Coinbase discloses its own case: how attackers broke through layer by layer with social engineering

Compilation | GaryMa Wu on Blockchain

Original link:

https://www.coinbase.com/blog/social-engineering-a-coinbase-case-study

Overview

Coinbase recently experienced a cyber attack targeting one of its employees. Fortunately, Coinbase's security controls prevented the attacker from gaining direct access to its systems; no funds were lost and no customer information was leaked. Only a limited amount of data from Coinbase's company directory was exposed. Coinbase believes in transparency and wants its employees, customers and the wider community to understand the details of this attack, including the tactics, techniques and procedures (TTPs) the attacker used, so that everyone can better protect themselves.

Coinbase's customers and employees are frequent targets for scammers. The reason is simple: money in any form, cryptocurrency included, attracts cybercriminals, so it is easy to see why so many attackers keep looking for a quick way to profit.

Dealing with such a large number of attackers and cybersecurity challenges is one of the reasons why I think Coinbase is an interesting workplace. In this article, we will discuss an actual cyber attack and related cybersecurity events that we recently handled at Coinbase. Although I’m pleased to say that in this case, no customer funds or customer information were affected, there are valuable lessons to be learned. At Coinbase, we believe in transparency. By openly discussing such security issues, I believe we can make the entire community safer and more security-conscious.

Our story begins on the evening of Sunday, February 5, 2023. Several employees' phones received SMS alerts telling them to log in urgently through a link in the message in order to receive important information. Most people ignored the unsolicited message, but one employee believed it was legitimate, clicked the link and entered their username and password. After "logging in", the employee was told to disregard the message and thanked for complying.

The attacker then used the legitimate Coinbase employee's username and password to attempt remote access to Coinbase several times. Fortunately, our security controls were prepared: the attacker could not supply the required multi-factor authentication (MFA) credential and was blocked. In many cases that would be the end of the story, but this was no ordinary attacker. We believe this individual is associated with a highly persistent and sophisticated campaign that has been targeting many companies since last year.

Approximately 20 minutes later, the employee's phone rang. The caller claimed to be from Coinbase's IT department and to need the employee's help. Believing they were speaking with a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the caller's instructions. This started a back-and-forth in which the requests grew more suspicious and the employee grew more wary. Fortunately, no funds were taken and no customer information was accessed or viewed. However, some limited employee contact information was obtained, including employee names, email addresses and some phone numbers.

Fortunately, our Computer Security Incident Response Team (CSIRT) identified the problem within the first 10 minutes of the attack: our security information and event management (SIEM) system alerted us to the unusual activity. Shortly afterwards, our incident responders contacted the victim through Coinbase's internal messaging system to ask about the unusual behaviour and usage patterns on their account. As soon as the employee realised there was a serious problem, all communication with the attacker was terminated.

Our CSIRT promptly revoked all of the affected employee's access and launched a full investigation. Because of our layered controls, there was no financial loss and no leak of customer information. The clean-up was relatively quick, but there are still many lessons to be learned.

Anyone can fall victim to social engineering attacks

Humans are social creatures. We want harmonious relationships and we want to be part of a team. If you think a well-planned social engineering attack could never fool you, you are fooling yourself. Under the right circumstances, almost anyone can become a victim.

The hardest attacks to resist are direct-contact social engineering attacks, like the one our employee experienced here. Attackers reach you directly over social media or by phone, or, worse, by walking into your home or workplace. These attacks are not new; they have been practised throughout human history. Attackers favour them because they work.

So what can we do? How do we prevent this from happening?

I would like to say it is simply a training problem: customers, employees and everyone else need better training and need to do better. There is always some truth in that. But as cybersecurity professionals, we cannot use it as an excuse every time this happens. Research has shown repeatedly that everyone can eventually be deceived, no matter how vigilant, skilled or prepared they are. We must start from the premise that bad things can happen, and keep innovating to blunt the effectiveness of these attacks while improving the overall experience for our customers and employees.

Can you share some tactics, techniques and procedures (TTPs)?

Of course. Given that this attacker is targeting a wide range of companies, we want everyone to know what we know. Here are some specific things we recommend you look for in your enterprise log management or security information and event management (SIEM) system:

Any web traffic to the following domains, where * stands for your company or organisation name:

● sso-*.com

● *-sso.com

● login.*-sso.com

● dashboard-*.com

● *-dashboard.com

Any download or attempted download of the following remote desktop tools:

● AnyDesk (anydesk dot com)

● ISL Online (islonline dot com)

Any attempt to access your organisation through a third-party consumer VPN provider, especially Mullvad VPN.

Incoming calls or SMS messages from the following providers:

● Google Voice

● Skype

● Vonage / Nexmo

● Bandwidth dot com

Any attempt to install the following browser extension:

● EditThisCookie

As a network defender, you should expect to see stolen credentials, cookies or other session tokens used in login attempts against enterprise applications from VPN services such as Mullvad. You may also see attempts to enumerate customer-support-oriented applications, such as customer relationship management (CRM) tools or employee directory applications, and text data being copied out to free text- or file-sharing services such as riseup.net.
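The indicator list above and the expected-behaviour paragraph are the kind of thing that turns into a SIEM search or a scheduled triage script. The following is an added example, not Coinbase's code, showing how a defender might run those indicators over event logs. It assumes events arrive as JSON lines with the fields used in the constructed sample (`ts`, `user`, `event`, `host`, `egress`, `outcome`, `name`); those field names and the organisation name `examplecorp` are assumptions, and the VPN check assumes your proxy or identity provider enriches logins with the egress provider's name. It goes slightly beyond the list in one respect: lookalike domains are matched on the registrable domain (last two labels), so any prefixed form such as the post's `login.*-sso.com` hits the same entry, while a legitimate subdomain like `sso.examplecorp.com` does not. It also correlates per user, flagging anyone whose lookalike visit is followed by a consumer-VPN login or a remote-desktop download, which is the password-then-MFA-then-phone-call sequence the narrative describes.

```python
import json
from collections import defaultdict

ORG = "examplecorp"  # assumption: the organisation name that stands in for '*'


def lookalike_domains(org):
    """Registrable lookalike domains from the indicator list, with '*' bound to org."""
    return {
        f"sso-{org}.com", f"{org}-sso.com",
        f"dashboard-{org}.com", f"{org}-dashboard.com",
    }


REMOTE_DESKTOP = {"anydesk.com", "islonline.com"}
VPN_PROVIDERS = {"mullvad"}           # provider name as enriched by your proxy/IdP (assumption)
COOKIE_EXTENSIONS = {"editthiscookie"}
DUMP_SITES = {"riseup.net"}


def registrable_domain(host):
    """'login.examplecorp-sso.com' -> 'examplecorp-sso.com' (two-label approximation, fine for .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(event, org=ORG):
    """Map one event to (stage, reason), or None if it matches no indicator.

    Stages follow the incident narrative: phish (credential capture page),
    access (login attempt from a VPN), tooling (remote control / cookie export), exfil.
    """
    kind = event.get("event")
    dom = registrable_domain(event["host"]) if event.get("host") else ""
    if kind == "web" and dom in lookalike_domains(org):
        return ("phish", f"visit to lookalike SSO/dashboard domain {event['host']}")
    if kind == "auth" and event.get("egress", "").lower() in VPN_PROVIDERS:
        return ("access", f"login via consumer VPN {event['egress']} (outcome={event.get('outcome')})")
    if kind == "download" and dom in REMOTE_DESKTOP:
        return ("tooling", f"remote-desktop client download from {event['host']}")
    if kind == "extension" and event.get("name", "").lower() in COOKIE_EXTENSIONS:
        return ("tooling", f"cookie-export extension installed: {event['name']}")
    if kind == "upload" and dom in DUMP_SITES:
        return ("exfil", f"text/file upload to {event['host']}")
    return None


def triage(jsonl, org=ORG):
    """Return (findings, chained_users).

    findings: [(ts, user, stage, reason)] for every event that matches an indicator.
    chained_users: users with a 'phish' hit followed in time by an 'access' or
    'tooling' hit, i.e. stolen password then MFA probe / remote-access attempt.
    """
    findings, stages = [], defaultdict(list)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hit = classify(ev, org)
        if hit:
            stage, reason = hit
            findings.append((ev["ts"], ev["user"], stage, reason))
            stages[ev["user"]].append((ev["ts"], stage))
    chained = set()
    for user, seq in stages.items():
        seq.sort()  # ISO 8601 UTC timestamps sort lexicographically
        first_phish = next((ts for ts, s in seq if s == "phish"), None)
        if first_phish and any(s in ("access", "tooling") and ts > first_phish for ts, s in seq):
            chained.add(user)
    return findings, chained


# Constructed sample telemetry, not real logs; timestamps loosely follow the
# Sunday 5 Feb 2023 evening timeline. alice is phished, bob is ordinary traffic.
SAMPLE_EVENTS = """\
{"ts":"2023-02-05T19:02:11Z","user":"alice","event":"web","host":"login.examplecorp-sso.com"}
{"ts":"2023-02-05T19:02:30Z","user":"alice","event":"web","host":"sso.examplecorp.com"}
{"ts":"2023-02-05T19:09:44Z","user":"alice","event":"auth","app":"vpn","egress":"Mullvad","outcome":"mfa_failed"}
{"ts":"2023-02-05T19:31:05Z","user":"alice","event":"download","host":"download.anydesk.com"}
{"ts":"2023-02-05T19:40:12Z","user":"alice","event":"extension","name":"EditThisCookie"}
{"ts":"2023-02-05T19:41:00Z","user":"bob","event":"web","host":"www.examplecorp.com"}
{"ts":"2023-02-05T19:45:00Z","user":"bob","event":"auth","app":"okta","egress":"Comcast","outcome":"success"}
"""

if __name__ == "__main__":
    findings, chained = triage(SAMPLE_EVENTS)
    for ts, user, stage, reason in findings:
        print(f"{ts} {user:6} [{stage}] {reason}")
    print("users showing the phish -> access/tooling chain:", sorted(chained))
```

Running it flags four of alice's events (the lookalike visit, the Mullvad login that failed MFA, the AnyDesk download and the EditThisCookie install) and none of bob's, and reports alice as the one user whose hits form the full chain. The single-event hits are worth alerting on individually, but the per-user chain is what deserves the immediate outreach the post describes: a failed-MFA login from a consumer VPN minutes after a lookalike-domain visit is the attacker holding a freshly phished password, and the remote-desktop download that follows is the phone call succeeding.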

These situations are never easy to talk about. They are embarrassing for the employee, frustrating for security professionals and management, and frustrating for everyone. But as a community we need to discuss them more openly. If you are a Coinbase customer, be sceptical of anyone who asks you for personal information. Never share your credentials, never let anyone remotely access your personal devices, and enable the strongest form of authentication available. For your Coinbase account, consider using a physical security key to sign in. If you do not trade frequently, consider Coinbase Vault for an additional layer of protection for your assets.

If you are an employee of Coinbase or of any other company with an online presence, you will be targeted. Stay vigilant, especially when someone calls or contacts you unexpectedly. A simple best practice is to hang up and call back on a trusted phone number, or verify through your company's chat tool. Never hand over information or login credentials to someone who has contacted you for the first time.

If you are a cybersecurity professional, we know that bad actors will always do bad things. But remember too that good people make mistakes, and even our best security controls can sometimes fail. Most importantly, we should always be willing to learn and strive to do better. We are all human; that is a constant that (hopefully) will never change.

Stay safe!
