Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
March 22, 2018
Malware leverages web injects to empty users’ cryptocurrency accounts

Criminals trying to get their hands on victims’ cryptocurrency stashes are trying out various approaches. The latest one includes equipping malware with Man-in-the-Browser capabilities so they can hijack online accounts and perform fraudulent transactions on the fly.

Injecting malicious scripts into target sites

Since the beginning of the year, SecurityScorecard researchers have observed two botnets – powered by the Zeus Panda and Ramnit malware families – that are after Coinbase.com accounts and Blockchain.info wallets.

The malware, among other things, is capable of detecting when the user visits either of those two websites and silently injecting an obfuscated script into the page, which changes the content of the landing page.

When the target is Coinbase, the script disables the Enter key for the email and password input fields, then creates a new button and superimposes it over the “Sign In” button. Thus, when the victim enters the login credentials and presses the latter, they believe they are logging in.

They are actually not. The malware makes it seem that there is a problem with the sign-in process, and asks the user to enter their second authentication factor:

[Image: cryptocurrency theft web injects]

At the same time, the stolen information is used by the attacker to access the user’s account and modify security settings for future transactions.

“In most situations, attackers likely need to be actively involved and use the compromised data quickly,” researchers Catalin Valeriu and Doina Cosovan explained to Help Net Security.

“When WebInjects targets banking information for wire fraud, attackers also need to be actively engaged for the same reason – mostly the need to login before the time expiration on two factor codes. Older versions of Zeus would make use of Jabber instant messenger to notify botnet administrators of compromised credentials, and it is likely modern variants use similar tactics.”

Interestingly enough, after the security settings are changed, the attacker also makes sure the user can’t change the settings back, by blocking access to the settings page and showing an error message.

“Once the multi-factor authentication is disabled and the user can’t access the settings page anymore, the attacker can proceed to making transfers,” the researchers noted.

For the moment, though, the variants have not perfected the automation behind the transfer of stolen funds. Apparently, the crooks are currently satisfied with just compromising the account for future (mis)use. Still, the researchers believe it’s a matter of time until bugs are worked out and automation is achieved at some level.

A similar process is used to compromise Blockchain.info wallets. The victims are also faced with fake sign-in problems:

[Image: cryptocurrency theft web injects]

Only in this case, as the victim waits for the problems to resolve themselves, the script quickly initiates a transfer page and populates it with the destination address, the currency type, and the amount to be transferred.

Once again, users are asked for their second authentication factor. When they enter it and click on the “Confirm” button, the script extracts the value of the PIN password from the form, populates the PIN password field in the transfer form, and thus authorizes the transfer.

While this is happening and for a while after, the script shows the victim a note saying that the service is currently unavailable, so that they won’t realize that their wallet is being emptied.
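The two DOM-level symptoms described above, a foreign element superimposed over the real “Sign In” button and an injected script the page never shipped, are the kind of thing a site operator can check for from within the page itself. The following is an added example written for this article, not code from Help Net Security or SecurityScorecard: pure functions that take a snapshot of element geometry and script tags and report overlays and unexpected scripts. The snapshot records, the host `www.example-exchange.test`, the CSP nonce value and the `collectSnapshot` helper are all assumptions constructed for the example; in a real deployment the report would be sent to the operator’s telemetry endpoint rather than logged.

```javascript
// Added example (not from the article or SecurityScorecard): a page-integrity
// check against the two symptoms the article describes. All element and script
// records below are constructed sample data.

// Axis-aligned rectangle intersection: true when the two boxes share any area.
function rectsOverlap(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// Return ids of elements that cover the target button and are stacked at or
// above it. Ancestors of the target (its <form>, containing <div>) are skipped
// because they legitimately overlap it; a non-ancestor with an equal or higher
// z-index sitting on the button's box is what an overlay button looks like.
function findOverlays(elements, targetId) {
  const target = elements.find(e => e.id === targetId);
  if (!target) return [];
  return elements
    .filter(e => e.id !== targetId && !target.ancestors.includes(e.id))
    .filter(e => e.zIndex >= target.zIndex && rectsOverlap(e.rect, target.rect))
    .map(e => e.id);
}

// Return labels of scripts the page did not ship: external sources whose host
// is not on the allow list, and inline scripts missing the per-response CSP
// nonce the server issued. An unparsable src is reported as well.
function findForeignScripts(scripts, allowedHosts, expectedNonce) {
  return scripts.filter(s => {
    if (s.src) {
      let host;
      try { host = new URL(s.src).hostname; } catch (e) { return true; }
      return !allowedHosts.includes(host);
    }
    return s.nonce !== expectedNonce;
  }).map(s => s.src || `inline#${s.index}`);
}

// Hypothetical browser-side collector producing the record shape used above.
// Only meaningful inside a page; guarded so the module also loads under Node.
function collectSnapshot() {
  if (typeof document === 'undefined') return { elements: [], scripts: [] };
  const all = [...document.querySelectorAll('*')];
  const ids = new Map(all.map((el, i) => [el, el.id || `anon${i}`]));
  const elements = all.map(el => {
    const r = el.getBoundingClientRect();
    const ancestors = [];
    for (let p = el.parentElement; p; p = p.parentElement) ancestors.push(ids.get(p));
    return { id: ids.get(el), rect: { x: r.left, y: r.top, w: r.width, h: r.height },
             zIndex: parseInt(getComputedStyle(el).zIndex, 10) || 0, ancestors };
  });
  const scripts = [...document.scripts].map((s, i) => ({ index: i, src: s.src, nonce: s.nonce }));
  return { elements, scripts };
}

// Constructed sample: a login form, its real button, a help link beside it, an
// absolutely positioned element placed over the button, and one inline script
// without the expected nonce.
const SAMPLE = {
  elements: [
    { id: 'login-form', rect: { x: 100, y: 100, w: 400, h: 300 }, zIndex: 0, ancestors: [] },
    { id: 'signin-btn', rect: { x: 150, y: 320, w: 120, h: 40 }, zIndex: 0, ancestors: ['login-form'] },
    { id: 'help-link',  rect: { x: 300, y: 320, w: 80,  h: 20 }, zIndex: 0, ancestors: ['login-form'] },
    { id: 'anon7',      rect: { x: 148, y: 318, w: 124, h: 44 }, zIndex: 10, ancestors: [] },
  ],
  scripts: [
    { index: 0, src: 'https://www.example-exchange.test/app.js', nonce: '' },
    { index: 1, src: '', nonce: 'n0nce123' },
    { index: 2, src: '', nonce: '' },
  ],
};
const ALLOWED_HOSTS = ['www.example-exchange.test'];
const EXPECTED_NONCE = 'n0nce123';

// Run the checks over the constructed snapshot and return the findings.
function checkSnapshot(snapshot) {
  return {
    overlays: findOverlays(snapshot.elements, 'signin-btn'),
    foreignScripts: findForeignScripts(snapshot.scripts, ALLOWED_HOSTS, EXPECTED_NONCE),
  };
}

console.log(JSON.stringify(checkSnapshot(SAMPLE)));
```

The overlay check is geometric, so it also catches overlays that carry no id or class at all; the script check relies on the server already issuing a fresh nonce per response, which is the part of a CSP that lets the page tell its own inline scripts from injected ones.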

What can you do to protect yourself?

“As the cryptocurrency ecosystem and economy grows, the malware ecosystem and economy is also likely to grow along with it. While these variants were only targeting Coinbase.com and Blockchain.info, there are likely WebInjects variants that target other exchanges and services – both large and small,” the researchers pointed out.

“The WebInjects functionality is attractive to attackers because it allows them to quickly adapt the code to target new services and update code to maintain access to existing services.”

Users are advised to be on the lookout for things like a disabled Enter key, an inaccessible Settings page, unexpected requests to authenticate using multi-factor authentication, or “Service unavailable” alerts.

“If you suspect your account has been compromised, it is important to immediately change your password from a DIFFERENT computer, as it’s unlikely to also be compromised with the same malware,” Valeriu and Cosovan advise.

“The unfortunate part about advanced malware is the level of persistence that is obtained once a system is infected. Mitigating the infection can be time consuming – a complete re-imaging of the operating system and BIOS is recommended on the infected device.”

They also noted that, when this type of advanced bank fraud malware began targeting online banking users a few years ago, it was generally advised that users use a “Live CD” for online banking.

“This advice is still solid, and applies to the world of cryptocurrencies as well,” they concluded.

© Copyright 1998-2022 by Help Net Security