Coinbase Attack Used Social Engineering

Coinbase Social Engineering CampaignCoinbase describes a targeted social engineering attack that led to the theft of some employee data. The attacker first sent smishing messages to several Coinbase employees, urging them to click a link and log in to their Coinbase work account. One employee fell for the attack, and the threat actor then attempted to use the victim’s account to gain access to Coinbase’s internal systems. Fortunately, the company’s security solutions prevented this.

Soon afterwards, however, the attacker called the same employee, claiming to work for the company’s IT department.

“About 20 minutes later our employee’s mobile phone rang,” Coinbase says. “The attacker claimed to be from Coinbase corporate Information Technology (IT) and they needed the employee’s help. Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back and forth between the attacker and an increasingly suspicious employee.”

While the attacker was able to glean some employee information from the attack, Coinbase’s security team detected suspicious behavior and alerted the targeted employee.

“As the conversation progressed, the requests got more and more suspicious,” the company says. “Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers.”

Coinbase concludes that anyone can fall victim to a social engineering attack.

“Humans are social creatures,” the company says. “We want to get along. We want to be part of the team. If you think you can’t be fooled by a well executed social engineering campaign - you are kidding yourself. Under the right circumstances nearly anyone can be a victim. The most difficult attack of all to resist is a direct contact social engineering attack, like the one our employee suffered here. This is where the attacker directly contacts you via social media, your mobile phone, or even worse, walks up to your home or place of business. These attacks aren’t new. In fact, these kinds of attacks have certainly been happening since the early days of humanity. It’s a favorite tactic of adversaries everywhere - because it works.”

This attack illustrates the importance of a defense-in-depth strategy with a combination of technical defenses, security policies, and employee training. New-school security awareness training can teach your employees to follow security best practices so they can thwart social engineering attacks.

Coinbase has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews