Cryptocurrency exchange Coinbase has described how it was targeted by, and foiled, “a sophisticated, highly targeted, thought out attack” aimed to access its systems and presumably to make off with some of the billions of dollars’-worth of cryptocurrency it holds.
In an Aug. 8 blog post that sets out in technical detail how the plot unfolded and how the exchange countered the attempted theft, Coinbase said the hackers used a combination of means to try and hoodwink staff and access vital systems – methods that included spear phishing, social engineering and browser zero-day exploits.
The attack had started on May 30, with a dozen staff being sent emails that purported to be from Gregory Harris, a Research Grants Administrator at the University of Cambridge. Far from random, these cited the employees’ past histories and requested help with judging projects competing for an award.
Coinbase said:“This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients. Over the next couple weeks, similar emails were received. Nothing seemed amiss.”
The attackers developed email conversations with several staffers, holding back from sending any malicious code until June 17, when “Harris” sent another email, containing a URL that, when opened in Firefox, would install malware capable of taking over someone’s machine.
Coinbase said that, “within a matter of hours, Coinbase Security detected and blocked the attack.”
The first stage of the attack, the post indicates, first identified the OS and browser on the intended victims’ machines, displaying a “convincing error” to macOS users who were not using the Firefox browser, and prompting them to install the latest version of the app.
Once the emailed URL was visited with Firefox, the exploit code was delivered from a different domain, that had been registered on May 28. It w...