Bitcoins: Currency of the future, or perpetual plaything of Ponzi-schemers and money launderers?
Regardless of your views on the virtual currency or value system, just like dollars -- physical or electronic -- the cryptographic currency can be used for honest and dishonest dealings alike. But by using bitcoins, people expose themselves to additional information security risks. For starters, that's because the skyrocketing value of a bitcoin has driven criminals to hunt for, and exploit, any and every related weakness they can find. Furthermore, when it comes to the infrastructure supporting bitcoins, weaknesses abound.
With that in mind, here are seven reasons why the increasing volume of bitcoin-targeting attacks won't stop.
1. Cybercrime follows the money
Criminals aren't just tapping bitcoins to disguise or launder illegal transactions. They're also trying to steal bitcoins themselves, which by virtue of being a cryptographic currency are incredibly difficult to trace. Also, with the value of a bitcoin at times reaching $1,200, cybercriminals who pull off even a small heist may net a million-dollar payday. "How can they ignore so much value?" said Etay Maor, a cybercrime expert who works for IBM's Trusteer, speaking by phone.
[Want to learn more about bitcoin heists? See Bitcoin Thefts Surge, DDoS Hackers Take Millions.]
2. Bitcoin infrastructure: still in its infancy
When it comes to protecting bitcoin transactions, however, consider what happens when you go online with an FDIC-certified bank: For starters, most banks have deployed an array of defenses against online attackers, including anti-phishing software and adaptive authentication checks. Attackers can be further foiled by using one-time approval codes sent via SMS, or providing customers with a key fob that generates a secure authentication code, either of which can be required before money transfers or other high-risk activities are allowed to proceed. Finally, all of those processes are backed by fraud detection departments and systems that can automatically freeze accounts at the first sign of any suspicious activity.
Now, how many bitcoin exchanges or payment providers offer similar levels of information security? "They're not like these banking websites that have been around for 10 years and have experienced multiple attacks. So they make a better target," said Trusteer's Maor.
He added as a disclaimer that he hasn't personally reviewed the security of any bitcoin sites. "So I don't want to say they're not secure -- because I haven't checked out their security. But they're less experienced," he said. "And yet, they're still handling millions if not billions in money." Is it any surprise they're being targeted by attackers trying to exploit any vulnerability they can find in those sites to make a quick and untraceable buck?
3. Banking malware adaptable to bitcoins
People who store bitcoins on their PCs have already been targeted by malware that scans for bitcoin files, then copies them for the attackers. Targeting bitcoin exchange users turns out to be a relatively simple exercise, at least for existing crimeware toolkit builders and by extension their customers.
Take the Gameover malware, which is a Zeus variant designed to target banks. "I don't want to give the bad guys credit, but it's one of the better versions of Zeus," Maor said. One feature of the malware is that, on any system it's infected, it waits for a user to connect to a designated banking website, then steals their login credentials and relays them to attackers.
About three weeks ago, however, a new version of Gameover debuted that also began watching for anyone who connected to Shanghai-based BTC China Exchange, which handles 40% of the world's bitcoin transactions. BTC China does employ one-time codes to verify transactions. Accordingly, the malware will hide any attacker-made transactions -- using HTML injection -- and, in a social engineering attack, tell the user that they should input the one-time code they're about to receive as a security check. If they do, the malware siphons off their holdings.
Technically speaking, adapting Gameover to steal bitcoins required only a minor upgrade. "It's simply adding a new target to the long list of targets that it has," Maor said. "Everyone knows banking applications and services are targeted, but they should know that these bitcoin services are a target too."
4. Bitcoin exchanges are like banks -- in the Wild West
As the Gameover variant suggests, anyone buying or selling bitcoins is signing up for a set of risks that go beyond the fluctuating value of their currency, starting with ones from the very organizations that they rely on to handle the currency. "It really is a modern-day bank on the frontier, the old Western bank," said Carl Herberger, VP of security solutions at Radware, speaking by phone.
Unlike a modern-day Wells Fargo, bitcoin depositors must worry not only if their funds will be stored securely, but also if their banker is really a banker. For example, the China-based bitcoin exchange GBL, which launched in May, shut without warning in October, when whoever was running the site absconded with almost 1,000 of people's bitcoins, which were worth about $4.1 million.
The same month as that scam, two separate attacks against Australia-based Inputs.io resulted in the theft of all 4,100 bitcoins -- worth about $1.3 million -- being held by the web wallet service, which had advertised itself as being a "free and secure bitcoin wallet for everyone." Likewise, in November, hackers used a distributed denial-of-service (DDoS) attack to disguise a heist of 1,285 bitcoins -- worth almost $1 million -- from an e-wallet service offered by Denmark-based processing provider Bitcoin Internet Payment System (BIPS).
Needless to say, those e-wallet heists lead security experts to warn users against storing any bitcoins online.
5. Spammers can target bitcoins too
Criminals have also been targeting bitcoin users via spam attacks and bogus websites. For example, Kenny MacDermid, a security research analyst with Arbor Networks' ASERT team, recently said he'd received three copies -- in a single day -- of spam from bitcoin-alarm.net. The site offers instructional videos, as well as a free, downloadable Windows executable called BitcoinAlarm.exe, which purports to tell users when the value of bitcoins fluctuates.
Is the application legitimate? In fact, MacDermid's scans of the executable found that it will install a script on the system that first checks to see if antivirus applications are running, which is never a good sign. "A scan of the rest of the file contains other interesting methods like 'disable_uac,' 'anti_hook,' 'persistence,' 'botkiller,' 'downloader,' 'disable_syste_restore,'" MacDermid said in a blog post.
Digging a bit deeper, another file dropped by the installer is a remote-access Trojan called NetWiredRC, which is used to steal login information, and "likely in this case being used to steal bitcoins," MacDermid said. In case you had any doubts, the Trojan also connects to "bitcoins.dd-dns.de." As of Thursday, 23 out of 49 virus engines flagged Bitcoin Alarm as malicious. But last week, it was only being flagged by Kaspersky Lab.
6. Criminals can dump bitcoins quickly
Theoretically, government agencies running a massive digital dragnet could track some bitcoin transactions -- especially with taps on the right computers -- and unmask the identity of criminals who steal bitcoins and convert them to cash. But as a practical matter, individual bitcoin users shouldn't expect that stolen bitcoins will ever be returned to them. That's not just because bitcoins are relatively untraceable. It's also because criminals dump them as fast as possible.
"It seems cybercriminals are not bitcoins value speculators -- they are interested in quickly monetizing stolen bitcoins or using them as money-laundering mechanism," according to Maor. "They sometimes use additional services such as the Tor hidden service 'Bitcoin Fog Company' as an additional anti-trace back-step."
7. Legal nods suggest bitcoin is here to stay
During the past month, the People's Bank of China has been cracking down on virtual currencies, first by prohibiting Chinese financial institutions from handling bitcoins. This week, the central bank expanded its restrictions, announcing that by the end of January all of the country's third-party payment providers must stop providing clearing services for cryptographic virtual currencies, including bitcoin and litecoin. Cue a selloff, with the news sending the value of bitcoins plummeting by about 40%.
But China is unlikely to blunt investors' enthusiasm in the virtual currency. In fact, many people's optimism has been buoyed by a US Department of Justice official last month telling a Senate committee that bitcoins could be a "legal means of exchange," thus seeming to bolster the virtual currency's long-term viability. "We all recognize that virtual currencies, in and of themselves, are not illegal," Mythili Raman, acting assistant attorney general of the Justice Department's criminal division, said at the Senate hearing.
Likewise, PayPal president David Marcus said earlier this month at the LeWeb conference in Paris that his company would consider accepting bitcoins if their value stopped fluctuating so wildly. "It won't be a currency until volatility slows down," he said. "Whenever the regulatory framework is clearer, and the volatility comes down, then we'll consider it."
In other words, bitcoins' long-term prospects look good. But for all the reasons outlined above, including the weaknesses in many institutions that touch bitcoins, don't expect attackers to discontinue cooking up new ways to steal the cryptographic currency -- and succeeding.
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.
The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)