Coinbase reveals its case: how hackers breached through "social engineering" step by step

Coinbase
2023-10-06 14:08:34
Always be skeptical of anyone who asks you for personal information. Never share your credentials, never allow anyone to remotely access your personal devices, and enable the strongest available authentication methods.

Original Title: Social Engineering - A Coinbase Case Study

Original Author: Coinbase

Original Compiler: GaryMa, Wu Says Blockchain

Overview

Coinbase recently experienced a cybersecurity attack targeting one of its employees. Fortunately, Coinbase's cybersecurity controls prevented the attacker from directly accessing the system and stopped any loss of funds or customer information. Only a portion of data from our company directory was leaked. Coinbase firmly believes in transparency, and we want our employees, customers, and community to understand the details of this attack and share the tactics, techniques, and procedures (TTP) used by the attacker so that everyone can better protect themselves.

Coinbase's customers and employees are often targets for scammers. The reason is simple: any form of currency, including cryptocurrency, is a target pursued by cybercriminals. It is easy to understand why so many attackers are constantly looking for quick ways to profit.

Dealing with such a multitude of attackers and cybersecurity challenges is one of the reasons I find Coinbase to be an interesting workplace. In this article, we will discuss a real cyber attack and related cyber incident that we recently dealt with at Coinbase. While I am very pleased to say that no customer funds or customer information were affected in this case, there are still valuable lessons to be learned. At Coinbase, we believe in transparency. By openly discussing such security issues, I believe we can make the entire community safer and more security-aware.

Our story begins late on Sunday, February 5, 2023. Several employees' phones began to receive text alerts indicating that they needed to urgently log in via a provided link to receive important information. While most people ignored this unsolicited message, one employee thought it was an important legitimate message, clicked the link, and entered their username and password. After "logging in," the employee was prompted to disregard the message and thanked for their compliance.

What happened next was that the attacker used the legitimate Coinbase employee's username and password to attempt to remotely access Coinbase multiple times. Fortunately, our cybersecurity control systems were prepared. The attacker could not provide the required multi-factor authentication (MFA) credentials and was therefore blocked from entry. In many cases, this would be the end of the story. But this was not an ordinary attacker. We believe this individual is associated with a highly persistent and sophisticated attack campaign that has been targeting many companies since last year.

About 20 minutes later, our employee's phone rang. The attacker claimed to be from Coinbase's IT department and needed the employee's assistance. Believing they were speaking with a legitimate Coinbase IT staff member, the employee logged into their workstation and began to follow the attacker's instructions. This initiated a back-and-forth between the attacker and the increasingly suspicious employee. As the conversation progressed, the requests became more dubious. Fortunately, no funds were taken, and no customer information was accessed or viewed, but some limited contact information of our employees was obtained, including employee names, email addresses, and some phone numbers.

Fortunately, our Computer Security Incident Response Team (CSIRT) was aware of the issue within the first 10 minutes of the attack. Our security incident and event management (SIEM) system alerted us to the abnormal activity. Shortly thereafter, our incident responders contacted the victim through the internal Coinbase messaging system to inquire about some unusual behaviors and usage patterns related to their account. Once the employee realized there was a serious problem, they immediately terminated all communication with the attacker.

Our CSIRT team promptly suspended all access for the affected employee and initiated a comprehensive investigation. Thanks to our layered control environment, there was no loss of funds, nor was there any leakage of customer information. The cleanup was relatively swift, but there were still many lessons to be learned.

Anyone Can Be a Victim of Social Engineering Attacks

Humans are social animals. We want to get along and be part of a team. If you think you cannot be deceived by a well-crafted social engineering attack, you are deceiving yourself. In the right circumstances, almost anyone can become a victim.

The hardest attacks to resist are direct-contact social engineering attacks, like the one our employee experienced here. Attackers reach out directly through social media, your phone, or worse, walk into your home or business to contact you. These attacks are not new. In fact, they have been occurring since the early days of humanity. This is one of the attackers' favorite strategies because it is effective.

So What Can We Do? How Can We Prevent This from Happening?

I would like to say this is just a training issue. Customers, employees, and everyone need better training; they need to do better. There is always some truth to this statement. But as cybersecurity professionals, this cannot be our excuse every time we encounter such situations. Research repeatedly shows that everyone can ultimately be deceived, no matter how vigilant, skilled, and prepared they are. We must always start from the premise that bad things can happen. We need to continuously innovate to mitigate the effects of these attacks while striving to improve the overall experience for our customers and employees.

Can You Share Some Tactics, Techniques, and Procedures (TTP)?

Certainly. Given that this attacker is targeting a wide range of companies, we want everyone to know what we know. Here are some specific items we recommend you look for in your enterprise logging/security information and event management (SIEM) systems:

Any web traffic from your technical assets to the following addresses, where * represents your company or organization name:

  • sso-*.com
  • *-sso.com
  • login.*-sso.com
  • dashboard-*.com
  • *-dashboard.com

Any downloads or attempts to download the following remote desktop viewers:

  • AnyDesk (anydesk dot com)
  • ISL Online (islonline dot com)

Any attempts to access your organization through third-party VPN service providers (especially Mullvad VPN).

Incoming calls/texts from the following service providers:

  • Google Voice
  • Skype
  • Vonage / Nexmo
  • Bandwidth dot com

Any unexpected behavior attempting to install the following browser extension:

  • EditThisCookie

As a network defender, you should expect to see behavior attempting to log into enterprise applications using stolen credentials, cookies, or other session tokens from VPN services (e.g., Mullvad). There may also be attempts to enumerate customer support-facing applications, such as customer relationship management (CRM) applications or employee directory applications. You may also see attempts to copy text-based data to free text or file-sharing services (e.g., riseup.net).
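To show how the domain patterns and remote-desktop download indicators above can be turned into a SIEM-style check, here is an added example (not Coinbase's own tooling) that scans constructed web-proxy log lines for an assumed organisation name "example"; the log format (timestamp, source IP, method, URL, status) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Hostname templates from the TTP list above; {org} is the organisation name.
LOOKALIKE_TEMPLATES = [
    r"sso-{org}\.com", r"{org}-sso\.com", r"login\.{org}-sso\.com",
    r"dashboard-{org}\.com", r"{org}-dashboard\.com",
]
# Remote-desktop download sites named above (written in normal dotted form here).
REMOTE_DESKTOP_HOSTS = {"anydesk.com", "islonline.com"}


def build_lookalike_patterns(org):
    """Compile the templates for one org; an optional subdomain prefix is allowed."""
    org_re = re.escape(org.lower())
    return [re.compile(r"^(?:.*\.)?" + t.format(org=org_re) + r"$")
            for t in LOOKALIKE_TEMPLATES]


def host_of(url):
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def classify_host(host, patterns):
    """Return an alert label for a hostname, or None if it is not an indicator."""
    if any(p.match(host) for p in patterns):
        return "lookalike-sso-domain"
    if host in REMOTE_DESKTOP_HOSTS or any(host.endswith("." + h) for h in REMOTE_DESKTOP_HOSTS):
        return "remote-desktop-download"
    return None


def scan_proxy_log(lines, org):
    """Yield (timestamp, source_ip, host, label) for every line that hits an indicator."""
    patterns = build_lookalike_patterns(org)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of failing the whole scan
        ts, src_ip, _method, url = parts[:4]
        host = host_of(url)
        label = classify_host(host, patterns)
        if label:
            hits.append((ts, src_ip, host, label))
    return hits


# Constructed sample log: "sso.example.com" is the legitimate SSO host and must not alert.
SAMPLE_LOG = """\
2023-02-05T22:14:03Z 10.20.30.40 GET https://sso-example.com/login 200
2023-02-05T22:14:09Z 10.20.30.40 POST https://sso-example.com/login 302
2023-02-05T22:31:44Z 10.20.30.40 GET https://anydesk.com/en/downloads 200
2023-02-05T22:32:01Z 10.20.30.41 GET https://sso.example.com/ 200
2023-02-05T22:33:15Z 10.20.30.41 GET https://www.example-dashboard.com/app 200
2023-02-05T22:35:00Z 10.20.30.42 GET https://login.example-sso.com/ 200
"""
```

Running `scan_proxy_log(SAMPLE_LOG.splitlines(), "example")` flags five of the six lines; the legitimate `sso.example.com` request is left alone.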

Discussing such situations is never easy. For employees, it is embarrassing; for cybersecurity professionals and management, it is frustrating. It is frustrating for everyone. But as a community, we need to discuss these issues more openly. If you are a Coinbase customer, be skeptical of anyone asking you for personal information. Never share your credentials, never allow anyone to remotely access your personal devices, and enable the strongest authentication methods available. For your Coinbase account, consider using a physical security token to access your account. If you do not trade frequently, consider using our Coinbase Vault solution to provide an extra layer of protection for your assets.

If you are an employee of Coinbase or any other company with an online presence, you will be targeted. Stay vigilant, especially when someone calls or contacts you. A simple best practice is to hang up and seek help using a trusted phone number or company chat technology. Never provide information or login credentials to someone who contacts you for the first time.

If you are a cybersecurity professional, we know that bad actors will always do bad things. But we should also remember that good people can make mistakes, and our best security controls may sometimes fail. Most importantly, we should always be willing to learn and strive to improve. We are all human. This is a constant that (hopefully) will never change.

Stay safe!
