Third-party mass email service SendGrid has been used to attack the Coinbase Bitcoin exchange.
SendGrid is used by 180,000 companies to send 14 billion emails per month, including Uber, Pinterest, Spotify and Foursquare. As such, it offers an easy path to target-rich environments for phishing artists who are able to get hold of an account and send out legitimate-looking mails en masse.
No Bitcoin was stolen from Coinbase, and in a statement, SendGrid downplayed the incident as a bit of a fluke: “From SendGrid’s perspective, this appears to be an isolated attack on one SendGrid customer.”
It’s unclear how the account compromise occurred in this case, but SendGrid also pointed out that it’s not alone in being targeted. “We are aware that users of other Bitcoin related businesses have been targeted this week with phishing attacks via multiple email service providers,” the company said.
However, in March 2014, ChunkHost, a cloud service provider that accepts Bitcoin, called out SendGrid specifically for not having tight enough security policies. It too was targeted by hackers through its SendGrid account: An attacker was able to social-engineer a SendGrid technician over the phone to change the company’s account information, take control of the account, and reset passwords for two ChunkHost clients. It was a bid to steal Bitcoin wallets from those clients, and it too failed because both targets had two-factor authentication enabled.
“The hackers were hoping to borrow legitimacy from SendGrid for their phishing attempts, and doing so at a very large scale,” Jean-Philippe Taggart, senior security researcher at Malwarebytes Labs, told us. “This is proof again that although an old vector, email can still yield good results from an attacker’s perspective.”
The old adage about public health practices is applicable here, according to Mike Lloyd, CTO at RedSeal.
“The watch-word for the SendGrid breach is ‘interdependence,’” he said in an email. “In the online world, we may think we’re dealing with one company, but we’re actually dealing with them and every other company they choose to deal with. This makes an ever-widening attack surface.”
For instance, when a person visits a website, she is also visiting a variety of other organizations that may provide ads, traffic monitoring or any number of other legitimate services.
“One recent study of a popular news site showed that reading a simple news story meant your browser spoke to 38 distinct hosts, spread across no less than 20 different organizational domains,” Lloyd said. “The problem is that this array of services is very large, and a chain is only as strong as its weakest link. Attackers only need to find one weak point to start an attack.”
Considering that Bitcoin is continuing to be an attractive target (they’re easy to move, and untraceable), it would be wise—as it is with every other aspect of online life—to enable tools like two-factor authentication and every other security measure possible.
“Luckily, compromised users [at ChunkHost] were utilizing two-factor authentication, which prevented attackers from stealing the Bitcoins,” Taggart said. “Our digital world, while appearing safe and friendly on the outside, is often very chaotic and dangerous, especially to users who put their entire life and well-being in the metaphorical hands of computer networks.”