The email address of Sam Lee, co-founder of Bitcoins Reserve, was made public by accident, allowing an attacker to send him an infected message that stole company computer credentials.
Lee’s contact details, along with those of others interested in an auction of 30,000 bitcoins confiscated from the Silk Road black marketplace, were recently leaked by the U.S. Marshals Service by mistake.
The hacker posed as a journalist requesting an interview to lure Lee into opening a bogus Google Doc. Lee believed the file contained interview questions.
By clicking on a link to the document, Lee unwittingly unleashed a malicious program that grabbed access to his email account and other passwords.
The attacker pried into company emails through that one opening.
“They couldn’t gain direct access to Bitcoins Reserve’s bitcoins, Lee says, because it’s handled by a security expert ‘and they’re all locked down,’” StartupSmart reports. “Instead they sent an email from Lee’s email address, purporting to be him, to the company’s chief technology officer, requesting that 100 bitcoins be sent to a specific bitcoin address.”
The CTO requested to speak over the phone with the individual claiming to be Lee to confirm it was indeed him.
The attacker consented, but said the call would have to be later that afternoon since he was busy.
In an unfortunate coincidence, Lee actually was busy on the morning of the attack, and unable to answer his mobile, which made the attacker’s claims more credible.
The CTO called other fund executives who authorized the transaction, under the mistaken impression they were fulfilling an internal client withdrawal request.
“Is it the U.S. Marshals’ fault that the attack occurred? Absolutely! Is it their fault that we lost some Bitcoins? No,” Lee tells StartupSmart. “I’m glad it’s happened sooner rather than later, as it’s made us aware of our vulnerabilities.”