Coinbase Was Targeted By Phishers over the Weekend — This is What Happened


Created 1yr ago, last updated 1yr ago

The U.S. crypto exchange described a minor but sophisticated phishing attack. A year ago, something similar led to crypto's biggest-ever hack of Web3 gaming firm Sky Mavis' Ronin bridge.



Coinbase has revealed details of a successful but relatively minor phishing attack, in which an employee responded to a text message with a link asking them to log in to their account to receive an important message.

What happened next was a case study of a relatively sophisticated phishing attack foiled by good IT security. But, it's also a reminder of just what can happen when one person is a little incautious — whether with an employer's system or their own digital wallet.

The attack got nothing more than some employee contact information. And yet, a year ago, North Korean hackers used very similar techniques to gain control of the Ronin Network bridge, allowing them to drain some $625 million worth of play-to-earn game Axie Infinity users' funds.

While the attack on gaming firm Sky Mavis was orders of magnitude larger, the bones of the two attacks show more than a few similarities, and show why it can happen to anyone.

In the Ronin hack, the infamous Lazarus Group used spear phishing — targeting a senior engineer — and social engineering via a very sophisticated recruitment offer sent through LinkedIn.

That led to a series of in-depth interviews and a generous job offer, delivered as a PDF that infected his computer with malware. That gave the hackers control of four of the nine Ronin blockchain validators. On March 23, after getting a fifth another way, they took control and drained 173,600 ETH and 25.5 million USDC stablecoins.

A Small Crack

The Coinbase employee was the only one of several staff targeted who responded to the Sunday IM, but that was all it took. And it could have been worse, said Coinbase chief information security officer Jeff Lunglhofer in a blog post.

When the Coinbase employee logged in, they were told to ignore the message as the issue had been resolved.

But the hacker now had a legitimate employee's username and password. When they weren't able to log in directly — Coinbase requires multi-factor authentication — the sophisticated phisher took it a step further and called the employee's mobile phone, claiming to be from IT.

After agreeing to help, the employee was run through a number of steps that made them increasingly suspicious. In the meantime, however, the hacker was given access to some minor employee data, consisting of names, phone numbers and email addresses, but not customer data.

By that time, Lunglhofer said, Coinbase's automated IT security system had noticed the unusual activity and alerted the exchange's live IT security team, which reached out to the employee via Coinbase's internal messaging system. The phone call ended there.
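The sequence above (password accepted, MFA refused, then MFA passing after a phone call, then employee data pulled) is exactly the kind of pattern an automated system can flag before a human ever notices. The following is an added illustration, not Coinbase's code and not a description of its actual system: a small Python detection rule run over a constructed authentication log. The log format, the event names (PASSWORD_OK, MFA_FAIL, MFA_OK, DIRECTORY_EXPORT), the sample IP addresses and the per-user list of familiar IPs are all assumptions made up for the example.

```python
"""Toy detection rule for the "right password, wrong second factor" signal.

Added example, not Coinbase's code. The log format below is an assumption:
    <ISO-8601 UTC timestamp> <EVENT> user=<name> ip=<addr> [extra fields]
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log: "alice" is phished, "bob" is a normal login.
SAMPLE_LOG = """\
2023-02-05T09:12:01Z PASSWORD_OK user=alice ip=203.0.113.7
2023-02-05T09:12:09Z MFA_FAIL user=alice ip=203.0.113.7
2023-02-05T09:12:40Z MFA_FAIL user=alice ip=203.0.113.7
2023-02-05T09:30:00Z PASSWORD_OK user=bob ip=198.51.100.2
2023-02-05T09:30:05Z MFA_OK user=bob ip=198.51.100.2
2023-02-05T09:41:12Z PASSWORD_OK user=alice ip=203.0.113.7
2023-02-05T09:41:30Z MFA_OK user=alice ip=203.0.113.7
2023-02-05T09:45:00Z DIRECTORY_EXPORT user=alice ip=203.0.113.7 rows=120
"""

# Constructed baseline of IPs each user normally logs in from (assumption).
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.2"}}

# Events that touch data an attacker would want once logged in (assumption).
SENSITIVE_EVENTS = {"DIRECTORY_EXPORT"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)"
)


def parse_log(text):
    """Parse the assumed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_ips, window=timedelta(hours=1)):
    """One alert per password login from an unfamiliar IP that was followed by
    MFA failures; severity escalates if MFA later passes from that same IP and
    again if sensitive data is touched afterwards."""
    alerts = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["event"] != "PASSWORD_OK" or login["ip"] in known_ips.get(user, set()):
                continue
            # Only later events from the same user and IP inside the window count.
            later = [x for x in evs[i + 1:]
                     if x["ip"] == login["ip"] and x["ts"] - login["ts"] <= window]
            fails = [x for x in later if x["event"] == "MFA_FAIL"]
            if not fails:
                continue
            alert = {"user": user, "ip": login["ip"], "first_seen": login["ts"],
                     "severity": "medium",
                     "stages": ["password_ok_unfamiliar_ip", "mfa_failed"]}
            # MFA passing after failures from the same unfamiliar IP is the
            # tell-tale of a user being talked through the prompt in real time.
            mfa_ok = [x for x in later
                      if x["event"] == "MFA_OK" and x["ts"] > fails[-1]["ts"]]
            if mfa_ok:
                alert["severity"] = "high"
                alert["stages"].append("mfa_passed_after_failures")
                if any(x["event"] in SENSITIVE_EVENTS and x["ts"] > mfa_ok[0]["ts"]
                       for x in later):
                    alert["severity"] = "critical"
                    alert["stages"].append("sensitive_access")
            alerts.append(alert)
    return alerts


def run_sample():
    """Run the rule over the constructed log; returns the alert list."""
    return detect(parse_log(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"].upper(), a["user"], a["ip"], "->", ", ".join(a["stages"]))
```

The point of the rule is that the "medium" alert already fires at the moment the page describes the attacker being stopped by MFA: a correct password from a new location followed by a failed second factor means the password itself should be treated as burned and the user contacted through a trusted channel, before any phone call can talk them through the prompt. The later stages only exist to escalate if that contact does not happen in time.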

No harm, no foul, and an instructive example, particularly because you don't have a Computer Security Incident Response Team watching your personal wallet, or most likely your own corporate IT system, the way Coinbase has one watching theirs.

It Can Happen to You

Most notably, Lunglhofer said, the key lesson is that anyone can be socially engineered. He pointed out:

"Humans are social creatures. We want to get along. We want to be part of the team. If you think you can't be fooled by a well executed social engineering campaign — you are kidding yourself. Under the right circumstances nearly anyone can be a victim ... It's a favorite tactic of adversaries everywhere — because it works."

Other lessons include never engaging with someone who calls or messages you unprompted. Instead, hang up or log off and, if the problem could be real, go back in through the company's official phone system or web portal, Lunglhofer warned.

"Situations like this are never easy to talk about," he said. "They are embarrassing for the employee, they are frustrating for cybersecurity professionals, and they are frustrating for management. They are just frustrating for everyone. But as a community we need to be more open about issues like this." He added:

"Be suspicious of anyone asking for your personal information. Never share your credentials, never allow anyone to remotely access your personal devices, and enable the strongest form of authentication available to you… [and] consider switching to a physical security token for access to your account."