Targeted phishing attacks, it is often said, can be difficult for even the wariest organisations to defend themselves against.
But how difficult?
This week’s detailed post-incident analysis of a recent, highly targeted attack on cryptocurrency exchange Coinbase by its chief information officer Philip Martin offers a glimpse into how good these attacks can be.
We’ll start with the punchline – Coinbase successfully resisted the attack, something we could already have guessed when the company tweeted the news in June that it had come under attack.
That snippet also mentioned that the attack deployed two Firefox zero-days, something that immediately grabbed the interest of news reporters as well as Firefox, which issued patches for CVE-2019-11707 and CVE-2019-11708 after Coinbase reported their use by cybercriminals.
Fending off an attack using a combination of two zero-days is already unusually challenging but, according to Martin, the sophistication of the attack didn’t stop there.
It seems the campaign began on 30 May when around a dozen Coinbase employees received an email from someone claiming to be Gregory Harris, a Research Grants Administrator at the University of Cambridge.
This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients.
The approach was so convincing that even as more emails were received over a two-week period, “nothing seemed amiss.”
Until 17 June at 6:31am (PT), that is, when a new email tuned up that contained a boobytrapped link designed to launch the zero days in Firefox.
One of the small number of individuals who received this became suspicious, which led to a scan of that computer that turned up signs of malevolent activity.
That one of the zero-days was only possible after a Firefox update on 12 May underlines how quickly attackers can find and “weaponize” vulnerabilities (the fact that researcher Samuel Groß discovered one of the flaws in April was, apparently, coincidence).
The most alarming aspect of this attack is surely in how the attackers were able to communicate with the Coinbase employees they set out to socially engineer, for weeks, without raising any red flags.
This saw the attackers select only five targets to use the zero-day exploit against from the 200 they initially targeted.
The emails looked legitimate, as the attackers appear to have either compromised or created two legitimate University of Cambridge email accounts, cloning elements of the University’s website to build their own phishing domain.
The involvement of zero-day exploits might make this campaign sounds like a phishing outlier.
But it’s likely that other almost-as-good campaigns try the same set of tricks against a huge number of companies. It’s unreasonable to expect defenders to keep out every one of them but it is clearly possible with the right culture to minimise the risk.