
The security team at cryptocurrency exchange Coinbase has revealed how it countered a sophisticated phishing attack aiming to exfiltrate private keys and passwords.
In a blog post published on Aug. 8, the exchange outlined its discovery and reporting of the incident, which involved the exploitation of two 0-day vulnerabilities on Mozilla’s web browser Firefox.
A “highly-targeted and thought-out” attack
The first steps of the phishing scam, Coinbase reveals, date back to late May of this year, when over a dozen exchange employees received an email from an innocuous-seeming University of Cambridge “Research Grants Administrator.” Coming from a legitimate Cambridge academic domain, the email — and similar subsequent emails — passed security filters undetected.
The emails’ tactics changed, however, by mid-June: this time, the correspondence contained a URL that, when opened in Firefox, could install malware on the recipient’s machine.
Coinbase notes that within hours of this email being received, it had detected the attack and was cooperating with other organizations to counter it. At the time of the incident, the exchange emphasized that it had found no evidence of the campaign targeting Coinbase customers.
Over 200 individuals in total, across several — unnamed — organizations other than Coinbase, were eventually found to have been targeted.
Key takeaways
Coinbase notes the attackers bided their time, sending multiple legitimate-seeming emails from compromised academic accounts, all of which referenced real academic events and were closely tailored to the specific profiles of the phishing targets. Only after these rounds of correspondence did they attempt to infect just 2.5% of targets with the URL hosting the 0-day.

Coinbase’s security response timeline. Source: Coinbase Blog
The exchange reveals that as soon as both an employee and automated alerts flagged the suspicious mid-June email, its response team moved quickly to counter the threat, capturing the 0-day from the phishing site while it was still live, an approach intended to keep the response out of the attackers’ view. The blog post adds:
“We also revoked all credentials that were on the machine, and locked all the accounts belonging to the affected employee. Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack.”
Mozilla, for its part, patched one of the two vulnerabilities by the next day, and the second within that same week.
Last month, Cointelegraph reported on the arrest of an Israeli citizen who allegedly stole $1.7 billion worth of cryptocurrency via a phishing campaign targeted at European users.
Source: CoinTelegraph

