Coinbase was the Target in SendGrid Compromise
For the second time in two years, SendGrid was compromised for the specific purpose of targeting a Bitcoin company. This time, the target was the exchange Coinbase, whose customers received an e-mail this week that said:
We’re happy to announce a new product – Coinbase Invest Fund, reliable platform for small and medium scale investments. Fund assets are diversified among emerging Forex positions at Coinbase Exchange. Deposits are risk-free insured by institutions such as the New York Stock Exchange.
Want to become a professional investor? Our first short-term investment program starts today – GET 150% FOR A 10-DAY DEPOSIT.
Investment offer is active from 20th of April 12:00 AM Pacific until 30th of April. Coinbase offers you a fixed return with a 50% growth for a 10 day period. You can deposit today from $100. Maximum deposit amount per one person or legal entity is 60 Bitcoins. That’s an astonishing opportunity to earn up to $8,500 per 10 days!
Investors who want to apply, please make a deposit to
1LLkNuQQ2GkS5DmQzsTxCmErUH8ew6dnDi or click the link below
Once a payment is made you will get an e-mail about successful participation. Please note: Initial deposit amounts exceeding +30 Bitcoins will qualify your membership for a 2nd level upgrade.
We will return your initial deposit with dividends on 1st of May, 2015 12:00 AM Pacific Time. (for example: investing 10 Bitcoins today will return 15 Bitcoins in a 10 day period) Profits are withdrawn without any delay and Coinbase waives all fees for 1st level investments.
Hurry up! This is a limited, one-time opportunity.
Kind regards, The Coinbase Invest Fund Team
Many Users Affected
Several Coinbase users reported the suspicious e-mail to the Bitcoin subreddit, noting that it was signed by Coinbase servers. Coinbase later confirmed that their SendGrid account had been compromised. SendGrid is a larger version of MailChimp, which manages e-mail relations for organizations.
The Bitcoin address varied from customer to customer, making it seem that the attack was spear-phishing attack was well-planned and thoroughly executed. Coinbase told 1the New York Times1 that no Bitcoin were stolen, but that much would seem obvious. It’s not as if Coinbase’s servers were hacked. The question is how many customers fell for the scam, and whether Coinbase will take responsibility and compensate them for the lost coins. After all, customers had legitimate to believe these e-mails were real – they bored the DKIM signatures of CoinBase, the same ones used to sign other e-mails sent to them in the past.
SendGrid’s Security Measures Part of the Problem
Last year, ChunkHost had a similar compromise on its mailing list when a hacker was able to socially engineer a password change of its account with SendGrid. “The oldest trick in the book,” going back to Kevin Mitnick days, it would seem, was still able to break SendGrid’s security as of 2014. ChunkHost is a Bitcoin-accepting VPN, and in that case, the attackers were specifically trying to take over the accounts of some Bitcoin websites who use ChunkHost.
From the ChunkHost blog:
A few weeks ago, we had received a transcript of a chat with Sendgrid tech support that was clearly someone trying to social engineer access to our account. Though Sendgrid didn’t fall for that attempt, we alerted them to the probing and asked them to please make sure that future social engineering attempts wouldn’t work. They replied [with a note about their security policy] and set our minds at ease. […] However, it turns out that the policy was ignored this weekend, and someone managed to convince Sendgrid over the phone to change the email address on the account. We got an email from them, but by that point it was already too late. The hacker had logged into Sendgrid and taken control. […] Sendgrid has a feature that allows you to BCC every outgoing message to a separate email address. Once they activated that feature, they initiated password resets on the two accounts they were after, both of which are Bitcoin-related. […] The password reset email was indeed delivered to our customer, but also BCC’d to the attacker. With the password reset link, they could change the password and access our customers’ accounts.
Luckily, the attack was unsuccessful, as ChunkHost caught it while in progress. But here again, SendGrid’s loose security practices were to blame.
It seems that paid third-parties can sometimes be the fatal flaw in security models, and companies like Coinbase and ChunkHost might be better off doing these services in-house.
Images from Shutterstock.