01:05 PM
Connect Directly

Bitcoin Heists Cause More Trouble

Attackers continue to pummel bitcoin "banks," exchanges, and crypto-currency users themselves via malware that steals virtual wallets.

deducted 12.3% from every user's bitcoin balance, although he promised to refund that by raising the exchange fee, as well as via donations.

That theft was in fact the second crypto-currency heist to hit Poloniex, after an anonymous attacker -- using the handle "Guy Fawkes" -- last month boosted 35,000 units of Counterparty currency (XCP). That relatively new crypto-currency is billed as being a "distributed financial system built on top of the Bitcoin blockchain" and was created to facilitate the use of financial instruments, such as floating company stocks, creating derivatives, and hedging trades.

The attacker converted the XCP into 150 bitcoins, then withdrew 115 of them, which as of Wednesday was worth over $70,000.

But in an odd twist, the attacker -- who claimed to work as a cleaner in a Brazilian hostel, though he dreamed of becoming a security expert -- later returned all of the stolen bitcoins, and detailed how he'd stolen the XCP in the first place. He cited not a flaw at Poloniex, but rather in the Counterparty software used by the exchange, which has since been patched. In exchange for the safe return of the bitcoins, the owner of Poloniex agreed to not press charges.

Pony botnet steals crypto-currency wallets
Beyond those exploits of Bitcoin exchanges and banks, hackers have also continued to directly attack people who buy, sell, and store crypto-currencies. Between September 2013 and mid-January 2014, for example, attackers used an instance of the Pony botnet to steal 85 virtual wallets, which were then used to trade more than $200,000 in crypto-currency, including 355 bitcoins, 280 litecoins, 33 primecoins, and 46 feathercoins.

"The source code for Pony leaked last year, which means that any cyber gang that gets access to that code can take it and make any modifications that it wants," Ziv Mador, director of security research at Trustwave SpiderLabs, which discovered the botnet, said in a phone interview. That firm was also behind the discovery of another Pony botnet, which was recently used to steal 2 million credentials, primarily for Facebook, Google, Yahoo, Twitter, and LinkedIn, but for a range of other sites too, including payment processor ADP.

In the latest case, however, attackers used a Pony botnet to steal 700,000 credentials, including website and email logins, as well as FTP secure shell and remote desktop credentials. But the attackers also modified their version of the Pony botnet to target crypto-currency virtual wallets, which are typically generated by Bitcoin software or other virtual currency tools, and stored as "wallet.dat" files. While most of those tools include an option to encrypt the wallet.dat file -- typically, it's not active by default --Mador said the owners of the 85 stolen wallets failed to encrypt them.

Crypto-currency transactions lack fraud controls
"Once a legitimate wallet is stolen, and if it wasn't encrypted, both the legitimate owner and the attacker can generate transactions," Mador said. Since crypto-currency transactions are anonymous -- they only carry a long number, which is their public key -- researchers can't tell who made the trades using the 85 wallets. "There's no way for us to determine whether the money was stolen, or if they were legitimate transactions," he added.

Attackers target bitcoins and other virtual currencies because of their value, as well as the degree of anonymity they afford. But another way in which they're "ideal for criminals," Mador said, is because once a transaction is made, it can't be reversed. For example, even if the owner of a virtual wallet realized he'd been hacked, so long as the attacker was able to cash out the wallet before its legitimate owner, there would be nothing the owner could do.

"A user in a commercial bank, for example, if they're the victim of a fraudulent transaction, most likely the bank will pay them back or reimburse them for the loss," said Mador. "That's not the case for virtual currencies. If the site doesn't stand up to reimburse the user, then the money is lost."

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/6/2014 | 4:27:47 AM
Re: Rotten in Denmark
I think Bitcoin's troubles come from within. The developer/chief behind Mt. Gox, for example, didn't code clean-enough code to prevent very, very patient attackers from finding a way to exploit the exchange. Likewise, Internet-connected virtual wallets are a sitting duck.

There are now more than 30 cryptocurrencies available. If Bitcoin dies, many more can take its place. I'd say this is less a fatwa against cryptocurrencies, and more of a Darwinian thing. Which, when you're dealing with developing stable monetary systems, is exactly how it should be.
User Rank: Apprentice
3/5/2014 | 4:21:58 PM
Rotten in Denmark
I can't help but think that the utter annihilation of cryptocurrency is a concerted effort by the central banking cartel to destroy the threat Bitcoin et al. clearly poses to the status quo.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.