Cold wallet is not safe anymore. What can we do now?

CloudMosa, Inc.
Aug 27, 2022

A recent phishing attack on Trezor wallet users after the Mailchimp breach

On April 3, 2022, users of Trezor, a hardware cryptocurrency wallet, were sent sophisticated phishing emails urging them to install malicious software on their local devices, with the intention of removing crypto funds from user wallets. The user email data had been leaked to bad actors in a previous breach, on March 26, 2022, at Mailchimp, a third-party marketing communication provider of which Trezor has been a client. This two-step phishing attack, aimed at cryptocurrency and other finance companies, relies mainly on precise social engineering, which traditional cloud security solutions cannot effectively prevent. The incident, however, presents a good use case for Puffin’s secure browsers and isolation technology.

The Phishing Attack

Mailchimp is one of the largest email marketing firms in the U.S., with more than 300 billion emails sent out on behalf of its customers in 2020 [1]. Its business model requires the company to store sensitive customer data and to allow employees access to that data. Bad actors first obtained the access credentials of 4 Mailchimp employees, through which they were able to export information on 319 Mailchimp clients. The breached data includes an unknown amount of customer IP addresses, email addresses, and locations from 102 of the 319 Mailchimp clients.

The attackers then identified customers of companies in the cryptocurrency and finance industry, such as Trezor, and sent them sophisticated phishing emails (see Exhibit 1) claiming that a new version of the desktop application was available for download or that a data breach had happened. When a customer downloaded the malicious application from the phishing email, attackers were able to gain IAM access to the user wallet and thereafter remove crypto assets.

[1] Mailchimp annual report, https://mailchimp.com/annual-report/mailchimp-hq/

Figure 1. MailChimp and Trezor Attack Summary

CloudMosa and Puffin Secure Browser

Founded in 2009 by Dr. Shioupyn Shen, an ex-Googler and a visionary pioneer in the tech industry specializing in moonshot projects, CloudMosa began its journey with a desire to create the ultimate browser, one that delivers unparalleled security, speed, and efficiency through cloud isolation technology. One of CloudMosa’s key offerings is Puffin Secure Browser (“the Browser”), which runs client-facing web browser sessions on CloudMosa’s proprietary Puffin Cloud Avatar Technology. Puffin Secure Browser has gathered over 150 million downloads to date.

Unlike traditional web browsers, which typically serve as a standard web client, Puffin users interact only with the cloud-based Puffin Cloud Avatar, which serves as both a client to the public web and a server to the individual users. When Puffin Browser users engage in HTTP requests and responses, Avatar isolates unwanted behaviors in between: Avatar renders HTML web content into PostScript vector graphics. Since viruses in HTML can’t survive in PostScript, Puffin Secure Browser achieves the holy grail of Internet security, the ability to block zero-day viruses through isolation technology (Exhibit 2). Puffin Secure Browser is the highest-performance browser ever, thanks to Puffin’s cloud data centers with massive computing power and Internet bandwidth. Web content can be rendered on Puffin servers in a split second and displayed on Puffin clients with huge data savings.

Figure 2. How Puffin Secure Browser works

Puffin Browser in Preventing Attacks

In the case of the recent Mailchimp and Trezor attacks, Puffin Secure Browser presents itself as an alternative solution for defending against social engineering and sophisticated phishing attempts where traditional security solutions have limitations. Mailchimp was exposed in this attack because bad actors were able to infiltrate the company’s database remotely with stolen employee IAM credentials, which could be mitigated if internal access to the database were properly isolated by Puffin Cloud Avatar. Even in a case where attackers obtain employee credentials, malicious attempts to send viruses via HTTP requests to the backend will be stopped at the Puffin server.

Companies with needs similar to Mailchimp’s can also combine Puffin’s isolation technology with making Puffin Secure Browser the default for all internal traffic, so that unwanted software cannot execute. A successful example is that Puffin currently secures a leading crypto exchange in Taiwan with 100% isolation from web attacks. The exchange deploys Puffin on top of its existing Fortinet next-generation firewall and enforces a secured web browsing zone for its customer support team, which also ensures compliance with user privacy protection requirements.

The emerging cryptocurrency industry is another space where Puffin’s isolation technology thrives. Although Trezor cannot require all of its retail customers to use a cloud-based browser, it can still enhance its crypto wallet security by introducing the Puffin Isolation Layer for its internal-facing, data-protected traffic. Crypto wallet providers can apply Puffin’s enterprise solution to build an isolation zone in front of their wallet servers, ensuring that no ill-intended applications can reach the backend. Puffin Secure Browser should be recommended to security-driven users for any hot wallet access, where web content is always subject to potential attacks.

Exhibit 1 Sample Phishing Emails to Trezor Customers

Exhibit 2 Puffin Cloud Isolation Technology
