A sneaky cyber attack has recently surfaced with the aim of deceiving Coinbase employees through fake SMS alerts.
Coinbase is one of the most popular cryptocurrency exchanges on the market today, with over 100 million verified users worldwide.
The attacker targeted several Coinbase engineers on Sunday, February 5, with SMS alerts prompting them to log into their corporate accounts to read an important message.
In the next phase, the attacker attempted to log into Coinbase’s internal systems using the stolen credentials but failed because access was protected by multi-factor authentication (MFA).
About twenty minutes later, the attacker changed his approach. He called the employee pretending to be Coinbase’s IT specialist and told him to log into his computer and follow specific instructions.
The company shared the following activity for defenders to watch for:
- Any web traffic from the company's technology assets to specific addresses, including sso-*.com, *-sso.com, login.*-sso.com, dashboard-*.com, and *-dashboard.com
- Any downloads or attempted downloads of specific remote desktop viewers, including AnyDesk (anydesk[.]com) and ISL Online (islonline[.]com)
- Any attempts to access the organization from a third-party VPN provider, specifically Mullvad VPN
- Incoming phone calls/text messages from specific providers, including Google Voice, Skype, Vonage/Nexmo, and Bandwidth
- Any unexpected attempts to install specific browser extensions
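
As an added illustration (not code from Coinbase or from this article), the first two items in the list can be turned into a check over web proxy logs. The log format, asset names, hostnames and allowlist entry below are constructed assumptions, and `*` is read as a wildcard within a single DNS label.

```python
import re
from urllib.parse import urlsplit

# Patterns from the list above ("*" = wildcard inside one DNS label), most specific first.
LOOKALIKE_GLOBS = ["login.*-sso.com", "sso-*.com", "*-sso.com",
                   "dashboard-*.com", "*-dashboard.com"]
REMOTE_TOOL_DOMAINS = ["anydesk.com", "islonline.com"]  # viewers named in the list
ALLOWLIST = {"login.example-sso.com"}  # assumption: the organisation's own real hosts
# "*" becomes [a-z0-9-]+ so it cannot span a dot; (?:^|\.) lets subdomains match too.
LOOKALIKE_RES = [(g, re.compile(r"(?:^|\.)" + re.escape(g).replace(r"\*", "[a-z0-9-]+") + "$"))
                 for g in LOOKALIKE_GLOBS]

def normalize_host(target):
    # Accept a URL or a bare host[:port]; drop port, trailing dot and case.
    if not re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        target = "//" + target
    return (urlsplit(target).hostname or "").rstrip(".").lower()

def classify(target):
    """Return (category, matched_rule), or None when the host is not of interest."""
    host = normalize_host(target)
    if not host or host in ALLOWLIST:
        return None
    for d in REMOTE_TOOL_DOMAINS:
        if host == d or host.endswith("." + d):
            return ("remote-desktop-download", d)
    for glob, rx in LOOKALIKE_RES:
        if rx.search(host):
            return ("lookalike-sso-domain", glob)
    return None

# Constructed proxy log lines (timestamp, asset, method, target); not real data.
SAMPLE_LOG = """\
2024-01-01T18:02:11Z wks-0142 GET https://login.examp1e-sso.com/auth
2024-01-01T18:02:40Z wks-0142 GET https://login.example-sso.com/auth
2024-01-01T18:25:03Z wks-0142 GET https://download.AnyDesk.com/installer
2024-01-01T18:26:10Z wks-0077 CONNECT sso-example.com.:443
2024-01-01T18:27:55Z wks-0077 GET https://sso-x.com.example.net/sso-guide.com
"""

def scan(log_text):
    """Return (asset, host, category, rule) for every flagged log line."""
    rows = (line.split() for line in log_text.splitlines())
    return [(r[1], normalize_host(r[3]), *v) for r in rows
            if len(r) == 4 and (v := classify(r[3]))]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching is done on the parsed hostname only, so a pattern that appears in a URL path or as a non-terminal label (the last sample line) is not flagged.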