Criminal Web-Injects Can Steal Cryptocurrency

Uploaded on 2018-04-11 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Financial

Criminals have deployed a variety of tactics in recent months to try and profit from the cryptocurrency boom. One of them is the use of Web injects to intercept and modify traffic between user browsers and cryptocurrency sites in order to steal coins from victims and transfer it to accounts held by criminals.

Third-party risk management firm SecurityScorecard says it has seen recent evidence of threat actors using Web injects to target crypto-currency exchange Coinbase and Bitcoin wallet Blockchain.info.

Tens of thousands of bots can run the Web injects to steal crypto-currency, making them a potent threat for investors and exchanges, according to SecurityScorecard.

A Web inject is basically code for injecting malicious content into a Web page before the page is rendered on a user's browser. This work by intercepting and modifying traffic between a Web server and user browser in such a manner that the victim typically does not notice anything amiss.

Web injects can be used to add or delete content on the Web pages that a victim sees. For instance, a Web inject can be used to add a field in the login screen for capturing the PIN a user might use to access his or her bank account, or it can be used to delete warnings that a user might normally see when viewing a particular Web page.

Web injects typically have been used to steal credentials for accessing bank accounts, but recently have begun to play a role in crypto-currency heists as well.

Bot masters can readily buy the Web injects for Coinbase and Blockchain.info and distribute them to infected computers in a botnet, says Doina Cosovan, malware researcher at SecurityScorecard.

The malware installed on those infected computers receive the Web injects and inject them in the Coinbase and Blockchain.info websites if a user happens to visit either site.

These Web injects are provided as a service, so different malware families can use them. Cosovan says. "We noticed Zeus and Ramnit in particular, but these are simply examples we observed.

Any other bot master controlling bots infected with a malware family which has capabilities to inject code in websites can buy and use these Web injects on their bots," she notes.

The Web inject for Coinbase that SecurityScorecard discovered is designed to change the settings on a victim's account in order to enable digital coin transfers without requiring the user's confirmation.

When a user tries to log in to his or her Coinbase account, the injected JavaScript content first disables the "Enter" key for the email and password fields so the user has to actually click on the "Submit" button in order to submit the form, according to SecurityScorecard.

It also creates a new button that has mostly the same attributes as the original button, and a few additional malicious ones. It then adds the rogue "Submit" button on top of the original sign-in button so that the victim clicks on the malicious button rather than the original.

The ultimate goal is to capture the victim's multifactor authentication information and then using it to change account settings so further transactions can be carried out without requiring the user's approval.

"Once this change is made, the injected content can start making transactions without the need to authorise them with [two-factor authentication]," Cosovan says. "Even more, the user's access to the settings is blocked, so that he can't enable the two-factor authentication for transactions," she adds.

The Blockchain.info Web inject has somewhat similar functionality but in this case is designed to steal from a user's Bitcoin wallet and transfer the digital currency to accounts held by threat actors.

As a final touch, the Web inject presents the user with a "Service Unavailable" notice after stealing the crypto-currency, thereby delaying the victim's ability to detect the theft, SecurityScorecard said.

The use of Web injects in cryptocurrency theft is one of many tactics that cybercriminals are employing to profit from the surging interest in Bitcoin, Monero, and other cryptocurrencies worldwide. Even as defenders have adapted their tactics to deal with threats, criminals have come up with new ways around them.

Dark Reading

You Might Also Read: 

World's Biggest Ever Digital Currency Theft:

Bitcoin Exchanges Under Siege:

« The Cloud Is A Key To Cyber Defence
Cambridge Analytica, Facebook & GDPR »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DoD Cyber Crime Center (DC3)

DoD Cyber Crime Center (DC3)

DC3 is a US Department of Defense (DoD) center of excellence for Digital and Multimedia forensics.

Clifford Chance

Clifford Chance

Clifford Chance are one of the world's pre-eminent law firms with resources across five continents. Practice areas include Cyber Security & Information Protection

Lakeside Software

Lakeside Software

Lakeside Software is how organizations with large, complex IT environments can finally get visibility across their entire digital estates and see how to do more with less.

Stealthbits Technologies

Stealthbits Technologies

Stealthbits Technologies is a cybersecurity software company focused on protecting an organization's sensitive data and the credentials attackers use to steal that data.

Trusted Knight

Trusted Knight

Trusted Knight is a leading provider of security software solutions focused on defeating newly developed malware and crimeware trojans.

RISE

RISE

RISE is an independent, State-owned research institute, which offers unique expertise and over 100 testbeds and demonstration environments for future-proof technologies, products and services.

David Hayes-Export Controls

David Hayes-Export Controls

David Hayes-Export Controls provides assistance to companies affected by export controls or who are considering entering the market but are unsure of the commercial and regulatory implications.

Kentik

Kentik

Kentik - one platform for Network Visibility, Performance, and Security.

Smoothstack

Smoothstack

Smoothstack is a technology talent incubator whose immersive training program kick starts IT careers and delivers a fresh source of IT talent.

Polestar Industrial IT

Polestar Industrial IT

Polestar work on both sides of the IT & OT divide. Network, Data & Asset Security is our priority. Polestar installations are robust and resilient and comply with the appropriate security.

Deutsche Gesellschaft für Cybersicherheit (DGC)

Deutsche Gesellschaft für Cybersicherheit (DGC)

As a leading provider of cyber security, DGC supports companies in taking advantage of the opportunities offered by the digital transformation – and in minimizing the associated risks.

Vertek

Vertek

Vertek is a leading provider of operations consulting, end-to-end business process outsourcing, business intelligence, software applications and managed cybersecurity solutions.

Xeol

Xeol

Software free of vulnerabilities, built and distributed by trusted entities. Our mission is to help customers secure their software from code to deploy.

Codenotary

Codenotary

Codenotary provide a comprehensive suite of verification and enforcement services to guarantee the integrity of your software throughout its entire lifecycle.

OmniIndex

OmniIndex

OmniIndex PostgresBC is the only commercial solution allowing you to keep your most sensitive and critical data encrypted while analyzing it. Structured and unstructured.

ThreatMate

ThreatMate

ThreatMate empowers businesses with comprehensive tools to detect, protect, and remediate against cyber threats.