Coinbase, the US crypto exchange, announced that on February 5, an employee of the exchange was attacked by hackers. Fortunately, Coinbase’s security system detected the abnormality in time and notified the security team. Therefore, this network attack only resulted in the leakage of the names, email addresses, and a small number of phone numbers of some employees, and no customer data was leaked in the attack.
It is worth noting that the hacker not only used phishing, but also used social engineering to obtain the personal information of Coinbase employees in advance and then called to deceive them.
Initially, the hacker sent a message to several targeted Coinbase employees, telling them to log in to their company accounts to check important messages. One employee clicked on the hacker’s link and entered their account and password on the phishing website.
After successfully logging in, the phishing website displayed a prompt stating that the employee could ignore the message and thanked them for complying with the rules.
Next, the hacker repeatedly attempted to remotely access Coinbase using the account and password, but Coinbase employee accounts are verified with 2FA, so it was not possible to log in without the 2FA verification code.
The hacker did not give up in the face of this situation, but instead directly called and pretended to be an employee of Coinbase’s IT team, asking the employee to log in to their account and follow the hacker’s instructions. As the hacker’s demands increased, the employee became increasingly suspicious of the situation. Eventually, Coinbase’s real security team intervened, found the employee, and cut off all of the hacker’s access.
Coinbase did not disclose what the hacker wanted the employee to do, but Coinbase reminded other companies to be vigilant against employees being installed with remote control software such as AnyDesk or ISL Online, and to be vigilant against the installation of the Chrome extension EditThisCookie.
EditThisCookie is a legitimate extension, and it is speculated that the hacker wants the victim to install the extension, log in to their account, and then send the cookie to the hacker so that they can log in to the account without the need for the account and password.
However, Coinbase did not disclose why some data leaked if the hacker did not log in to the account, and it may be that Coinbase is referring to the fact that some employees’ information was already leaked before the attack occurred.