12/19/2013
01:30 PM

7 Reasons Why Bitcoin Attacks Will Continue

Cryptographic currency's rising value makes it an appealing target for cybercrime gangs and crimeware toolkit developers.

Bitcoins: Currency of the future, or perpetual plaything of Ponzi-schemers and money launderers?

Regardless of your views on the virtual currency or value system, just like dollars -- physical or electronic -- the cryptographic currency can be used for honest and dishonest dealings alike. But by using bitcoins, people expose themselves to additional information security risks. For starters, that's because the skyrocketing value of a bitcoin has driven criminals to hunt for, and exploit, any and every related weakness they can find. Furthermore, when it comes to the infrastructure supporting bitcoins, weaknesses abound.

With that in mind, here are seven reasons why the increasing volume of bitcoin-targeting attacks won't stop.

1. Cybercrime follows the money
Criminals aren't just tapping bitcoins to disguise or launder illegal transactions. They're also trying to steal bitcoins themselves, which by virtue of being a cryptographic currency are incredibly difficult to trace. Also, with the value of a bitcoin at times reaching $1,200, cybercriminals who pull off even a small heist may net a million-dollar payday. "How can they ignore so much value?" said Etay Maor, a cybercrime expert who works for IBM's Trusteer, speaking by phone.

[Want to learn more about bitcoin heists? See Bitcoin Thefts Surge, DDoS Hackers Take Millions.]

2. Bitcoin infrastructure: still in its infancy
When it comes to protecting bitcoin transactions, however, consider what happens when you go online with an FDIC-certified bank: For starters, most banks have deployed an array of defenses against online attackers, including anti-phishing software and adaptive authentication checks. Attackers can be further foiled by using one-time approval codes sent via SMS, or providing customers with a key fob that generates a secure authentication code, either of which can be required before money transfers or other high-risk activities are allowed to proceed. Finally, all of those processes are backed by fraud detection departments and systems that can automatically freeze accounts at the first sign of any suspicious activity.

Now, how many bitcoin exchanges or payment providers offer similar levels of information security? "They're not like these banking websites that have been around for 10 years and have experienced multiple attacks. So they make a better target," said Trusteer's Maor.

He added as a disclaimer that he hasn't personally reviewed the security of any bitcoin sites. "So I don't want to say they're not secure -- because I haven't checked out their security. But they're less experienced," he said. "And yet, they're still handling millions if not billions in money." Is it any surprise they're being targeted by attackers trying to exploit any vulnerability they can find in those sites to make a quick and untraceable buck?

3. Banking malware adaptable to bitcoins
People who store bitcoins on their PCs have already been targeted by malware that scans for bitcoin files, then copies them for the attackers. Targeting bitcoin exchange users turns out to be a relatively simple exercise, at least for existing crimeware toolkit builders and by extension their customers.

Take the Gameover malware, which is a Zeus variant designed to target banks. "I don't want to give the bad guys credit, but it's one of the better versions of Zeus," Maor said. One feature of the malware is that, on any system it's infected, it waits for a user to connect to a designated banking website, then steals their login credentials and relays them to attackers.

About three weeks ago, however, a new version of Gameover debuted that also began watching for anyone who connected to Shanghai-based BTC China Exchange, which handles 40% of the world's bitcoin transactions. BTC China does employ one-time codes to verify transactions. Accordingly, the malware will hide any attacker-made transactions -- using HTML injection -- and, in a social engineering attack, tell the user that they should input the one-time code they're about to receive as a security check. If they do, the malware siphons off their holdings.

Technically speaking, adapting Gameover to steal bitcoins required only a minor upgrade. "It's simply adding a new target to the long list of targets that it has," Maor said. "Everyone knows banking applications and services are targeted, but they should know that these bitcoin services are a target too."
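The attack above works because the one-time code the user types tells them nothing about what it authorizes. A server-side mitigation, as an added example that is not from the article, from BTC China or from any exchange's code: bind every code to the exact transfer it approves, put the amount and destination in the SMS that carries it, and accept it once, for a short window, only for that transfer. All names (`Transfer`, `TransactionBoundOTP`) and the key and addresses in the test are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    """The transfer a code authorizes (amount kept as a string to avoid float rounding)."""
    account: str
    dest_address: str
    amount_btc: str


class TransactionBoundOTP:
    """Issues one-time codes that are valid for exactly one transfer, once, for a short time.

    A code obtained for transfer A cannot be applied to transfer B, and the SMS text that
    carries it names the amount and destination, so the user sees what they are really
    approving regardless of what an injected web page tells them.
    """

    def __init__(self, server_key: bytes, ttl_seconds: int = 300):
        self._key = server_key            # constructed secret; in practice from an HSM or KMS
        self._ttl = ttl_seconds
        self._pending = {}                # code_id -> [Transfer, issued_at, used]

    def _derive(self, code_id: str, t: Transfer) -> str:
        # The 6-digit code is an HMAC over the transfer details, so it is tied to them.
        msg = f"{code_id}|{t.account}|{t.dest_address}|{t.amount_btc}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, t: Transfer, now: Optional[float] = None) -> Tuple[str, str]:
        """Create a code for one transfer; returns (code_id, sms_text). The code lives only in the SMS."""
        code_id = secrets.token_hex(8)
        code = self._derive(code_id, t)
        self._pending[code_id] = [t, now if now is not None else time.time(), False]
        sms = (f"Confirm sending {t.amount_btc} BTC to {t.dest_address}. Code: {code}. "
               f"If you did not request this transfer, do not enter the code anywhere.")
        return code_id, sms

    def verify(self, code_id: str, submitted: str, t: Transfer,
               now: Optional[float] = None) -> bool:
        """Accept the code only for the transfer it was issued for, within the TTL, once."""
        entry = self._pending.get(code_id)
        if entry is None:
            return False
        issued_for, issued_at, used = entry
        now = now if now is not None else time.time()
        if used or now - issued_at > self._ttl:
            return False
        if issued_for != t:
            return False  # details changed (e.g. destination swapped) after the code went out
        if not hmac.compare_digest(self._derive(code_id, t), submitted):
            return False
        entry[2] = True  # burn the code so it cannot be replayed
        return True
```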

4. Bitcoin exchanges are like banks -- in the Wild West
As the Gameover variant suggests, anyone buying or selling bitcoins is signing up for a set of risks that go beyond the fluctuating value of their currency, starting with ones from the very organizations that they rely on to handle the currency. "It really is a modern-day bank on the frontier, the old Western bank," said Carl Herberger, VP of security solutions at Radware, speaking by phone.

Unlike a modern-day Wells Fargo, bitcoin depositors must worry not only if their funds will be stored securely, but also if their banker is really a banker. For example, the China-based bitcoin exchange GBL, which launched in May, shut without warning in October, when whoever was running the site absconded with almost 1,000 of people's bitcoins, which were worth about $4.1 million.

The same month as that scam, two separate attacks against Australia-based Inputs.io resulted in the theft of all 4,100 bitcoins -- worth about $1.3 million -- being held by the web wallet service, which had advertised itself as being a "free and secure bitcoin wallet for everyone." Likewise, in November, hackers used a distributed denial-of-service (DDoS) attack to disguise a heist of 1,285 bitcoins -- worth almost $1 million -- from an e-wallet service offered by Denmark-based processing provider Bitcoin Internet Payment System (BIPS).

Needless to say, those e-wallet heists have led security experts to warn users against storing any bitcoins online.

5. Spammers can target bitcoins too
Criminals have also been targeting bitcoin users via spam attacks and bogus websites. For example, Kenny MacDermid, a security research analyst with Arbor Networks' ASERT team, recently said he'd received three copies -- in a single day -- of spam from bitcoin-alarm.net. The site offers instructional videos, as well as a free, downloadable Windows executable called BitcoinAlarm.exe, which purports to tell users when the value of bitcoins fluctuates.

Is the application legitimate? In fact, MacDermid's scans of the executable found that it will install a script on the system that first checks to see if antivirus applications are running, which is never a good sign. "A scan of the rest of the file contains other interesting methods like 'disable_uac,' 'anti_hook,' 'persistence,' 'botkiller,' 'downloader,' 'disable_syste_restore,'" MacDermid said in a blog post.

Digging a bit deeper, another file dropped by the installer is a remote-access Trojan called NetWiredRC, which is used to steal login information, and "likely in this case being used to steal bitcoins," MacDermid said. In case you had any doubts, the Trojan also connects to "bitcoins.dd-dns.de." As of Thursday, 23 out of 49 virus engines flagged Bitcoin Alarm as malicious. But last week, it was only being flagged by Kaspersky Lab.

Comments
infinitnet
User Rank: Apprentice
1/3/2014 | 10:55:44 AM
Bitcoin DDoS attacks
Every operator of a Bitcoin mining pool should protect his business as well as his users from cyber criminals by using proper DDoS protection (read: http://www.r00t-services.net/announcements/8/Bitcoin-Mining-Pools-and-DDoS-Attacks.html) to avoid all those problems.
Faye Kane, homeless brain
User Rank: Apprentice
12/30/2013 | 10:02:22 PM
Well, I guess I ought to reply to that because it's so mean

Look,  I only came here to read the latest news about our industry.  But you dragged the conversation off a technical topic because you're mad at me. I couldn't care less, because I'm autistic, but eventually you'll blame ME for making this personal. And I don't want that. My only post for this article was about bitcoins use. That is, until now, after you changed the subject to rape and my opinion of it.  I wish I could just S T F U and let you malign me and misrepresent something I said.  But I can't.  I don't actually know why, but it has something to do with integrity.

Everybody has a right to their opinions without being hated for them.  You can only judge what people do, not how they feel about something. So don't blame ME for YOUR anger at my opinions. This post is intended as a shotgun blast to give the lie to your unfair assertions. It's also to end this conversation about my attitudes concerning rape, which you started. So don't raise hell and get all offended when that's exactly what this is.

...or I'll spank you in public again.

[sigh...] Okay, you're probably referring to this:

"Women's lib gone mad redefined "rape" to include all kinds of non-coercive, fun things."

Read my post again, inattentive angry guy.  How is that equating genuine forcible rape with a simple compliment?

That's not a rhetorical question, Poindexter.

Also, you chastise me for my supposed opinion of rape victims, which you deem not sufficiently reverent:

"These two things are not even in the same universe of comparisons, and for you to attempt to do so is an insult in addition to the injury on the person of anyone who has ever been sexually molested and attacked."

WELL, since you inappropriately brought up my attitude about this inappropriate topic, I 'll say right now that I do NOT think that a compliment at work is the same as rape.

Meaningless compliments are nowhere NEAR as exciting as being raped against your will by a complete stranger.

Well, at least, *I* liked it.  And so did the 40% of women who orgasm during stranger rape. Judging from my experience, the other 60% almost did, but the man finished first.

Here, see for yourself in an academic article by a female scientist (Journal of Clinical Forensic Medicine vol. 11, p. 82).

Or you can just read this, by a (female) rape crisis therapist:

The basic concept of experiencing orgasm during rape is a confusing and difficult one for many people, both survivors and those connected to survivors.

There are people who do not believe it's possible for a woman or man to achieve orgasm during rape or other kinds of violent sexual assault. Some believe having an orgasm under these circumstances means that it wasn't a "real" rape or the woman/man "wanted" it.

I've assisted more young women than I can count with this very issue. It often comes up at some point during therapy and it's extremely embarrassing or shameful to talk about. However once it's out in the open, the survivor can look at her/his reaction honestly and begin to heal. The shame and guilt around it is a large part of why some rapes go unreported and why there is a need for better understanding in society for how and why this occurs.

There have been very few studies on orgasm during rape, but the research so far shows numbers from 10% to over 50% having this experience. In my experience as a therapist, it has been somewhat less than half of the girls/women I've worked with.

[ Which is around 40%, just what the journal article says ]

In professional discussions, colleagues report similar numbers. Therapists don't usually talk about this publicly as they fear contributing to the idea of victims "enjoying rape." It's also a reason why there isn't more research done on this and similar topics. My belief is that as difficult a topic as this is, if we can address it directly and remove the shame and stigma, then a lot more healing can happen.

======================

As for me, I was unimaginably shy in 2001 when it happened. Pathological. I only spoke in a whisper and never looked at anybody. Then IT happened. I was raped for two days by a sadistic stranger who was overflowing with the "sexual anger." Some of the things he made me endure would almost certainly match the definition of "torture." He let me go after two continuous, nonstop days of this: when he was sleeping, I was still being hurt. He knew damn well that I wouldn't call the police about something I discovered I crave.

But even though I was tied down, unable to move even a little, and crying the whole time, it was a necessary and wonderful epiphany, like a religious revelation. A truth I had run away and hid from was forced into me. Now I'm an outspoken smartmouth smartass, and I'm not scared of anyone or anything, ever.

There's a whole lot more to it than that, but it basically had to do with remembering a horrible, wonderful truth I had always suppressed: that I'm not just a systems programmer, I'm also a female animal that exists for a single reason: to be brutally mated and die.

Here, read all the details.

Writing that was cathartic. It let me see the Big Picture. You'll be furious at me for such a shameful, depraved narrative, even though it's just a description of the bad things a man did to me one weekend.

...Well, you'll be furious at me right after you put the hand lotion away.

Though the things he did were more unimaginably painful than I thought was possible to feel, it was also intensely pleasurable at a deep level I didn't even know existed in me. It was a beautiful, transformative experience that changed my life which I will never, EVER do again. But the truth made me free: I'm now a sex slave for a group house where I have to be naked all the time. A girl I knew in college lets me live here for free. Pix on my blog.

For 10 years I've posted stuff there specifically to spread the Good News for all-too modern man: you too can be a serial rapist—it's not just for stupid people anymore.

We hate in others what we fear in ourselves:

"These two things are not even in the same universe of comparisons, and, for you to attempt to do so is an insult in addition to the injury on the person of anyone who has ever been sexually molested and attacked."

Right. I feel ashamed of myself and intimidated. I'll probably commit hara-kiri to atone for my sin of liking rape and daring to say that at least 40% of the other "victims" do, too.

Now then, geek, will you continue trying to intimidate me and double down on your angry, wrong beliefs? Or will you come to your senses and discontinue this unfortunate, off-topic conversation by not replying to this?

I pray for the latter, so we can go back to discussing Bitcoins.

♥,

-faye kane ♀ girl brain ♀ My blog


asksqn
User Rank: Apprentice
12/30/2013 | 4:26:34 PM
Re: It's not about government taxes; it's about government, per se.
I agreed with you right up til you equated rape with getting complimented at work. These two things are not even in the same universe of comparisons, and, for you to attempt to do so is an insult in addition to the injury on the person of anyone who has ever been sexually molested and attacked.
asksqn
User Rank: Apprentice
12/30/2013 | 4:12:55 PM
Welcome to the jungle
Bitcoin is a viable alternative to the central banking cartel, but unless and until an established marketplace such as eBay gets on board with it, it will continue to be the wild, wild west den of thieves it currently is.
Faye___Kane
User Rank: Apprentice
12/21/2013 | 3:47:41 PM
It's not about government taxes; it's about government, per se.

I'm pretty sure very few people go to all the trouble of bitcoin just to avoid sales tax. Very few "normal" items are buyable in bitcoin anyway. And no one who makes a million dollars a year and gets taxed for it keeps it in bitcoin. The real reason it's popular:

People use bitcoin to buy harmless things that the 21st-century, NSA-infested American government doesn't want you to have.

Our society has become more and more repressive, thanks to Liberals winning the culture war of the 60's. I'm so Liberal I'm probably a communist, but that's no excuse for jack-booting other people.

Just one example: Women's lib started out with outrage against guys beating up their wives and telling the judge "Aww, I was just drunk." Also, there were asymmetric laws favoring men. But it didn't stop when we ended those. Soon, they redefined "rape" to include all kinds of non-coercive, fun things. Google the guy who got fired for telling a Seinfeld joke from TV.

Now, guys are terrified to compliment us at work. That's horrible. The "n-word" is another example. Saying it used to just mean that you're ignorant and stupid. Now it's a "hate crime". Gambling is another example, and there are plenty more.

We have met the new boss, same as the old boss, and he is us.

People use bitcoin for gambling because the government won't let them use Visa. Guys use bitcoin to buy porn that's legal everywhere but the US—pictures in which the "victims" obviously enjoy their job. In every country in Europe, the age of consent is 16 or less, and most are 14 or 13.  Yes, really: http://tinyurl.com/euroconsent

People use bitcoin to buy weed which is legal in 3 states and that never should have been illegal in the first place. They also buy medicine that the drug companies are allowed to charge $15/pill for and (in my case) Adderall for ADD that I'd otherwise have to pay a shrink $120 a visit for plus an outrageous price at the pharmacy.

Until people demand that the government stops spying on us, stops taking bribes from big business, and stops putting people in Security Prison for "crimes" without any victim,  people will continue to use bitcoin.

But it's not about sales tax. Just as in many other countries, it's about technology making us free from government gone mad.

Gary_EL
User Rank: Apprentice
12/21/2013 | 3:04:36 PM
Play with fire - you might get burned.
As far as I can tell, the main purpose of Bitcoin is for someone to hide whatever he or she is doing from governments, and especially the tax authorities. Since there is no honor among thieves, it's quite possible that, outside the protection of the law and the scrutiny of the banks, that person will become a victim rather than a successful tax evader. "As ye sow, so shall ye reap."
anon2632018287
User Rank: Apprentice
12/19/2013 | 10:22:28 PM
Other attacks
Other attacks include infiltrating accounts and setting up/getting API keys.  These keys allow the normal login to be circumvented and they are used for such things as automated trading programs.

One attack/spam attempt is to register an address at blockchain.info and link that address to a web site. Then send out very small amounts of Bitcoin. If the user checks blockchain.info to see what the transaction is they may click on the link.

If someone says to send your Bitcoins to a Bitcoin "doubler" that runs some kind of special algorithm that doubles your balance ... don't do it!