Saturday, 4 July 2015

Bitcoin Exchange Hacked

Memo to organizations: Do not allow PCs that run software such as Skype and Microsoft Office to connect to a server that hosts your bitcoin wallet.

That's one takeaway from a breach report apparently prepared for Bitstamp, a European bitcoin exchange - the company is officially registered in the United Kingdom - that suffered a Jan. 4 breach. The breach resulted in the theft of 18,977 bitcoins, which at the time were worth 4.4 million euros, or $5.3 million (see Bitstamp Back Online After Breach).

Bitstamp did not immediately respond to a request to verify the authenticity of the apparently leaked breach report, dated Feb. 20, which is now circulating online. The report, which is attributed to Bitstamp general counsel George Frost, says that it includes information gathered by digital forensics investigations firm Stroz Friedberg, plus information shared by the U.S. Secret Service and FBI, as well as the "U.K.'s cybercrime unit," which likely means the National Crime Agency.

"This is an active investigation," the February report says. "We believe we have identified at least one of the hackers and are baiting a 'honey trap' to lure him into the U.K. in order to make an arrest. Moreover, we need to be very careful not to educate other criminal hackers about how we safeguard our assets and information." To date, however, U.K. police agencies have not announced any related arrests.

A copy of the purported Bitstamp report was first posted July 1 to Reddit by a single-purpose account. It was later added to a dedicated Bitstamp Incident Report site hosted by WordPress.

The report says that Bitstamp was compromised by a phishing attack that targeted six different employees. "All of the phishing messages were highly tailored to the victim, and showed a significant degree of background knowledge on the part of the attacker," the report says. And the attacks continued until the attacker successfully compromised a systems administrator's PC with malware. Crucially, that sysadmin had access credentials for Bitstamp's Internet-connected bitcoin repository, or what's known as a "hot wallet."

Targeted Phishing Attack

The attack began with a phishing message, dated Nov. 4, which purported to offer Bitstamp CTO Damian Merlak free tickets to a punk-rock festival, the report says. "Merlak was contacted by Skype account punk.rock.holiday. ... The gambit for this phishing attack was to offer Mr. Merlak free tickets to Punk Rock Holiday 2015. (Merlak is keen on punk rock and has played in a band.)"

The attacker then sent Merlak a "participant form" named "Punk Rock Holiday 2015 TICKET Form1.doc" which included a malicious script written in the Visual Basic for Applications - or VBA - programming language, the report says. When the document was opened in Microsoft Word, the script was designed to execute and pull a malicious file down to the PC from an external IP address. But the report says that there was no indication that this script ever executed.
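Two defensive checks follow directly from the report: a macro downloader shows up as an Office process opening a connection to an address outside the organization, and the memo at the top of this article amounts to a rule that only designated administrative hosts may reach the wallet server. The script below, an added example that is not part of the report or of any Bitstamp tooling, runs both checks over a handful of constructed Sysmon-style network-connection records. The log format, host names, addresses, the internal network ranges and the wallet allow-list are all assumptions made for the example.

```python
"""Detection over constructed network-connection records (example code).

Rule 1: an Office application (Word/Excel/PowerPoint) opening an outbound
        connection to an address outside the organization's networks, the
        behaviour of a macro that pulls a payload from an external IP.
Rule 2: a connection to the wallet server from a host that is not on the
        administrative allow-list, i.e. a workstation that also runs
        Skype/Office talking to the hot-wallet host.

Every host, address and range below is constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed records: timestamp, source host, process image, destination.
SAMPLE_LOG = """\
2015-11-04T10:12:01 host=cto-laptop image=C:\\Program Files\\Skype\\Skype.exe dst=203.0.113.5 dport=443
2015-11-04T10:14:22 host=cto-laptop image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE dst=198.51.100.77 dport=80
2015-11-04T10:14:25 host=cto-laptop image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE dst=10.0.0.15 dport=445
2015-12-09T16:40:03 host=sysadmin-pc image=C:\\Windows\\System32\\OpenSSH\\ssh.exe dst=10.0.5.10 dport=22
2015-12-09T16:41:10 host=admin-jump image=C:\\Windows\\System32\\OpenSSH\\ssh.exe dst=10.0.5.10 dport=22
2015-12-09T16:42:00 host=hr-desktop image=C:\\Program Files\\Microsoft Office\\EXCEL.EXE dst=192.168.1.20 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Office binaries whose outbound traffic to the outside is suspicious.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed internal address space of the organization (constructed).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Assumed wallet server and the only hosts allowed to reach it (constructed).
WALLET_SERVER = ipaddress.ip_address("10.0.5.10")
WALLET_ALLOWED_HOSTS = {"admin-jump"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one record into its fields; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return m.groupdict()


def is_office_process(image: str) -> bool:
    """Compare the image basename case-insensitively (Windows paths)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in OFFICE_IMAGES


def is_external(ip: ipaddress.IPv4Address) -> bool:
    """External means outside every internal range we administer."""
    return not any(ip in net for net in INTERNAL_NETWORKS)


def office_external_egress(rec: Dict[str, str]) -> bool:
    return is_office_process(rec["image"]) and is_external(ipaddress.ip_address(rec["dst"]))


def wallet_from_unapproved_host(rec: Dict[str, str]) -> bool:
    return (ipaddress.ip_address(rec["dst"]) == WALLET_SERVER
            and rec["host"] not in WALLET_ALLOWED_HOSTS)


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert dict per record that trips either rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if office_external_egress(rec):
            alerts.append({"rule": "office-external-egress", "ts": rec["ts"],
                           "host": rec["host"], "dst": rec["dst"]})
        if wallet_from_unapproved_host(rec):
            alerts.append({"rule": "wallet-unapproved-source", "ts": rec["ts"],
                           "host": rec["host"], "dst": rec["dst"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed records this raises exactly two alerts: WINWORD.EXE on cto-laptop reaching an external address, and sysadmin-pc (not on the allow-list) connecting to the wallet server. The Skype connection is not flagged because only Office images are in scope for rule 1, and the jump host's SSH session to the wallet server passes rule 2. An explicit list of internal ranges is used rather than the library's is_private/is_global flags, because those flags also treat the documentation ranges used in the sample as non-global and would hide the very event the rule is meant to catch.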

The attacker, however, continued to demonstrate "persistent effort," the report says. "Over a period of approximately five weeks, four more Bitstamp employees received similar highly targeted phishing attacks, each tailored to individual interests." For one of those attacks, the hacker posed as a journalist, and in another, a headhunter.
