Social Engineering “Smishing” Attack on Coinbase

Coinbase and other crypto platforms are frequently targeted by fraudsters. That’s because currency in any form is what cybercriminals are looking to get their hands on. Last week, Coinbase dealt with an interesting social engineering hacking attempt that fortunately did not impact customer data or funds. 

On Feb. 5, several employee mobile phones received SMS messages indicating that they needed to urgently log in via a provided link to receive an important message. While most employees ignored the message, one employee fell for the ploy, clicked the link, and entered their login credentials. After “logging in”, the employee was thanked for complying.

The attacker, now equipped with a legit set of Coinbase employee credentials, attempted to remotely access Coinbase’s system. Thanks to MFA controls, the attacker was prevented from gaining access.

That didn’t stop the attacker.

About 20 minutes later, the same employee received a call from someone impersonating the Coinbase IT department, with a request to log in to their workstation and follow some technical instructions. The employee, at this point, was growing increasingly suspicious and didn’t provide any more sensitive information besides some leaked employee names, e-mail addresses, and phone numbers that had already been provided.

The Coinbase Computer Security Incident Response Team (CSIRT) was on top of this issue within the first 10 minutes of the attack.  

One important lesson from this episode is that even the most cyber-savvy person can be tricked by a crafty, socially engineered attack, because people naturally want to “get along” and “be part of the team,” says Lunglhofer, Coinbase’s CISO. “Under the right circumstances nearly anyone can be a victim,” he wrote.

What To Look Out For

Here’s a list of the attackers’ tactics, techniques, and procedures (TTPs) provided by Coinbase to help enterprises prevent attacks or recognize suspicious login attempts on the corporate system: 

  • Any traffic to suspicious domains imitating SSO (single sign-on) providers. Here are some example patterns, where the asterisk * represents your company name:
    • sso-*.com
    • *-sso.com
    • login.*-sso.com
    • dashboard-*.com
    • *-dashboard.com
  • Any downloads or attempted downloads of the following remote desktop viewers:
    • AnyDesk
    • ISL Online
  • Any attempts to access your organization from a third-party VPN provider, specifically Mullvad VPN.
  • Incoming phone calls/text messages from providers like Google Voice, Skype, and Vonage.
  • Any unexpected attempts to install the EditThisCookie browser extension.
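
The domain patterns in the list above can be checked against DNS or web-proxy logs. The following Python is an added example, not code from Coinbase or the original article; the log format (timestamp, client IP, hostname), the company names `examplecorp` and `example`, and the sample log lines are constructed assumptions.

```python
import re

# Patterns from the list above; "*" stands for the company name.
PATTERNS = ["sso-*.com", "*-sso.com", "login.*-sso.com",
            "dashboard-*.com", "*-dashboard.com"]

# Constructed sample log: "<timestamp> <client IP> <queried hostname>".
SAMPLE_LOG = """\
2000-01-01T18:02:11Z 10.0.4.17 sso.examplecorp.com
2000-01-01T18:03:40Z 10.0.4.17 login.examplecorp-sso.com
2000-01-01T18:04:02Z 10.0.7.9 Dashboard-ExampleCorp.com.
2000-01-01T18:05:19Z 10.0.7.9 notexamplecorp-sso.com
2000-01-01T18:06:55Z 10.0.2.3 cdn.sso-example.com
this line is malformed
"""


def build_matchers(company_names):
    """Compile one regex per (pattern, company name or alias) pair."""
    matchers = []
    for name in company_names:
        for pat in PATTERNS:
            # Escape the literal parts and put the escaped name where "*" was.
            body = re.escape(name.lower()).join(
                re.escape(part) for part in pat.split("*"))
            # Match the domain itself or any subdomain of it, but not a
            # longer label that merely ends with the company name.
            matchers.append((pat, re.compile(r"(?:^|\.)" + body + r"$")))
    return matchers


def scan(log_text, company_names):
    """Return (timestamp, client, host, matched patterns) for each hit."""
    matchers = build_matchers(company_names)
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not fit the assumed format
        ts, client, host = fields
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        hits = sorted({pat for pat, rx in matchers if rx.search(host)})
        if hits:
            alerts.append((ts, client, host, hits))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, ["examplecorp", "example"]):
        print(alert)
```

Pass every spelling of the organization's name that appears in its real hostnames (short name, hyphenated name, brand aliases), since each one is a separate look-alike candidate.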

Stay safe!
