitive data, nor did the attackers gain the ability to steal Coinbase crypto, the company said.

Eventually, Coinbase's CSIRT intervened and reached out to the smishing victim to ask about unusual behavior and usage patterns associated with their account, and the employee terminated communication with the attacker, he wrote. CSIRT then suspended the employee's account access and launched an investigation.

Why "Smishing" Attacks Are Successful

In this case, the cleanup after the attack was "relatively quick," Lunglhofer said. However, the incident provides useful takeaways as to why sophisticated, socially engineered phishing attacks are still so successful, even though they have been occurring since the emergence of the mainstream Internet and there is broad awareness of them.

One important point to note is that even the savviest cyber-aware person can be fooled by a clever, socially engineered attack because of humans' natural tendency to want to "get along" and "be part of the team," Lunglhofer noted. "Under the right circumstances nearly anyone can be a victim," he wrote.

Indeed, research shows that the human factor remains one of the top reasons data breaches occur. This means that using the excuse that successful phishing scams are merely an employee "training problem" is a cop-out, and organizations have to put in place a proactive cyber-defense system that can act quickly in the case of employee compromise, Lunglhofer wrote.

Coinbase provided a list of the attackers' tactics, techniques, and procedures (TTPs) to help enterprises prevent attacks or recognize suspicious login attempts on the corporate system. In particular, login attempts to corporate applications from third-party VPN services should be flagged as suspicious, as the actors behind them may be using stolen credentials, cookies, or other session tokens, Lunglhofer observed.
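The detection logic below is an added example, not code from Coinbase or from its blog post. It shows how the two signals described in this article can be turned into alerts over authentication logs: a login from an address in a commercial-VPN range, and a successful login that follows an MFA failure for the same account within a short window (the pattern in which a blocked attacker phones the victim and gets them to approve the sign-in). The VPN CIDRs, the JSON log lines and the 30-minute window are all constructed for the example; a real deployment would feed in a maintained VPN/anonymizer list and the identity provider's own event schema.

```python
"""Flag suspicious corporate logins from a stream of auth events.

Added example. The VPN ranges and log lines are constructed for
illustration; they are not real provider addresses or real logs.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed stand-in for a commercial-VPN / anonymizer feed.
# Hypothetical documentation ranges, not any real provider's addresses.
VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed auth events as JSON lines (one login attempt per line).
SAMPLE_LOG = """
{"ts": "2023-02-05T14:02:10Z", "user": "alice", "ip": "192.0.2.15", "event": "login", "result": "success", "mfa": "passed"}
{"ts": "2023-02-05T14:12:41Z", "user": "bob", "ip": "203.0.113.77", "event": "login", "result": "failure", "mfa": "failed"}
{"ts": "2023-02-05T14:14:03Z", "user": "bob", "ip": "203.0.113.77", "event": "login", "result": "failure", "mfa": "failed"}
{"ts": "2023-02-05T14:33:20Z", "user": "bob", "ip": "203.0.113.77", "event": "login", "result": "success", "mfa": "passed"}
{"ts": "2023-02-05T15:01:00Z", "user": "carol", "ip": "192.0.2.88", "event": "login", "result": "failure", "mfa": "failed"}
{"ts": "2023-02-05T17:30:00Z", "user": "carol", "ip": "192.0.2.88", "event": "login", "result": "success", "mfa": "passed"}
"""

# Assumed window: an MFA success this soon after an MFA failure for the
# same account is worth a second look (the phone-call pattern).
MFA_FAIL_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON lines into dicts with real timestamps and IP objects, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["ip"] = ipaddress.ip_address(e["ip"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def from_vpn(ip):
    """True if the address falls inside any known VPN range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in VPN_RANGES)


def find_suspicious_logins(text, window=MFA_FAIL_WINDOW):
    """Return (user, iso_timestamp, [reasons]) for every login attempt that
    either comes from a VPN range or succeeds shortly after an MFA failure."""
    last_mfa_fail = {}  # user -> timestamp of most recent MFA failure
    alerts = []
    for e in parse_events(text):
        if e["event"] != "login":
            continue
        reasons = []
        if from_vpn(e["ip"]):
            reasons.append("source in commercial-VPN range")
        if e["result"] == "failure" and e["mfa"] == "failed":
            last_mfa_fail[e["user"]] = e["ts"]
        elif e["result"] == "success":
            prior = last_mfa_fail.get(e["user"])
            if prior is not None and e["ts"] - prior <= window:
                minutes = int(window.total_seconds() // 60)
                reasons.append(f"success within {minutes} min of MFA failure")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

On the constructed log this raises three alerts, all for "bob": two MFA failures from the VPN range and then a success that both comes from that range and lands 19 minutes after the last failure. "carol" also fails MFA and later succeeds, but from a corporate address and two and a half hours later, so she is not flagged; tuning that window, and deciding whether a failure alone should page anyone, is the judgement call the article leaves to each organization.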
