Popular cryptocurrency exchange platform Coinbase has revealed that it experienced a cyber security incident targeting its employees.
The company assured that there has not been any loss of funds or compromise of customer information as its cyber control safely prevented the attacker from obtaining direct access to the network.
There was an exposure of “slender number of data” from the directory, including employee names, some phone numbers and email addresses resulting from the cyber-attack that occurred on February 5, 2023.
A few of the employees were also targeted with a phishing SMS campaign as part of the attack that invited them to log into their company accounts to peruse an important message.
One of the employees did fall prey to the scam as he entered his username and password into a fake login page created by attackers to obtain credentials.
Subsequently, the threat attackers repeatedly attempted to gain remote access to Coinbase.
Multi-factor authentication protection enabled for some accounts led the fake credentials log in attempts into the systems to be unsuccessful.
Undaunted, the attacker made a call to an employee claiming to be from Coinbase’s corporate information technology (IT) team and instructed him to log into his workstation and follow his instructions. The conversation progressed to become more and more suspicious.
Coinbase said it was alerted within the first 10 minutes of the attack and that its incident responders contacted the victim to inquire about suspicious activity from their account, prompting the individual to cut off all communications with the adversary.
Coinbase did not specify the exact instructions the threat actor gave the employee, but urged other companies to look for potential attempts to install remote desktop software such as AnyDesk or ISL Online, as well as a legitimate Google Chrome extension called EditThisCookie.
It also sends out warning against incoming phone calls and text messages from specific providers such as Skype, Google Voice, Bandwidth and Vonage or Nexmo.
It’s important to be wary of any unsolicited messages or requests for personal information, and to verify the authenticity of any messages or requests before responding. If you receive a suspicious message, you should report it to the appropriate authorities and take steps to protect your personal information.
Coinbase further notified that the attack is likely to be related to a sophisticated phishing campaign known as 0ktapus (aka Scatter Swine) that targeted more than 130 companies last year, including Twilio, Cloudflare, MailChimp and Signal.