Attacks/Breaches
11/27/2013
10:35 AM
50%
50%

Bitcoin Thefts Surge, DDoS Hackers Take Millions

Cryptographic currency's massive rise in value leads to a corresponding increase in online heists by criminals seeking easy paydays.

10 IT Job Titles We Miss
10 IT Job Titles We Miss
(Click image for larger view.)

Say you've created a cryptographic currency called bitcoin that promises users relative anonymity and untraceable transactions. What could possibly go wrong? The answer, of course, is that these virtues also appeal to hackers, malware developers, and organized crime rings who wouldn't think twice about committing virtual bank robberies.

Earlier this month, for example, Bitcoin Internet Payment System (BIPS), a Denmark-based Bitcoin payment processor, suffered a denial-of-service (DDoS) attack. Unfortunately for users of the company's free online wallets for storing bitcoins, the DDoS attack was merely a smokescreen for a digital heist that quickly drained numerous wallets, netting the attackers a reported 1,295 bitcoins -- worth nearly $1 million -- and leaving wallet users with little chance that they'd ever see their money again.

"On November 15th BIPS was the target of a massive DDoS attack, which is now believed to have been the initial preparation for a subsequent attack on November 17th," Kris Henriksen, the CEO of BIPS, said via Reddit. "Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets."

BIPS has been conducting a digital forensic investigation and working with authorities to try to identify the perpetrators. It said that early results showed that the attack originated "from Russia and neighboring countries."

The BIPS heist followed two separate October attacks against Australia-based Inputs.io, in which attackers netted about $1.3 million in bitcoins after stealing all 4,100 bitcoins being held by the free e-wallet service.

[Criminals are taking shelter under bitcoins. See Dutch Banking Malware Gang Busted: Bitcoin's Role.]

The value of bitcoins continues to fluctuate wildly due to a bubble created by bitcoin speculators. In 2011, for example, the currency's value fell from $33 to just $1 per bitcoin before rising to more than $900 earlier this month on MtGox, the world's biggest bitcoin exchange. But that bubble burst the next day, when the value of bitcoins fell by half. As of early Wednesday, however, the currency's value had once again skyrocketed, trading at more than $980 on MtGox.

That rise in value has driven hackers to attack online wallet services that store bitcoins. "Each of these companies had been operating officially for only a few months, yet already had entrusted to them millions of dollars that are now in the hands of cybercrooks," Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said Tuesday in a blog post.

Malware writers have also taken a keen interest in bitcoins, with some -- especially Russian gangs -- modifying their crimeware tools to identify and steal any bitcoins found on infected PCs. "There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims' Bitcoin wallets, or both," according to a blog post from Robert Lipovsky, a researcher at security firm ESET.

(Source: zcopley)
(Source: zcopley)

Other malware attacks have started closer to home. Last week, for example, the New Jersey state attorney general's office announced that it had settled a complaint it filed against Commack, N.Y.-based online gaming company E-Sports, as well company co-founder Eric Thunberg and software engineer Sean Hunczak. According to the complaint, Hunczak designed malware that infected about 14,000 computers that subscribed to the company's service, and which mined their PCs for bitcoins, which the perpetrators then sold for about $3,500. Under the terms of the state's $1 million settlement agreement, the company will pay a fine of $325,000, but the rest will be vacated, providing the company complies with a 10-year compliance program.

But not all bitcoin heists have been executed via hack attacks or malware. For example, a China-based bitcoin exchange called GBL launched in May. Almost 1,000 people used the service to deposit bitcoins worth about $4.1 million. But the exchange was revealed to be an elaborate scam after whoever launched the site shut it down on October 26 and absconded with the funds.

Given the potential spoils from a successful online heist, it's not surprising that related attacks are becoming more common. "Please be advised that attacks are not isolated to us and if you are storing larger amounts of coins with any third party you may want to find alternative storage solutions as soon as possible, preferably cold storage if you do not need immediate access to those coins," said Henriksen.

Bitcoin users have echoed that suggestion. "One note of warning: don't trust any online wallet," read a comment on a recent Guardian feature. "The two biggest ones have already been robbed. Use your own wallet on your own computer and back it up on a USB stick."

"Remember, you don't have to keep your Bitcoins online with someone else: you can store your Bitcoins yourself, encrypted and offline," said Ducklin at Sophos.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
WKash
50%
50%
WKash,
User Rank: Apprentice
11/27/2013 | 1:46:56 PM
Virtual Highway Robbery
Knowing..."That rise in value has driven hackers to attack online wallet services that store bitcoins," it's hard to get excited about jumping on the virtual currency wagon trail...too many outlaws out there.

 
coalminds.com
50%
50%
coalminds.com,
User Rank: Apprentice
11/27/2013 | 2:17:31 PM
Re: Virtual Highway Robbery
"According to the complaint, Hunczak designed malware that infected about 14,000 computers that subscribed to the company's service, and which mined their PCs for bitcoins, which the perpetrators then sold for about $3,500. Under the terms of the state's $1 million settlement agreement, the company will pay a fine of $325,000, but the rest will be vacated, providing the company complies with a 10-year compliance program."

So breaking into someone's property 14,000 times just leads to a settlement? Shouldn't he be doing hard time the way he would be if he were a black person let's say... possessing a pound of marijuana?
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
11/27/2013 | 2:53:09 PM
Re: Virtual Highway Robbery
There are indeed too many outlaws out there. It isn't the bitcoin network in and of itself that is the problem, its bad people trying to steal money from ususpecting users.

Companies providing bitcoin services should not be so unsuspecting; they shold implictly undertstand the risks of getting involved in bitcoin-based businesses and understand that security should be of paramount importance. 
Tom Murphy
100%
0%
Tom Murphy,
User Rank: Apprentice
11/27/2013 | 2:54:44 PM
Re: Virtual Highway Robbery
Off-the-wall ideas are the seeds of innovation, but Bitcoin is just the kind of project that really should die an early death for many, many reasons. I'll cite three: 1) crime. (Read the article. As Bitcoin grows, crime problems will grow exponentially.) 2) Valuation. Do you really want to accept a currency that might be worth $800 today and $3 tomorrow? You might as well accept Cabbage Patch Dolls as currency.  3) Government. We (and I'm speaking for almost the entire human race here) actually want governments to control currencies instead of some enterprise. It's one of the main reasons we HAVE governments.

I say: Render unto Caesar what is Caesar's, and that includes coin of the realm.
Brian.Dean
100%
0%
Brian.Dean,
User Rank: Apprentice
11/27/2013 | 4:29:14 PM
Re: Virtual Highway Robbery
Agreed, governments or the population of the world should be controlling money. Bitcoin is not safe because its value is speculative, never mind organized crime getting to wallets, what happens if they reach the blockchain? And never mind personal computers needlessly solving algorithms to mint new money, what happens if a large Big data Cloud deployment decides to quit real business and gets into the mint business?

Some benefits are there in developing economies to rely on bitcoin, if bitcoin gains mass, bitcoin can be used to safeguard from inflation, having said that, first technology would have to be available throughout the economy.

Basically, I like the old paper form, at least that way I will be able to use it as fire fuel, or maybe we can go back to the barter system.
David F. Carr
100%
0%
David F. Carr,
User Rank: Apprentice
11/27/2013 | 3:36:38 PM
Re: Virtual Highway Robbery
This is why I'm sticking with Monopoly money as my currency of choice.
Shane M. O'Neill
100%
0%
Shane M. O'Neill,
User Rank: Apprentice
11/27/2013 | 4:43:24 PM
Re: Virtual Highway Robbery
Bitcoin's volatility and insecurity are big turn offs. I'll stick with the dollar. When, if ever, will bitcoin be ready for primetime?
Brian.Dean
75%
25%
Brian.Dean,
User Rank: Apprentice
11/27/2013 | 5:23:29 PM
Re: Virtual Highway Robbery
Bitcoin is too small, it has $5 billion of bubble wealth however, and the dollar is backed by $15.5 trillion of real wealth, not mentioning all the foreign economies that treat the dollar as gold. If bitcoin ever gets $15+ trillion of wealth under its name, I guess we could call it primetime.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Strategist
11/27/2013 | 9:49:27 PM
Re: Virtual Highway Robbery
Actually, the US dollar isn't really backed by anything other than trust and faith.  (This is why some people want to return to a gold or silver standard.)  It's earned a lot more trust and faith than Bitcoin has, but the value of the US dollar can (and, sometimes, does) easily plummet.

I remember when we Americans used to joke about the value of Canadian dollars because they were worth so much less.  Now we are eating crow.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
11/28/2013 | 5:24:54 PM
Re: Virtual Highway Robbery
Actually, yes you are right, the dollar too is only backed by a belief that everyone will accept it when a transaction needs to be made, and that the reserve bank will not over produce it. That is the case with any economy with a central bank, and gold also has the same assumptions. If more people use the dollar and it gains mass then it will be more stable.
vitorleur
50%
50%
vitorleur,
User Rank: Apprentice
11/29/2013 | 1:39:37 PM
Re: Virtual Highway Robbery
As long as the user base will grow so will grow the value of bitcoin. The number of bitcoin wallets on blockchain.info went up from 50 thousands in Jan 2013 to almost 700 thousands now and the growth is accelerating exponentially. The number of users might well grow from 700000 now to over one billion users in 10 years or even before that. At that time everyone will be accepting bitcoins as currency. Since the max number of bitcoins is limited I can only guess what price of bitcoins will be in dollars if dollar will survive by then.
Shepy
50%
50%
Shepy,
User Rank: Apprentice
11/28/2013 | 7:07:17 AM
Re: Virtual Highway Robbery
"Bitcoin's volatility and insecurity are big turn offs. I'll stick with the dollar. When, if ever, will bitcoin be ready for primetime?"

Yeah, remember when you read that article about 4 million of actual money being accidentally thrown in the skip, like some guy who did so with a bitchain wallet recently in the news...
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
11/28/2013 | 5:48:58 PM
Re: Virtual Highway Robbery
Indeed, if your Bitcoins are stolen or lost, it's a lot harder to prove they were yours -- or that you even owned them to begin with!

Some governments are entertaining converting their currencies to entirely digital systems, getting rid of physical cash, so it will be interesting to see how the two systems compare against and evolve with each other.
samicksha
50%
50%
samicksha,
User Rank: Apprentice
11/29/2013 | 4:33:01 AM
Re: Virtual Highway Robbery
Bitcoin is currently more of a asset than a currency. And a crash is not the only risk Bitcoin users face. As the price rises, Bitcoin theft is increasing, both from individuals and from online exchanges.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
11/27/2013 | 3:59:55 PM
Technical chops needed on both sides of currency
BitCoin had the technical chops to generate a credible currency. But BitCoin vaults and wallets haven't had the technical chops to store it safely. A rapid gain in value lead to too many  rapid and successful cyber assaults 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
11/27/2013 | 9:50:38 PM
Re: Technical chops needed on both sides of currency
@cbabcock: Reminds me of a saying my dad has: "It's easy to make the money; the hard part is keeping it."

In Bitcoin's case, that seems to be literally true.
ChawChaw
50%
50%
ChawChaw,
User Rank: Apprentice
11/27/2013 | 4:05:55 PM
Bitcoin is bad
The author mentions MtGox as a source for the valuation of a Bitcoin, but fails to mention that in 2011 MtGox was hacked and Email addresses and un-encrypted passwords were posted on the net.

Bitcoins compete with the dollar. Why would any American want more competition in their lives?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
11/27/2013 | 9:46:32 PM
Bitcoin Banking
It is absolutely ridiculous to me that people would entrust their wealth to these companies without any meaningful vetting, security, insurance, qualifications, etc..

I mean, I get that the whole movement behind Bitcoin is to have a decentralized anti-establishment monetary system, but this is the reason why other monetary systems are "establishment."

Until digital currency has a real, trustworthy, effective banking system, this is going to continue to happen, and Bitcoin and its brethren will continue to be fringe monies.
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
12/1/2013 | 8:55:04 PM
Re: Bitcoin Banking
The bitcoin is something new but the concept is not. In Internet world there is this kind of inventions. For example, in China a company named Tencent has so-called "Q coin", which you can use for online transaction but it's not equivalent to bitcoin - you cannot use it in exchange for cash. I believe the trend will continue and in the long run the security will be the biggest concern.
RachelB318
50%
50%
RachelB318,
User Rank: Apprentice
11/28/2013 | 10:14:49 AM
How spend Bitcoin anywhere
Spend bitcoin anywhere in the world. https://www.plazacoin.com/?aff=529451ba4a49d
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Ninja
12/2/2013 | 11:22:07 AM
Old advice applies
My dad always told me to buy low and sell high. Seems like BitCoins are akin to junk bonds -- maybe worth buying low at $3 for the novelty, see if they appreciate. But that's not the basis for long-term success as a currency.
KashfiyaRafa
50%
50%
KashfiyaRafa,
User Rank: Apprentice
12/22/2013 | 9:15:55 AM
Myriad Development of Bitcoin Platform CryptoCafe.com

Hi,

Bitcoin going to save the global economy, Bitcoins are digital coins transferred from person to person, without using a bank or centralized service. 

Bitcoin is not a system of claims. Bitcoin is a pseudo-commodity, not a claim. People who purchase Bitcoins do not have a claim on anybody, nor does anybody have a claim on them. The biggest difference between bitcoin and other virtual currencies is that bitcoins are the only one which have speculative value. 


CryptoCafe is going to be big in the world of Bitcoin, be sure to sign up for the big  release announcement. The website is owned by a public company called Myriad Interactive, the stock symbol is MYRY and its predicted to be very big!

 

Myriad Interactive Media Begins Development of Bitcoin Platform CryptoCafe.com

Thanks :)

infinitnet
50%
50%
infinitnet,
User Rank: Apprentice
1/3/2014 | 10:51:16 AM
Bitcoin Pools/Exchangers DDoS Protection
The size and amount of DDoS attacks is constantly growing, especially when it comes to Bitcoin - be it Exchangers, Mining Pools, Forums or anything really. Especially Bitcoin mining pools are targeted by DDoS attacks lately and if you operate one, you should always consider to keep it DDoS protected from the beginning, to avoid your miners leaving as soon as a DDoS attack hits.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3407
Published: 2014-11-27
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.

CVE-2014-4829
Published: 2014-11-27
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests tha...

CVE-2014-4831
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.

CVE-2014-4832
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.

CVE-2014-4883
Published: 2014-11-27
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?