Attacks/Breaches
3/5/2014
01:05 PM
50%
50%

Bitcoin Heists Cause More Trouble

Attackers continue to pummel bitcoin "banks," exchanges, and crypto-currency users themselves via malware that steals virtual wallets.

deducted 12.3% from every user's bitcoin balance, although he promised to refund that by raising the exchange fee, as well as via donations.

That theft was in fact the second crypto-currency heist to hit Poloniex, after an anonymous attacker -- using the handle "Guy Fawkes" -- last month boosted 35,000 units of Counterparty currency (XCP). That relatively new crypto-currency is billed as being a "distributed financial system built on top of the Bitcoin blockchain" and was created to facilitate the use of financial instruments, such as floating company stocks, creating derivatives, and hedging trades.

The attacker converted the XCP into 150 bitcoins, then withdrew 115 of them, which as of Wednesday was worth over $70,000.

But in an odd twist, the attacker -- who claimed to work as a cleaner in a Brazilian hostel, though he dreamed of becoming a security expert -- later returned all of the stolen bitcoins, and detailed how he'd stolen the XCP in the first place. He cited not a flaw at Poloniex, but rather in the Counterparty software used by the exchange, which has since been patched. In exchange for the safe return of the bitcoins, the owner of Poloniex agreed to not press charges.

Pony botnet steals crypto-currency wallets
Beyond those exploits of Bitcoin exchanges and banks, hackers have also continued to directly attack people who buy, sell, and store crypto-currencies. Between September 2013 and mid-January 2014, for example, attackers used an instance of the Pony botnet to steal 85 virtual wallets, which were then used to trade more than $200,000 in crypto-currency, including 355 bitcoins, 280 litecoins, 33 primecoins, and 46 feathercoins.

"The source code for Pony leaked last year, which means that any cyber gang that gets access to that code can take it and make any modifications that it wants," Ziv Mador, director of security research at Trustwave SpiderLabs, which discovered the botnet, said in a phone interview. That firm was also behind the discovery of another Pony botnet, which was recently used to steal 2 million credentials, primarily for Facebook, Google, Yahoo, Twitter, and LinkedIn, but for a range of other sites too, including payment processor ADP.

In the latest case, however, attackers used a Pony botnet to steal 700,000 credentials, including website and email logins, as well as FTP secure shell and remote desktop credentials. But the attackers also modified their version of the Pony botnet to target crypto-currency virtual wallets, which are typically generated by Bitcoin software or other virtual currency tools, and stored as "wallet.dat" files. While most of those tools include an option to encrypt the wallet.dat file -- typically, it's not active by default --Mador said the owners of the 85 stolen wallets failed to encrypt them.

Crypto-currency transactions lack fraud controls
"Once a legitimate wallet is stolen, and if it wasn't encrypted, both the legitimate owner and the attacker can generate transactions," Mador said. Since crypto-currency transactions are anonymous -- they only carry a long number, which is their public key -- researchers can't tell who made the trades using the 85 wallets. "There's no way for us to determine whether the money was stolen, or if they were legitimate transactions," he added.

Attackers target bitcoins and other virtual currencies because of their value, as well as the degree of anonymity they afford. But another way in which they're "ideal for criminals," Mador said, is because once a transaction is made, it can't be reversed. For example, even if the owner of a virtual wallet realized he'd been hacked, so long as the attacker was able to cash out the wallet before its legitimate owner, there would be nothing the owner could do.

"A user in a commercial bank, for example, if they're the victim of a fraudulent transaction, most likely the bank will pay them back or reimburse them for the loss," said Mador. "That's not the case for virtual currencies. If the site doesn't stand up to reimburse the user, then the money is lost."

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/6/2014 | 4:27:47 AM
Re: Rotten in Denmark
I think Bitcoin's troubles come from within. The developer/chief behind Mt. Gox, for example, didn't code clean-enough code to prevent very, very patient attackers from finding a way to exploit the exchange. Likewise, Internet-connected virtual wallets are a sitting duck.

There are now more than 30 cryptocurrencies available. If Bitcoin dies, many more can take its place. I'd say this is less a fatwa against cryptocurrencies, and more of a Darwinian thing. Which, when you're dealing with developing stable monetary systems, is exactly how it should be.
asksqn
50%
50%
asksqn,
User Rank: Ninja
3/5/2014 | 4:21:58 PM
Rotten in Denmark
I can't help but think that the utter annihilation of cryptocurrency is a concerted effort by the central banking cartel to destroy the threat Bitcoin et al. clearly poses to the status quo.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.