Coinbase Crypto Exchange Caught in ‘Oktapus’ Related Smishing Attack

Threat actors targeted employees at cryptocurrency exchange Coinbase in a smear attack that exposed a “limited amount” of personal employee data, after attackers bypassed multi-factor authentication (MFA) to gain direct access to the company’s system.

Coinbase outlined the attack — which the company believes is linked to the previously identified Oktapus campaign that targeted several Okta employees with malicious SMS messages — in a recent blog post, which provided an in-depth, step-by-step account of how it unfolded, escalated, and was finally thwarted without major breach.

One of the employees who was targeted responded to an attacker’s SMS and gave up credentials to the corporate system; the person then received a follow-up phone call attempting to gain access after initial attempts to log in were blocked by Foreign Ministry security. Coinbase’s Computer Security Incident Response Team (CSIRT) responded within 10 minutes of the attack to shut it down, preventing a far more serious incident, the company said.

The situation once again shows how human error remains a key factor in the success of cyber attacks, and the risk that increasingly sophisticated social engineering campaigns pose to the enterprise, Jeff Lunglhofer, Coinbase’s CISO, noted in the blog post.

Although “situations like this are never easy to talk about,” Coinbase disclosed and detailed the attack in the interest of transparency, as well as to help other organizations understand the potential risks of smishing to protect themselves against similar incidents, he said.

“They’re embarrassing for the employee, they’re frustrating for cybersecurity professionals, and they’re frustrating for management,” Lunglhofer wrote. “But as a society we need to be more open about issues like this.”

What happened in the Coinbase cyber attack

Coinbase is a cryptocurrency exchange with more than 1,200 employees worldwide and more than 108 million verified users, making it an attractive target for financially motivated threat actors, Lunglhofer said.

The recent attack occurred on Sunday, February 5, when the cellphones of several Coinbase employees received text messages indicating that they needed to “urgently log in” to their Coinbase accounts via a link “to receive an important message,” according to the Post.

While most of the targeted employees ignored the message, one did not, clicking the link and ultimately giving the threat actors their username and password. Attackers then proceeded to log into the Coinbase system using legitimate employee credentials, but were unable to provide the correct MFA credentials and were thus blocked from access.

While many attacks would stop here, this one did not, most likely because the attacker “is associated with a very persistent and sophisticated attack campaign that has been targeting many companies since last year,” Lunglhofer wrote. The Okta attack, dubbed Oktapus by the researchers at Group-IB who discovered it, resulted in the compromise of 9,931,000 accounts of more than 130 organizations.

Twenty minutes after the first text message, the compromised employee’s phone rang. On the line was the attacker, who claimed to be from Coinbase corporate IT and needed the employee’s help. The employee once again believed the request to be legitimate and followed the attacker’s instructions, logging into the Coinbase system and responding to what became increasingly suspicious requests from the attacker.

The employee’s actions provided “some limited contact information” for Coinbase employees — including names, email addresses and some phone numbers — but did not expose any customer information or other sensitive data, nor did the attackers have the ability to steal Coinbase crypto, the company said.

Ultimately, Coinbase’s CSIRT intervened and reached out to the smishing victim to inquire about unusual behavior and usage patterns related to their account, and the employee terminated communications with the attacker, he wrote. The CSIRT subsequently suspended the employee’s account access and launched an investigation.

Why “Smishing” Attacks Are Successful

In this case, the cleanup after the attack was “relatively quick,” Lunglhofer said. However, the incident provides useful hints as to why sophisticated, socially engineered phishing attacks continue to be so successful, even though they have been occurring since the rise of the mainstream Internet, and the fact that there is widespread awareness of them.

An important point to note is that even the most cyber-savvy person can be fooled by a clever, socially engineered attack due to the natural tendency of humans to want to “get along” and “be part of the team,” noted Pulmonary lobes. “Under the right circumstances, almost anyone can become a victim,” he wrote.

In fact, research shows that the human factor is still one of the main reasons why data breaches occur. This means that using the excuse that successful phishing scams are just a “training issue” for employees is a cop-out, and organizations need to put in place a proactive cyber defense system that can act quickly in the event of employee compromise, Lunglhofer wrote.

Coinbase provided a list of attacker tactics, techniques and procedures (TTP) to help businesses prevent attacks or recognize suspicious login attempts on their corporate system. In particular, login attempts to enterprise applications from third-party VPN services should be flagged as suspicious, as they may use stolen credentials, cookies or other session tokens, Lunglhofer observed.