[BreachExchange] How a phishing attack thwarted MFA to steal money from Coinbase customers

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 6 16:37:41 EDT 2021


https://www.techrepublic.com/article/how-a-phishing-attack-thwarted-mfa-to-steal-money-from-coinbase-customers/

A flaw in Coinbase's setup of SMS-based MFA allowed attackers to compromise
a large number of accounts.

Security experts keep telling us to use multi-factor authentication
whenever possible to better secure our online accounts and credentials. But
what they don't always stress is that the type of MFA you adopt makes a
difference in whether or not you're truly protected. And that lesson was
hammered home through a recent phishing attack that stole money from
Coinbase customers.

Coinbase is the world's second-largest cryptocurrency exchange service,
holding accounts for around 68 million users from more than 100 countries
around the world.

In a recent blog post and an email to affected customers, the company
revealed that a phishing campaign observed between April and early May 2021
gained unauthorized access to the accounts of at least 6,000 customers. The
attackers were able to move funds from Coinbase to their own accounts, thus
stealing a vast amount of money in the form of cryptocurrency.

Impersonating Coinbase, one of the phishing messages told the user that
someone else may have had access to their account, thus prompting Coinbase
to lock it. To unlock their account, the user needed to pass a security
test. A Coinbase-spoofing phishing page then popped up asking the person to
sign in with their login credentials.

After gaining access to the victim's inbox and Coinbase login credentials, the
attackers in some cases used that access to impersonate the user, obtain an
SMS-based two-factor authentication code and sign in to the person's
Coinbase account. From there, it was a simple matter for the cybercriminal
to scoop up the funds from the victim's account.

To hijack a customer's account, the attackers did need to know the person's
email address, password, and phone number, as well as gain access to their
email inbox. Coinbase said it found no evidence that the attackers got this
information from the company. Rather, phishing attacks were the likeliest
source.

Coinbase added that after it learned of the attack, the company started
working with outside security vendors to remove the domains and websites
used in the phishing campaign. It also alerted the email service providers
most affected by the attack.

In its email to affected customers, Coinbase said it would deposit funds
into their accounts equal to the value of the currency that was stolen. The
company also set up a dedicated phone number—1-844-613-1499—that affected
customers could call with any questions or concerns about the attack.
Further, Coinbase said it would offer free credit monitoring to those who
were affected.

Though the attack worked by tricking users with a phishing message,
Coinbase bears a core level of responsibility.

"As complicated as this hack sounds and is, it is even more astounding how
lax the security protocols were," said Purandar Das, president and
co-founder at encryption-based security provider Sotero. "From letting the
hackers operate for months, letting them steal customers' credentials, to
overriding the MFA, it does not appear that a lot was done right from a
security perspective."

To sign into their Coinbase accounts, customers are prompted to set up a
specific method of two-factor authentication. The choices include an SMS
text message, an authenticator app or a physical security key. But those
who opted for SMS made the wrong choice. In its post, Coinbase admitted to
a flaw in its SMS account recovery process, a flaw that the attackers were
able to exploit to gain access to certain accounts.

Among the various flavors of MFA or 2FA, SMS-based authentication is
considered the least secure and the easiest to thwart. For that reason,
Coinbase is now urging people to adopt one of the other methods.

"Many people choose to use SMS 2FA, because it's linked to a phone number,
rather than to one particular device and is generally the easiest to set up
and to use," Coinbase said. "Unfortunately, that same level of convenience
also makes it easier for persistent attackers to intercept your 2FA codes.
We strongly encourage everyone that currently uses SMS as a secondary
authentication method to upgrade to stronger methods like Google
Authenticator or a security key everywhere it is supported."

Beyond switching to a stronger method of authentication, all Coinbase users
are urged to change their passwords if they haven't already done so.