The security team at cryptocurrency exchange Coinbase has revealed how it countered a sophisticated phishing attack aiming to exfiltrate private keys and passwords.
In a blog post published on Aug. 8, the exchange outlined its discovery and reporting of the incident, which involved the exploitation of two 0-day vulnerabilities in Mozilla’s Firefox web browser.
The first steps of the phishing scam, Coinbase reveals, date back to late May of this year, when over a dozen exchange employees received an email from an innocuous-seeming University of Cambridge “Research Grants Administrator.” Coming from a legitimate Cambridge academic domain, the email — and similar subsequent emails — passed security filters undetected.
The emails’ tactics changed, however, by mid-June: this time, the correspondence contained a URL that, when opened in Firefox, could install malware on the recipient’s machine.
Coinbase notes that within hours of this email being received, it had detected the attack and was cooperating with other organizations to counter it. At the time of the incident, the exchange emphasized that it had found no evidence of the campaign targeting Coinbase customers.
Over 200 individuals in total, across several — unnamed — organizations other than Coinbase, were eventually found to have been targeted.
Coinbase notes the attackers bided their time, sending multiple legitimate-seeming emails from compromised academic accounts, all of which referenced real academic events and were closely tailored to the specific profiles of the phishing targets. Only after these rounds of correspondence did they attempt to infect targets with the URL hosting the 0-day, and they sent it to just 2.5% of them.
The exchange reveals that as soon as both an employee and automated alerts flagged the suspicious mid-June email, its response team moved quickly to counter the threat, capturing the 0-day from the phishing site while it was still live and doing so in a way intended to keep the response from drawing the attackers’ attention. The blog post adds:
“We also revoked all credentials that were on the machine, and locked all the accounts belonging to the affected employee. Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack.”
Mozilla, for its part, patched one of the two vulnerabilities by the next day, and the second within that same week.