Attacks/Breaches

3/22/2018
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Criminals Using Web Injects to Steal Cryptocurrency

Man-in-the-browser attacks targeting Blockchain.info and Coinbase websites, SecurityScorecard says.

Criminals have deployed a variety of tactics in recent months to try and profit from the cryptocurrency boom.

One of them is the use of Web injects to intercept and modify traffic between user browsers and cryptocurrency sites in order to steal coins from victims and transfer it to accounts held by criminals.

Third-party risk management firm SecurityScorecard says it has seen recent evidence of threat actors using Web injects to target cryptocurrency exchange Coinbase and Bitcoin wallet Blockchain.info. Tens of thousands of bots can run the Web injects to steal cryptocurrency, making them a potent threat for investors and exchanges, according to SecurityScorecard.

A Web inject is basically code for injecting malicious content into a Web page before the page is rendered on a user's browser. This work by intercepting and modifying traffic between a Web server and user browser in such a manner that the victim typically does not notice anything amiss.

Web injects can be used to add or delete content on the Web pages that a victim sees. For instance, a Web inject can be used to add a field in the login screen for capturing the PIN a user might use to access his or her bank account, or it can be used to delete warnings that a user might normally see when viewing a particular Web page. Web injects typically have been used to steal credentials for accessing bank accounts, but recently have begun to play a role in cryptocurrency heists as well.

Bot masters can readily buy the Web injects for Coinbase and Blockchain.info and distribute them to infected computers in a botnet, says Doina Cosovan, malware researcher at SecurityScorecard. The malware installed on those infected computers receive the Web injects and inject them in the Coinbase and Blockchain.info websites if a user happens to visit either site.

These Web injects are provided as a service, so different malware families can use them. Cosovan says. "We noticed Zeus and Ramnit in particular, but these are simply examples we observed. Any other bot master controlling bots infected with a malware family which has capabilities to inject code in websites can buy and use these Web injects on their bots," she notes.

The Web inject for Coinbase that SecurityScorecard discovered is designed to change the settings on a victim's account in order to enable digital coin transfers without requiring the user's confirmation. When a user tries to log in to his or her Coinbase account, the injected JavaScript content first disables the "Enter" key for the email and password fields so the user has to actually click on the "Submit" button in order to submit the form, according to SecurityScorecard.

It also creates a new button that has mostly the same attributes as the original button, and a few additional malicious ones. It then adds the rogue "Submit" button on top of the original sign-in button so that the victim clicks on the malicious button rather than the original. The ultimate goal is to capture the victim's multifactor authentication information and then using it to change account settings so further transactions can be carried out without requiring the user's approval.

"Once this change is made, the injected content can start making transactions without the need to authorize them with [two-factor authentication]," Cosovan says. "Even more, the user's access to the settings is blocked, so that he can't enable the two-factor authentication for transactions," she adds.

The Blockchain.info Web inject has somewhat similar functionality but in this case is designed to steal from a user's Bitcoin wallet and transfer the digital currency to accounts held by threat actors. As a final touch, the Web inject presents the user with a "Service Unavailable" notice after stealing the cryptocurrency, thereby delaying the victim's ability to detect the theft, SecurityScorecard said.

The use of Web injects in cryptocurrency theft is one of many tactics that cybercriminals are employing to profit from the surging interest in Bitcoin, Monero, and other cryptocurrencies worldwide. Even as defenders have adapted their tactics to deal with threats, criminals have come up with new ways around them.

The latest, reported by security vendor Minerva this week, is a campaign it has dubbed GhostMiner, which involves the use of fileless crypto-mining malware. According to Minerva, the operators of the campaign are using PowerShell frameworks to conceal the presence of crypto-mining software on infected systems.

According to the company, the tactics employed in the campaign have been extremely effective at bypassing anti-malware tools. Some of the payloads being used in the campaign were completely undetected by products from all major security vendors, Minerva said.

Related content:

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
Why the CISSP Remains Relevant to Cybersecurity After 28 Years
Steven Paul Romero, SANS Instructor and Sr. SCADA Network Engineer, Chevron,  11/6/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1786
PUBLISHED: 2018-11-12
IBM Spectrum Protect 7.1 and 8.1 dsmc and dsmcad processes incorrectly accumulate TCP/IP sockets in a CLOSE_WAIT state. This can cause TCP/IP resource leakage and may result in a denial of service. IBM X-Force ID: 148871.
CVE-2018-1798
PUBLISHED: 2018-11-12
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2018-1884
PUBLISHED: 2018-11-12
IBM Case Manager 5.2.0.0, 5.2.0.4, 5.2.1.0, 5.2.1.7, 5.3.0.0, and 5.3.3.0 is vulnerabile to a "zip slip" vulnerability which could allow a remote attacker to execute code using directory traversal techniques. IBM X-Force ID: 151970.
CVE-2018-19203
PUBLISHED: 2018-11-12
PRTG Network Monitor before 18.2.41.1652 allows remote unauthenticated attackers to terminate the PRTG Core Server Service via a special HTTP request.
CVE-2018-19204
PUBLISHED: 2018-11-12
PRTG Network Monitor before 18.3.44.2054 allows a remote authenticated attacker (with read-write privileges) to execute arbitrary code and OS commands with system privileges. When creating an HTTP Advanced Sensor, the user's input in the POST parameter 'proxyport_' is mishandled. The attacker can cr...