Attacks/Breaches
3/5/2014
01:05 PM
Connect Directly
RSS
E-Mail
50%
50%

Bitcoin Heists Cause More Trouble

Attackers continue to pummel bitcoin "banks," exchanges, and crypto-currency users themselves via malware that steals virtual wallets.

deducted 12.3% from every user's bitcoin balance, although he promised to refund that by raising the exchange fee, as well as via donations.

That theft was in fact the second crypto-currency heist to hit Poloniex, after an anonymous attacker -- using the handle "Guy Fawkes" -- last month boosted 35,000 units of Counterparty currency (XCP). That relatively new crypto-currency is billed as being a "distributed financial system built on top of the Bitcoin blockchain" and was created to facilitate the use of financial instruments, such as floating company stocks, creating derivatives, and hedging trades.

The attacker converted the XCP into 150 bitcoins, then withdrew 115 of them, which as of Wednesday was worth over $70,000.

But in an odd twist, the attacker -- who claimed to work as a cleaner in a Brazilian hostel, though he dreamed of becoming a security expert -- later returned all of the stolen bitcoins, and detailed how he'd stolen the XCP in the first place. He cited not a flaw at Poloniex, but rather in the Counterparty software used by the exchange, which has since been patched. In exchange for the safe return of the bitcoins, the owner of Poloniex agreed to not press charges.

Pony botnet steals crypto-currency wallets
Beyond those exploits of Bitcoin exchanges and banks, hackers have also continued to directly attack people who buy, sell, and store crypto-currencies. Between September 2013 and mid-January 2014, for example, attackers used an instance of the Pony botnet to steal 85 virtual wallets, which were then used to trade more than $200,000 in crypto-currency, including 355 bitcoins, 280 litecoins, 33 primecoins, and 46 feathercoins.

"The source code for Pony leaked last year, which means that any cyber gang that gets access to that code can take it and make any modifications that it wants," Ziv Mador, director of security research at Trustwave SpiderLabs, which discovered the botnet, said in a phone interview. That firm was also behind the discovery of another Pony botnet, which was recently used to steal 2 million credentials, primarily for Facebook, Google, Yahoo, Twitter, and LinkedIn, but for a range of other sites too, including payment processor ADP.

In the latest case, however, attackers used a Pony botnet to steal 700,000 credentials, including website and email logins, as well as FTP secure shell and remote desktop credentials. But the attackers also modified their version of the Pony botnet to target crypto-currency virtual wallets, which are typically generated by Bitcoin software or other virtual currency tools, and stored as "wallet.dat" files. While most of those tools include an option to encrypt the wallet.dat file -- typically, it's not active by default --Mador said the owners of the 85 stolen wallets failed to encrypt them.

Crypto-currency transactions lack fraud controls
"Once a legitimate wallet is stolen, and if it wasn't encrypted, both the legitimate owner and the attacker can generate transactions," Mador said. Since crypto-currency transactions are anonymous -- they only carry a long number, which is their public key -- researchers can't tell who made the trades using the 85 wallets. "There's no way for us to determine whether the money was stolen, or if they were legitimate transactions," he added.

Attackers target bitcoins and other virtual currencies because of their value, as well as the degree of anonymity they afford. But another way in which they're "ideal for criminals," Mador said, is because once a transaction is made, it can't be reversed. For example, even if the owner of a virtual wallet realized he'd been hacked, so long as the attacker was able to cash out the wallet before its legitimate owner, there would be nothing the owner could do.

"A user in a commercial bank, for example, if they're the victim of a fraudulent transaction, most likely the bank will pay them back or reimburse them for the loss," said Mador. "That's not the case for virtual currencies. If the site doesn't stand up to reimburse the user, then the money is lost."

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/6/2014 | 4:27:47 AM
Re: Rotten in Denmark
I think Bitcoin's troubles come from within. The developer/chief behind Mt. Gox, for example, didn't code clean-enough code to prevent very, very patient attackers from finding a way to exploit the exchange. Likewise, Internet-connected virtual wallets are a sitting duck.

There are now more than 30 cryptocurrencies available. If Bitcoin dies, many more can take its place. I'd say this is less a fatwa against cryptocurrencies, and more of a Darwinian thing. Which, when you're dealing with developing stable monetary systems, is exactly how it should be.
asksqn
50%
50%
asksqn,
User Rank: Apprentice
3/5/2014 | 4:21:58 PM
Rotten in Denmark
I can't help but think that the utter annihilation of cryptocurrency is a concerted effort by the central banking cartel to destroy the threat Bitcoin et al. clearly poses to the status quo.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.