01:05 PM

Bitcoin Heists Cause More Trouble

Attackers continue to pummel bitcoin "banks," exchanges, and crypto-currency users themselves via malware that steals virtual wallets.

deducted 12.3% from every user's bitcoin balance, although he promised to refund that by raising the exchange fee, as well as via donations.

That theft was in fact the second crypto-currency heist to hit Poloniex, after an anonymous attacker -- using the handle "Guy Fawkes" -- last month boosted 35,000 units of Counterparty currency (XCP). That relatively new crypto-currency is billed as being a "distributed financial system built on top of the Bitcoin blockchain" and was created to facilitate the use of financial instruments, such as floating company stocks, creating derivatives, and hedging trades.

The attacker converted the XCP into 150 bitcoins, then withdrew 115 of them, which as of Wednesday was worth over $70,000.

But in an odd twist, the attacker -- who claimed to work as a cleaner in a Brazilian hostel, though he dreamed of becoming a security expert -- later returned all of the stolen bitcoins, and detailed how he'd stolen the XCP in the first place. He cited not a flaw at Poloniex, but rather in the Counterparty software used by the exchange, which has since been patched. In exchange for the safe return of the bitcoins, the owner of Poloniex agreed to not press charges.

Pony botnet steals crypto-currency wallets
Beyond those exploits of Bitcoin exchanges and banks, hackers have also continued to directly attack people who buy, sell, and store crypto-currencies. Between September 2013 and mid-January 2014, for example, attackers used an instance of the Pony botnet to steal 85 virtual wallets, which were then used to trade more than $200,000 in crypto-currency, including 355 bitcoins, 280 litecoins, 33 primecoins, and 46 feathercoins.

"The source code for Pony leaked last year, which means that any cyber gang that gets access to that code can take it and make any modifications that it wants," Ziv Mador, director of security research at Trustwave SpiderLabs, which discovered the botnet, said in a phone interview. That firm was also behind the discovery of another Pony botnet, which was recently used to steal 2 million credentials, primarily for Facebook, Google, Yahoo, Twitter, and LinkedIn, but for a range of other sites too, including payment processor ADP.

In the latest case, however, attackers used a Pony botnet to steal 700,000 credentials, including website and email logins, as well as FTP secure shell and remote desktop credentials. But the attackers also modified their version of the Pony botnet to target crypto-currency virtual wallets, which are typically generated by Bitcoin software or other virtual currency tools, and stored as "wallet.dat" files. While most of those tools include an option to encrypt the wallet.dat file -- typically, it's not active by default --Mador said the owners of the 85 stolen wallets failed to encrypt them.

Crypto-currency transactions lack fraud controls
"Once a legitimate wallet is stolen, and if it wasn't encrypted, both the legitimate owner and the attacker can generate transactions," Mador said. Since crypto-currency transactions are anonymous -- they only carry a long number, which is their public key -- researchers can't tell who made the trades using the 85 wallets. "There's no way for us to determine whether the money was stolen, or if they were legitimate transactions," he added.

Attackers target bitcoins and other virtual currencies because of their value, as well as the degree of anonymity they afford. But another way in which they're "ideal for criminals," Mador said, is because once a transaction is made, it can't be reversed. For example, even if the owner of a virtual wallet realized he'd been hacked, so long as the attacker was able to cash out the wallet before its legitimate owner, there would be nothing the owner could do.

"A user in a commercial bank, for example, if they're the victim of a fraudulent transaction, most likely the bank will pay them back or reimburse them for the loss," said Mador. "That's not the case for virtual currencies. If the site doesn't stand up to reimburse the user, then the money is lost."

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/6/2014 | 4:27:47 AM
Re: Rotten in Denmark
I think Bitcoin's troubles come from within. The developer/chief behind Mt. Gox, for example, didn't code clean-enough code to prevent very, very patient attackers from finding a way to exploit the exchange. Likewise, Internet-connected virtual wallets are a sitting duck.

There are now more than 30 cryptocurrencies available. If Bitcoin dies, many more can take its place. I'd say this is less a fatwa against cryptocurrencies, and more of a Darwinian thing. Which, when you're dealing with developing stable monetary systems, is exactly how it should be.
User Rank: Ninja
3/5/2014 | 4:21:58 PM
Rotten in Denmark
I can't help but think that the utter annihilation of cryptocurrency is a concerted effort by the central banking cartel to destroy the threat Bitcoin et al. clearly poses to the status quo.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.