In this edition of Max’s Corner Max gets to the bottom of the recent attempt to hack Coinbase and what it means for the industry at large.
Towards the end of this past Spring, a number of people working for Coinbase started receiving emails from Gregory Harris, a research grants administrator from Cambridge University. Harris wanted Coinbase employees to help judge applicants competing for an Economics prize issued by the university. The first emails came in May and a few of the employees that received them responded, and corresponded with Harris about the prize over the course of the following two weeks.
At the start of June, software engineer Robert Heaton received an email from Harris asking for the same thing. The email read:
My name is Gregory Harris. I’m one of the Adam Smith Prize Organizers.
Each year we update the team of independent specialists who could assess the quality of the competing projects: http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize
Our colleagues have recommended you as an experienced specialist in this field.
We need your assistance in evaluating several projects for Adam Smith Prize.
Looking forward to receiving your reply.
Best regards, Gregory Harris
In a blog post, Heaton says that he was initially flattered by the email. He is a young programmer who, while fairly accomplished for his age, has not really done anything meriting recognition from Cambridge University as an expert in his field. On some level, Heaton says, he felt that there had been a slip-up and the email had perhaps been sent to the wrong person.
Trying to put the pieces together, Heaton started with some basic security checks. The email he got was sent from a legitimate @cam.ac.uk email address. The link in the email read: http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. By appearance alone, the link checked out: it pointed to the same URL that its text claimed, on a real Cambridge domain. Heaton noticed that the page was hosted in grh37’s personal directory rather than on a site belonging to the university’s economics department, but he chalked this up to a more streamlined system of electronic communication on the part of the university.
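The checks Heaton ran by hand (does the link text match the real target, is the host actually under the institution’s domain, is the page served from a personal directory, is it plain http) can be scripted. The code below is an added example, not from this post or from Heaton’s blog; it assumes cam.ac.uk is the domain the sender claims to represent and feeds it a constructed HTML email body.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institutional domain the sender claims to write from.
TRUSTED_DOMAINS = ("cam.ac.uk",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_link(href, text):
    """Return the warnings one link raises under the four checks described above."""
    warnings, target = [], urlparse(href)
    host = (target.hostname or "").lower()
    # 1. The visible text names a URL, but it is not where the href really goes.
    if text.startswith(("http://", "https://")) and urlparse(text).hostname != host:
        warnings.append("visible URL differs from actual href")
    # 2. The host must be the trusted domain itself or a subdomain of it
    #    (a plain endswith() would accept lookalikes such as notcam.ac.uk).
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        warnings.append("host is not under a trusted domain")
    # 3. Heuristic: a first path segment that looks like a user id (e.g. grh37
    #    or ~user) means a personal page rather than a departmental site.
    first = target.path.strip("/").split("/")[0]
    if first.startswith("~") or (first.isalnum() and any(c.isdigit() for c in first)):
        warnings.append("hosted in a personal user directory")
    # 4. No TLS: the page content can be altered or observed in transit.
    if target.scheme != "https":
        warnings.append("link is not https")
    return warnings


def audit_email(html):
    """Map every link in the email body to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: audit_link(href, text) for href, text in parser.links}
```

An empty warning list does not prove a link is safe; the exercise only surfaces the oddities (like the personal directory) that deserve a second look before clicking.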
Heaton followed the link to read up on the Adam Smith Prize, which, as it turns out, consists of two prizes awarded to the best performers on the Part IIB Economics Tripos exams given by Cambridge. The prize, established in 1891 in honor of the Scottish writer and economist of the same name, has a storied history and has been granted to a list of distinguished people, including John Maynard Keynes.
Next Heaton tried to find more information about the administrator that had sent him the email. Searching for Gregory Harris on Google didn’t give him much save a LinkedIn account that seemed to check out. Satisfied that he was dealing with a real Cambridge representative, Heaton responded to the email saying he was interested and asked for more information about what his involvement would require and who recommended him.
Harris responded promptly to the email, writing that Heaton had been recommended by San Francisco State University and that he would be given the descriptions of several projects and the criteria with which to assess them. Heaton wrote back asking if there wasn’t some confusion and the university really meant for the email to be sent to someone else as he had never studied or practised economics before. Harris responded saying that Heaton may be right, and that he would figure out what happened and get back to Heaton.
Harris never got back to Heaton, and Heaton might have forgotten about the whole episode if, some time later, Coinbase hadn’t sent him an email warning that his address was on a list of targets of a phishing attack that had also tried to trick the exchange.
Like Heaton, the Coinbase employees had been convinced enough by the emails to click the links in them and respond to Harris. The links actually led to a site that served malware which, if the page was opened in Firefox, could escape the browser’s sandbox and take over the user’s computer. The emails were part of an orchestrated effort to exploit “zero-day” vulnerabilities discovered in Firefox.
Luckily for the exchange, its security team was able to detect the malware and defuse the situation before the hackers were able to get to any of its funds. However, this attack could have resulted in a loss worth billions of dollars.
To the people involved, this attack was a step above the usual hacker affair. “Zero-day” vulnerabilities are generally not easy to either detect or acquire. Phillip Martin, Coinbase’s chief information security officer, was taken aback by how much the attack would have cost the attackers. “Browser zero-days in general are not cheap,” Martin told MIT’s Technology Review, and even after you have found one it takes a gifted hacker to exploit it. Martin believes that the attack cost anywhere from $500,000 to $1,000,000.
The first vulnerability that the hackers used had been discovered independently of their efforts by Google’s Project Zero, which concerns itself specifically with detecting these kinds of security risks. The second one stems from a change made to Firefox’s codebase on May 12, which means that the hackers found it and launched their attack in short order. Since the detection of the malware, Mozilla has issued patches that fix both flaws.
Still, the effort that went into the hack is impressive, especially on the human resources end. Gregory Harris was a made-up administrator with a fairly convincing online profile, and his correspondence with both the exchange employees and Heaton (in addition to everyone else they reached that we don’t know about yet) was consistent and sustained.
Martin believes that the people responsible for this attack belong to a collective of cyber criminals called HYDSEVEN that has allegedly been attacking crypto exchanges all over the world since 2016. While the estimated cost of the attack is certainly hefty, the potential reward of such attacks is astronomical. Experts estimate that through similar hacking efforts North Korea has been able to steal upwards of a billion dollars’ worth of cryptocurrency.
Unfortunately there is not much that can be done to prevent these kinds of attacks beyond what is already being done now. Coinbase was lucky to detect it when it did, as the effects could have been disastrous had the hackers succeeded. Google’s division working to discover vulnerabilities like these should be applauded, as should the Coinbase security team for responding in time.
Part of our work at Bytecoin is trying to advance the security protections available to users of cryptocurrencies. While we combat efforts by outside parties to violate user privacy and steal user funds, not much can be done when attackers trick users into downloading malware. In this space you always have to keep your head on a swivel. If something on the internet or in an email seems, as Heaton suspected, even just a little unmerited, chances are you are being tested. Use the tools you have to keep safe, and be smart. Share this article with your friends so they too are on the lookout for this kind of thing. Thanks for reading.