Hackers planted malware in StatCounter to steal bitcoin from Gate.io account holders, according to ESET researcher Matthieu Faou, who discovered the compromise.
The malicious code was added to the tracking script served from the StatCounter site last weekend, ESET said Tuesday.
The malicious code hijacks bitcoin transactions made through the web interface of the Gate.io cryptocurrency exchange. It does not activate unless the page's URL contains the path “myaccount / remove / BTC”.
The malicious code can silently replace any bitcoin address the user enters on the page with an address controlled by the attacker. Security experts consider this breach serious because a large number of websites load the StatCounter tracking script.
Limited purpose, broad potential
The attack also matters because it shows growing sophistication among hackers in the tools and methods used to steal cryptocurrency, said George Waller, CEO of BlockSafe Technologies.
Although this form of hijacking is not a new phenomenon, the way the code was inserted was.
The growth of the cryptocurrency market and of the emerging asset class has led hackers to invest in devising stronger methods of theft. The malware used is nothing new, but the delivery method is.
“Since early 2017, cryptocurrency exchanges have suffered more than US$882 million stolen through targeted attacks on at least 14 trading funds. This trick adds one more to the list,” Waller told theinfovalley.
In this case, the attackers chose to target users of Gate.io, a major cryptocurrency exchange, ESET's Faou said. When a user submitted a bitcoin transfer, the attacker replaced the destination address in real time with an address under his control.
The attackers were able to attack Gate.io by compromising a third party, a tactic known as a “supply chain attack”. They could have reached many more websites, Faou said.
“We identified different government websites using StatCounter. Therefore, this means that the attackers have targeted many interesting people,” he said.
Gate.io customers who initiated bitcoin transactions during the attack are the most exposed to this breach. The malware hijacked the site user's legitimate permissions to change the destination address of bitcoin transfers, according to Paige Boshell, managing member of Privacy Counsel.
As a general rule, webmasters should keep the number of third-party scripts such as StatCounter to a minimum, since each one is a possible attack vector. For exchanges, additional confirmation of withdrawals would have been useful in this case, since the exploit involved thieves swapping the user's bitcoin address.
“Gate.io has removed StatCounter, so this specific attack should be closed,” Boshell told theinfovalley.
The extent of the loss and fraud exposure resulting from this breach is not yet quantifiable. The attackers used different addresses for the bitcoin transfers, Boshell added, noting that the attack could have been carried out wherever StatCounter is in use.
Protection Strategies Not Foolproof
StatCounter needs to improve control over its own code and constantly verify that only authorized code is running on its network, suggested Joshua Marpet, COO of Red Lion. However, most users will not realize that it was StatCounter that made the mistake.
“Gate.io will get the blame, and anything could happen: business loss, bank management, and even closing its doors,” he told theinfovalley.
Checking the code is not always a feasible prevention plan. In this case, the malicious code resembled Gate.io's own user manuals, Boshell of Privacy Counsel noted.
“It was not easy to detect with the fraud-protection and malware-detection tools that Gate.io used,” she said.
Network administrators have little role to play in this type of attack, since the malicious code executes on the user's workstation or laptop rather than on the web server, according to Brian Chappell, senior director of enterprise architecture and solutions at BeyondTrust. The attack also provides no mechanism for gaining control of the system.
“In essence, a lot of stars had to align to make this a significant risk,” he told TechNewsWorld. “Effective management of vulnerabilities and privileges naturally limits the consequences of a break-in.”
That is one direction administrators should look in. There is nothing they can do to control the initial attack, assuming the targeted websites are approved sites within their organization, Chappell said.
Even a well-secured website can be compromised through a third party's compromised script, ESET's Faou said.
One strategy is to look for scripts that replace one bitcoin address with another, said Clay Collins, CEO of Nomics.
Using analytics services with a good security reputation is part of it, he told TechNewsWorld.
“People with ad blockers/script blockers were not vulnerable,” Collins said.
More good practices
Traffic analysis, website scanning and code auditing are some of the tools that could have revealed abnormal transactions and traffic, said Fausto Oliveira, chief security architect at OKselect. However, preventing the attack in the first place would have been ideal.
“If Gate.io customers had needed an application that required strong out-of-band authentication above a certain amount, or when a transaction was addressed to an unknown recipient, then customers would have had the opportunity to block the transaction and get an idea that something bad was going on,” Oliveira told theinfovalley.
Script-blocking add-ons such as NoScript and uBlock/uMatrix can put a certain amount of personal control in the hands of the website user. They make surfing the web more challenging, said Raymond Zenkich, COO of BlockRe.
“But you can see which code is loaded on a site and turn it off if it's not needed,” he told theinfovalley.
“Web developers should stop placing third-party scripts on sensitive pages and stop exposing their users in order to make advertising, metrics, etc. money,” Zenkich said.
Watch out for anything from third parties
As a rule, webmasters should minimize the number of third-party scripts, said Seth Hornby, co-founder of Zenchain, because each one is a possible attack vector.
“For exchanges, additional confirmation of withdrawals would also be beneficial in this case, because the exploit involved the bitcoin address being swapped by the thieves,” he told theinfovalley.
Even outsourcing to third-party solutions can open the door to cybercriminals, said Zhang Jian, founder of FCoin.
“Many companies in the cryptocurrency space rely on external companies for different tasks and assignments. Spreading out this outsourcing means a loss of accountability. This puts many companies in a difficult position, unable to detect attacks of this nature until it's too late,” he told theinfovalley.
Instead, network administrators should work on building internal versions of the tools and products from start to finish, Jian suggested, so that control of these security measures stays in their own hands.
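The withdrawal step-up that Oliveira and Hornby describe, as an added illustration that is not code from the article or from Gate.io: the server requires an out-of-band confirmation for transfers above a threshold or to an unknown recipient, shows the user the exact destination it received (so an address swapped by a script in the browser becomes visible), and binds the approved destination to the request with an HMAC so it cannot change again before execution. The threshold, the secret, the user IDs and the address strings are assumed, constructed values.

```python
import base64, binascii, hashlib, hmac, json, secrets

THRESHOLD_BTC = 0.5  # assumed policy threshold; a real exchange would tune this per user

def needs_confirmation(amount_btc, dest, known_recipients, threshold=THRESHOLD_BTC):
    """Step up above a certain amount or when the recipient is not previously known."""
    return amount_btc >= threshold or dest not in known_recipients

def _canonical(user, dest, amount_btc, nonce, expires_at):
    fields = {"user": user, "dest": dest, "amount": f"{amount_btc:.8f}",
              "nonce": nonce, "exp": expires_at}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def issue_confirmation(secret, user, dest, amount_btc, now, ttl=600):
    """Return (token, challenge). The challenge, including the exact destination the
    server received, is what gets shown to the user over the second channel."""
    body = _canonical(user, dest, amount_btc, secrets.token_hex(8), now + ttl)
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac, json.loads(body)

def verify_confirmation(secret, token, user, dest, amount_btc, now):
    """True only if the token is authentic, unexpired and bound to this exact
    user/destination/amount; a destination substituted after approval fails."""
    try:
        b64, mac = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return False
    if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).hexdigest(), mac):
        return False
    fields = json.loads(body)
    return (fields["exp"] >= now and fields["user"] == user and fields["dest"] == dest
            and fields["amount"] == f"{amount_btc:.8f}")

def process_withdrawal(secret, user, submitted_dest, amount_btc, known_recipients,
                       intended_dest, now):
    """Simulated flow: the browser submits `submitted_dest` (possibly swapped by a
    malicious script); the user, who still knows `intended_dest`, reviews the
    out-of-band challenge. Returns (executed, reason)."""
    if not needs_confirmation(amount_btc, submitted_dest, known_recipients):
        return True, "executed without step-up"
    token, challenge = issue_confirmation(secret, user, submitted_dest, amount_btc, now)
    if challenge["dest"] != intended_dest:  # the user sees an address they never typed
        return False, "rejected by user: destination differs"
    if not verify_confirmation(secret, token, user, submitted_dest, amount_btc, now):
        return False, "rejected: confirmation invalid"
    return True, "executed after out-of-band approval"
```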