Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed

Popular cryptocurrency exchange platform Coinbase disclosed that it experienced a cybersecurity attack that targeted its employees.

The company said its “cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information.”

The incident, which took place on February 5, 2023, resulted in the exposure of a “limited amount of data” from its directory, including employee names, e-mail addresses, and some phone numbers.

As part of the attack, several employees were targeted in an SMS phishing campaign urging them to sign in to their company accounts to read an important message.

One employee is said to have fallen for the scam, entering their username and password in a fake login page set up by the threat actors to harvest the credentials.

“After ‘logging in,’ the employee is prompted to disregard the message and thanked for complying,” the company said. “What happened next was that the attacker […] made repeated attempts to gain remote access to Coinbase.”

These attempts to log in to the systems using the captured credentials proved to be unsuccessful owing to the multi-factor authentication protections that were enabled for the account.

Undeterred, the threat actor called the employee claiming to be from the Coinbase corporate Information Technology (IT) team and directed the individual to log into their workstation and follow a set of instructions.

“That began a back and forth between the attacker and an increasingly suspicious employee,” Coinbase explained. “As the conversation progressed, the requests got more and more suspicious.”

The company said it was alerted within the first 10 minutes of the attack and that its incident responders reached out to the victim to inquire about the suspicious activity from their account, prompting the person to sever all communications with the adversary.

Coinbase did not elaborate on the exact instructions the threat actor gave to the employee, but urged other companies to be on the lookout for potential attempts to install remote desktop software such as AnyDesk or ISL Online as well as a legitimate Google Chrome extension called EditThisCookie.

It also warned of incoming phone calls and text messages from specific providers like Google Voice, Skype, Vonage/Nexmo, and Bandwidth.

Coinbase further noted that the attack is likely linked to the sophisticated phishing campaign known as 0ktapus (aka Scatter Swine) that targeted over 130 companies, including Twilio, Cloudflare, MailChimp, and Signal, among others, last year.
