Breach Response , Data Breach , Fraud

Bitcoin Exchange Hacked With Word Macro

$5 Million Bitstamp Breach Detailed in Unconfirmed Report
Bitcoin Exchange Hacked With Word Macro

Memo to organizations: Do not allow PCs that run software such as Skype and Microsoft Office to connect to a server that hosts your bitcoin wallet.

See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics

That's one takeaway from a breach report apparently prepared for Bitstamp, a European bitcoin exchange - the company is officially registered in the United Kingdom - that suffered a Jan. 4 breach. The breach resulted in the theft of 18,977 bitcoins, which at the time were worth 4.4 million euros, or $5.3 million (see Bitstamp Back Online After Breach).

Bitstamp did not immediately respond to a request to verify the authenticity of the apparently leaked breach report, dated Feb. 20, which is now circulating online. The report, which is attributed to Bitstamp general counsel George Frost, says that it includes information gathered by digital forensics investigations firm Stroz Friedberg, plus information shared by the U.S. Secret Service and FBI, as well as the "U.K.'s cybercrime unit," which likely means either the National Crime Agency or the City of London Police, which runs the country's largest police fraud squad.

"This is an active investigation," the February report says. "We believe we have identified at least one of the hackers and are baiting a 'honey trap' to lure him into the U.K. in order to make an arrest. Moreover, we need to be very careful not to educate other criminal hackers about how we safeguard our assets and information." To date, however, U.K. police agencies have not announced any related arrests.

A copy of the purported Bitstamp report was first posted July 1 to Reddit by a single-purpose account. It was later added to a dedicated Bitstamp Incident Report site hosted by WordPress.

The report says that Bitstamp was compromised by a phishing attack that targeted six different employees. "All of the phishing messages were highly tailored to the victim, and showed a significant degree of background knowledge on the part of the attacker," the report says. And the attacks continued until the attacker successfully compromised a systems administrator's PC with malware. Crucially, that sysadm had access credentials for Bitstamp's Internet-connected bitcoin repository, or what's known as a "hot wallet."

Targeted Phishing Attack

The attack began with a phishing message, dated Nov. 4, which purported to offer Bitstamp CTO Damian Merlak free tickets to a punk-rock festival, the report says. "Merlak was contacted by Skype account punk.rock.holiday. ... The gambit for this phishing attack was to offer Mr. Merlak free tickets to Punk Rock Holiday 2015. (Merlak is keen on punk rock and has played in a band.)"

The attacker then sent Merlak a "participant form" named "Punk Rock Holiday 2015 TICKET Form1.doc" which included a malicious script written in the Visual Basic for Applications - or VBA - programming language, the report says. When the document was opened in Microsoft Word, the script was designed to execute, and pull a malicious file down to the PC from an external IP address. But the report says that there was no indication that this script ever executed.

The attacker, however, continued to demonstrate "persistent effort," the report says. "Over a period of approximately five weeks, four more Bitstamp employees received similar highly targeted phishing attacks, each tailored to individual interests." For one of those attacks, the hacker posed as a journalist, and in another, a headhunter.

None of those attacks appeared to result in stolen bitcoins, the report notes, in part because none of the targets had access to crucial credentials. But on Dec. 9, systems administrator Luka Kodric - who had access to Bitstamp's hot wallet - received a phishing email to his Gmail account that was spoofed to appear as if it had come from an employee at the Association for Computing Machinery, even though it arrived via the Tor anonymizing network, the report says. Via follow-up discussions over Skype, the supposed ACM employee told Kodric that the association wanted to add him to its international honor society, and sent him an application form, which the report says he opened on Dec. 11, thus compromising his PC. By late December, the attacker appeared to have installed a remote-access Trojan on Kodric's system, accessed Bitstamp's hot wallet, and copied the bitcoin wallet file and passphrase, both of which would have given the attacker direct access to the stored bitcoins.

"On 4 January, the attacker drained the Bitstamp wallet, as evidenced on the blockchain," the report says, referring to the public ledger of all bitcoin transactions. "Although the maximum content of this wallet was 5,000 bitcoins at any one time, the attacker was able to steal over 18,000 bitcoins throughout the day as further deposits were made by customers."

Why Hackers Like Social Engineering

If the report is true, Bitstamp is hardly the first organization that was socially engineered - tricked - in part by attackers who used email or Skype (see Syrian Rebels Hacked Via Skype).

But security experts say this hack attack demonstrates the importance of locking down any system that stores sensitive or valuable information, in the event that employees do get tricked. "The hardest problem in computer security is not putting server credentials on the machine you use to check email," cryptographer Matthew Green, a professor at John Hopkins University, says via Twitter.

The attack also shows how hackers need not bother with advanced attacks, when simple ones will suffice. Indeed, as highlighted on Twitter by the operational security expert known as the Grugq, this concerted phishing campaign, backed by relatively simple malicious macro code, netted one or more attackers millions of dollars. But the Grugq notes that the attack might have been blocked, had Bitstamp protected its servers using two-factor authentication, and ensured that no system that ran email or VoIP software such as Skype could connect to one of the exchange's hot wallets.

Lessons Learned

After the bitcoin theft, the incident report notes that unlike other hacked exchanges such as Mt. Gox, Bitstamp was saved from going under in part because it stored so many of its bitcoins offline, in cold wallets (see Second Bitcoin Exchange Halts Operations).

In the wake of the breach, the incident report notes that Bitstamp quickly hired a forensics investigation team, commissioned a security review, and opted to rebuild the exchange from the ground up. "We have paid out approximately $250,000 to programmers hired to rebuild and improve our platform; paid approximately $250,000 (and counting) to the Stroz Friedberg team; and at least $150,000 more for various security reviews, and legal and financial advice," the report says. "These out of pocket costs are continuing to accrue."

Just six weeks after the bitcoins were stolen, the company had already made a number of security-related changes, the report says. Those included numerous "obvious" fixes such as implementing email and Internet screening software from FireEye, requiring multi-factor authentication to access Bitstamp's hot wallet, ensuring that "any manager's laptop with access to bitcoin deposits or sensitive customer information is highly restricted, and 'single purpose,' i.e. it does not also have capabilities to receive email, engage in Skype calls, or cruise the Internet." The report adds that the firm also planned to acquire insurance for all bitcoin payments, and was working with a technology company called Xapo to better secure its cold wallets by splitting the wallets' addresses into multiple pieces and storing them at a number of secret locations around the world.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network