Coinbase Discloses Its Own Case How Hackers Breached Through Layers of Social Engineering

Coinbase reveals own case of hackers breaching through layers of social engineering.

Compiled by: GaryMa Wu Blockchain

Overview

Coinbase recently experienced a network security attack targeting one of its employees. Fortunately, Coinbase’s network security controls prevented the attacker from accessing the system directly and prevented any financial losses or customer information leaks. Only a portion of the data from our company directory was compromised. Coinbase values transparency and wants our employees, customers, and community to understand the details of this attack and share the tactics, techniques, and procedures (TTP) used by the attacker so that everyone can better protect themselves.

Coinbase’s customers and employees are often targeted by scammers. The reason is simple: any form of currency, including cryptocurrencies, is a target for cybercriminals. It’s easy to understand why so many attackers are constantly looking for quick profit opportunities.

• FriendTech boom temporarily slows down, which simulation platforms are ideal for Web3 social networking?
• Founder Interview Why did Eclipse Architecture choose SolanaVM, Celestia, and Ethereum?
• Messari Friend.tech has over 300,000 users, with a daily revenue exceeding Opensea’s by 6 times, but is it sustainable?

Dealing with such a large number of attackers and cybersecurity challenges is one of the reasons why I believe Coinbase is an interesting workplace. In this article, we will discuss an actual network attack and related network events that we recently dealt with at Coinbase. Although I am pleased to say that in this case, no customer funds or customer information were affected, there are still valuable lessons to be learned. At Coinbase, we believe in transparency. By openly discussing such security issues, I believe we can make the entire community safer and more security-conscious.

Our story begins on the evening of Sunday, February 5, 2023. Several employees’ phones started receiving text message alerts indicating that they needed to urgently log in via the provided link to receive important information. While most people ignored this unsolicited message, one employee thought it was an important legitimate message and clicked on the link, entering their username and password. After “logging in,” the employee was prompted to disregard the message and thanked for their compliance.

What happened next was that the attacker used the legitimate Coinbase employee username and password to attempt remote access to Coinbase multiple times. Fortunately, our network security control system was prepared. The attacker was unable to provide the required multi-factor authentication (MFA) credentials and was therefore blocked from entering. In many cases, this would be the end of the story. But this was no ordinary attacker. We believe this person is involved in a highly persistent and sophisticated attack campaign that has been targeting many companies since last year.

About 20 minutes later, our employee’s phone rang. The attacker claimed to be from Coinbase’s Information Technology department and needed the employee’s assistance. Believing they were talking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. This initiated a back-and-forth between the attacker and the increasingly suspicious employee. As the conversation progressed, the requests became increasingly suspicious. Fortunately, no funds were taken, and no customer information was accessed or viewed. However, some limited contact information of our employees was obtained, including employee names, email addresses, and some phone numbers.

Luckily, our Computer Security Incident Response Team (CSIRT) was able to identify this issue within the first 10 minutes of the attack. Our security incident and management system alerted us to the abnormal activity. Shortly after, our incident responders reached out to the victims through the internal Coinbase messaging system, inquiring about any unusual behavior and usage patterns related to their accounts. Once the employees realized the severity of the issue, they immediately terminated all communication with the attacker.

Our CSIRT team promptly suspended all access privileges for the affected employees and initiated a comprehensive investigation. Due to our layered control environment, there was no financial loss or leakage of customer information. The cleanup process was relatively quick, but there are still many lessons to be learned.

Anyone can fall victim to social engineering attacks

Humans are social creatures. We desire harmonious relationships and to be part of a team. If you believe that you cannot be deceived by a well-planned social engineering attack, then you are deceiving yourself. In the right circumstances, almost anyone can become a victim.

The most difficult attacks to resist are direct contact social engineering attacks, just like the one our employees experienced here. Attackers reach out to you directly through social media, your phone, or even worse, they physically enter your home or business premises. These attacks are not new. In fact, they have been happening since early human history. It is one of the attacker’s favorite strategies because it is effective.

So what can we do? How can we prevent this from happening?

I would say it’s simply a training issue. Customers, employees, and everyone need better training, they need to do better. This statement always holds some truth. But as cybersecurity professionals, it cannot be an excuse every time we encounter such situations. Studies repeatedly show that everyone can eventually be deceived, no matter how vigilant, skilled, and prepared they are. We must always start from the premise that bad things can happen. We need to constantly innovate to weaken the impact of these attacks while striving to improve the overall experience of our customers and employees.

Can you share some Tactics, Techniques, and Procedures (TTP)?

Of course. Given that this attacker is targeting a wide range of companies, we want everyone to know what we know. Here are some specific items we recommend you look for in your enterprise logs/Security Information and Event Management System (SIEM):

Any web traffic to the following addresses, where * represents your company or organization name:

● sso-*.com

● *-sso.com

● login.*-sso.com

● dashboard-*.com

● *-dashboard.com

Any downloads or attempted downloads of the following remote desktop viewers:

● AnyDesk (anydesk dot com)

● ISL Online (islonline dot com)

Any attempt to access your organization through a third-party VPN service provider (especially Mullvad VPN).

The following service providers for calls/sms:

● Google Voice

● Skype

● Vonage / Nexmo

● Bandwidth dot com

Any attempt to install the following browser extensions:

● EditThisCookie

As a network defender, you should expect to see behavior that involves attempting to log into enterprise applications using stolen credentials, cookies, or other session tokens from VPN services (such as Mullvad). There may also be attempts to enumerate applications that are used for customer support, such as customer relationship management (CRM) applications or employee directory applications. You may also see attempts to copy text-based data to free text or file sharing services (such as riseup.net).

These situations are never easy to talk about. It is embarrassing for employees, frustrating for cybersecurity professionals and management, and just plain frustrating for everyone. But as a community, we need to have more open discussions about these issues. If you are a customer of Coinbase, be skeptical of anyone asking for your personal information. Never share your credentials, never allow anyone remote access to your personal devices, and enable the strongest available forms of authentication. Consider using a physical security token to access your Coinbase account. If you do not trade frequently, consider our Coinbase Vault solution for an extra layer of protection for your assets.

If you are an employee of Coinbase or any other company with an online presence, you will be targeted. Stay vigilant, especially when someone calls or contacts you. A simple best practice is to hang up and seek help using a trusted phone number or company chat technology. Never provide information or login credentials to someone who contacts you for the first time.

If you are a cybersecurity professional, we know that bad actors will always do bad things. But we should also remember that good people can make mistakes and our best security controls can sometimes fail. Most importantly, we should always be willing to learn and strive to be better. We are all human. That is a constant factor that (hopefully) will never change.

Stay safe!

We will continue to update Blocking; if you have any questions or suggestions, please contact us!