Coinbase Claims to Have Prevented a Phishing Attack Seeking to Steal Private Keys and Passwords
Coinbase’s security team has disclosed that it stopped a sophisticated phishing attack that sought to extract user private keys and passwords. The firm revealed the incident in a blog post on August 8. Reportedly, the attack exploited two 0-day vulnerabilities in the Mozilla Firefox browser.

According to the blog post, the first steps of this phishing attack began in late May this year. Initially, more than 12 employees of the exchange received an email claiming to be from Gregory Isaacs, a Research Grants Administrator at the University of Cambridge.

The email came from a genuine Cambridge academic domain and passed the exchange’s security filters undetected. Over the next several weeks, the employees received further emails, which also passed security checks easily because they carried no malicious content.

However, the attackers soon changed tactics. On June 17, the employees received another email. Unlike the emails before it, this one contained a URL. When a recipient opened the URL in the Firefox browser, the page installed malware on the recipient’s computer.

Stopping the Attack

Per Coinbase, the attackers took their sweet time mapping out the attempted attack. The San Francisco-based exchange details that the hackers used compromised academic accounts to send the emails.

The initial emails referenced legitimate academic events, and the hackers customized them to fit the specific profiles of the phishing targets. The June 17 email attempted to infect only 2.5 percent of the targets with the URL that hosted the 0-day.

Coinbase claims that its systems and one of its employees flagged the email as suspicious. The exchange’s security team then moved quickly to stop the threat. Reportedly, the team captured the 0-day from the phishing site while it was still live. In doing so, the exchange managed to conceal its response from the attackers.

The exchange added,

We also revoked all credentials that were on the machine, and locked all the accounts belonging to the affected employee. Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack.

Afterward, Mozilla fixed one of the vulnerabilities the following day and dealt with the other within the same week.

This news comes after a report revealed that authorities had arrested an Israeli man who purportedly stole $1.7 billion worth of crypto via a phishing campaign. The suspect reportedly set up a network of scam sites and stole crypto using malware.

Do you think the current security systems in crypto exchanges are capable of stopping attacks before hackers can steal user funds? Let us know in the comments below.