Bitstamp, a European bitcoin exchange, suffered a breach on January 4th of this year. According to a breach report apparently prepared for Bitstamp, the breach was a result of a determined adversary and a very typical but rookie mistake on the part of a Bitstamp administrator.
The breach cost Bitstamp 18,997 bitcoins worth a little over $5 million. Just because money is digital does not mean it isn’t attractive to bank robbers. The report is attributed to forensics firm Stroz Friedberg, the Secret Service and the U.K.’s cybercrime unit.
The report said that Bitstamp was the victim of a concerted phishing attack against 6 employees. The phishing emails were highly tailored to each of the employees and showed background knowledge on the part of the attackers, according to the report.
The first target was Bitstamp’s CTO, who was offered free tickets to a punk rock concert (he apparently is into punk). All he had to do was click on this link and download a Word document to get his tickets. The Word document had malicious scripting in it, but it appears that it failed to run for some reason.
Over the next few weeks, several more Bitstamp employees received highly customized targeted emails. One was from a journalist, another from a headhunter — supposedly.
None of these attacks worked, apparently, because none of these employees had credentials that would allow the hacker to get to the master bitcoin wallet.
But then a system administrator – who did have the credentials to the “cookie jar” – received an email purportedly from the Association for Computing Machinery, supposedly offering him a position in the ACM Honor Society. It was sent to his GMail account. He then had several Skype conversations and received – you guessed it – an application form, which he did open. The rest is history. And $5 million later, there is a lesson to be learned.
DO NOT ACCESS GMAIL, SKYPE OR WORD FROM AN ACCOUNT THAT HAS THE KEYS TO THE KINGDOM.
It’s really a pretty simple lesson, and it seems it needs to be learned over and over again.
The problem is that having ONE account to do EVERYTHING a user needs to do makes life easy.
If you want easy, retire. Play golf. Watch TV. Sorry, but protecting your firm’s assets could, possibly, be hard.
This attack did not require the hacker to break into Fort Knox. It did not require the hacker to factor the product of two very large prime numbers (the basis of public key cryptography). All it required was to learn what key employees’ “hot buttons” were and to appeal to them. Then the employees just opened the door and let the hackers in. Oh, yeah, and let the money out.
And don’t use privileged accounts to access GMail. Separation of duties is as old a rule as there is, but people just don’t do it. Because it is not convenient.
Food For Thought.
Source material for this post came from Data Breach Today.