Coinbase’s security team has revealed that it managed to stop a complex phishing attack that sought to extract user private keys and passwords.
According to the blog post, the first steps of this phishing attack started in late-May this year. In the beginning, more than 12 employees of the exchange received an email claiming to be from Gregory Isaacs, a Research Grants Administrator of the University of Cambridge.
The email came from a real Cambridge University UK domain and passed the security filters undetected. Within a couple of weeks, the employees received more emails, which easily passed security checks as they did not have any malicious content.
However, the attackers soon changed their tactics. On June 17, the employees received another email. Unlike the emails that came before it, this email contained a URL. Upon opening the URL with the Firefox browser, it installed a malware on the recipient’s computer.
The San Francisco based exchange details that the hackers used compromised academic accounts to send emails.
The initial emails referenced legitimate academic events. Also, the hackers customized them to fit specific profiles of phishing targets. The June 17 move attempted to infect only 2.5 percent of the targets with the URL that hosted the 0-day.
Coinbase claims that its system and one of its employees flagged the email as suspicious. The exchange’s security team then worked quickly to stop the threat.
With one employee ending up clicking the sent URL. At that point the exchange says:
“we revoked all credentials that were on the machine, and locked all the accounts belonging to the affected employee.”
Although the firm does not divulge lots of details on how they stopped the phishing attack, afterward, Mozilla fixed one of the vulnerabilities in the following day and dealt with the other one in the same week.