The security team at cryptocurrency exchange Coinbase has revealed how it countered a sophisticated phishing attack aiming to exfiltrate private keys and passwords.
In a blog post published on Aug. 8, the exchange outlined how it discovered and reported the incident, which involved the exploitation of two 0-day vulnerabilities in Mozilla’s Firefox web browser.
A “highly-targeted and thought-out” attack
The first steps of the phishing scam, Coinbase reveals, date back to late May of this year, when over a dozen exchange employees received an email from an innocuous-seeming University of Cambridge “Research Grants Administrator.” Coming from a legitimate Cambridge academic domain, the email — and similar subsequent emails — passed security filters undetected.
The emails’ tactics changed, however, by mid-June: this time, the correspondence contained a URL that, when opened in Firefox, could install malware on the recipient’s machine.
Coinbase notes that within hours of this email being received, it had detected the attack and was cooperating with other organizations to counter it. At the time of the incident, the exchange emphasized that it had found no evidence of the campaign targeting Coinbase customers.
Over 200 individuals in total, across several — unnamed — organizations other than Coinbase, were eventually found to have been targeted.
Key takeaways
Coinbase notes the attackers bided their time, sending multiple legitimate-seeming emails from compromised academic accounts, all of which referenced real academic events and were closely tailored to the specific profiles of the phishing targets. Only after these rounds of correspondence did they attempt to infect a mere 2.5% of targets with the URL hosting the 0-day.
Coinbase’s security response timeline. Source: Coinbase Blog
The exchange reveals that as soon as both an employee and automated alerts flagged the suspicious mid-June email, its response team moved quickly to counter the threat, capturing the 0-day exploit from the phishing site while it was still live so that the response would not draw the attackers’ attention. The blog post adds:
“We also revoked all credentials that were on the machine, and locked all the accounts belonging to the affected employee. Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack.”
Mozilla, for its part, patched one of the two vulnerabilities by the next day, and the second within that same week.
Last month, Cointelegraph reported on the arrest of an Israeli citizen who allegedly stole $1.7 billion worth of cryptocurrency via a phishing campaign targeted at European users.