Coinbase employees were the target of a cybersecurity attack on Feb. 5 involving text message scams and impersonation of IT employees, according to a recent report from the company's engineering team. The cryptocurrency exchange said no customers' funds or information were affected.
Late Sunday, several Coinbase employees reportedly received text messages urging them to log in via a provided link to read an important message. One employee followed the attacker's instructions: "While most people ignored the unsolicited message - an employee thought it was an important and legitimate message, clicked on the link and entered their username and password. After 'logging in', the employee was prompted to ignore the message, and thanked for their compliance."
The perpetrators then made multiple attempts to remotely access Coinbase's internal systems using the employee's username and password, but could not get past multi-factor authentication (MFA).
After those failed login attempts were automatically blocked, the attacker contacted the employee by phone. According to the report, the attacker claimed to be from Coinbase's IT department and asked the employee for help: "Believing they were talking to a legitimate Coinbase IT employee, the employee logged into their workstation and began following the attacker's instructions. This began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the claims became increasingly suspicious."
Coinbase's Computer Security Incident Response Team (CSIRT) was alerted to the unusual activity by its Security Information and Event Management (SIEM) system. An incident responder contacted the victim via the company's internal messaging system in response to this atypical behavior.
"The employee, realizing that something was terribly wrong, terminated all communication with the attacker," the report said. According to Coinbase, its layered control environment protected customer funds and information, although some of its personnel information was compromised. The company believes the attack is related to a sophisticated campaign that has targeted many companies since last year, especially in the United States. Cybersecurity firm Group-IB reported similar phishing attacks targeting Twilio and Cloudflare employees in August as part of a larger campaign that ultimately compromised 9,931 accounts at more than 130 organizations.
Coinbase's team also noted that its customers and employees are often targeted by fraudsters, and that the solution lies in providing proper training: "Research has repeatedly shown that all people can be fooled eventually, no matter how alert, skilled and prepared they are. We must always assume that bad things will happen. We need to constantly innovate to reduce the effectiveness of these attacks, while working to improve the overall experience."





















