Cryptocurrency exchange Coinbase hacked, sensitive data stolen

An unknown threat actor went to great lengths to try to compromise the internal systems of one of the world’s most popular cryptocurrency exchanges by using a scam.
Although the attackers eventually succeeded in compromising the system, they were removed before being allowed to cause any serious harm. According to Coinbase, customer funds as well as customer data are safe and sound.
Initially, the hacker sent five phishing SMS messages to Coinbase employees, asking them to urgently log into the company account and read an important message. The messages contained a link to a page impersonating the Coinbase corporate login page, which in reality was nothing more than a malicious landing page designed to steal sensitive data.
Protected by MFA
While most employees immediately saw the scam, one did not, and thus provided the hacker with their login information. After logging in, the victim was thanked and prompted to ignore the message. Despite their success in obtaining credentials, there was not much the attackers could do because the account was protected with multi-factor authentication (MFA).
That didn’t stop them, though. They quickly phoned the victim, impersonating the company’s IT department, and asked them to log into the workstation and follow various instructions.
Coinbase explains: “Luckily no funds were taken and no customer information was accessed or viewed, but a limited amount of contact information for our employees was obtained, namely the employee’s name, email address, and a phone number.”
Coinbase’s CSIRT took about ten minutes to realize the company was being hacked and contact the victim about unusual activity.
At that point, the victim realized that they were being scammed and stopped communicating with the attacker.
While no one can know for sure who is behind this campaign, it follows a modus operandi similar to that seen in last year’s Scatter Swine/0ktapus scam campaigns.
Earlier, cybersecurity experts from Group-IB said that attackers managed to steal nearly 1,000 company access credentials by sending phishing SMS messages.
Via: BleepingComputer