Criminal Web-Injects Can Steal Cryptocurrency

Criminals have deployed a variety of tactics in recent months to try and profit from the cryptocurrency boom. One of them is the use of Web injects to intercept and modify traffic between user browsers and cryptocurrency sites in order to steal coins from victims and transfer it to accounts held by criminals.

Third-party risk management firm SecurityScorecard says it has seen recent evidence of threat actors using Web injects to target crypto-currency exchange Coinbase and Bitcoin wallet Blockchain.info.

Tens of thousands of bots can run the Web injects to steal crypto-currency, making them a potent threat for investors and exchanges, according to SecurityScorecard.

A Web inject is basically code for injecting malicious content into a Web page before the page is rendered on a user's browser. This work by intercepting and modifying traffic between a Web server and user browser in such a manner that the victim typically does not notice anything amiss.

Web injects can be used to add or delete content on the Web pages that a victim sees. For instance, a Web inject can be used to add a field in the login screen for capturing the PIN a user might use to access his or her bank account, or it can be used to delete warnings that a user might normally see when viewing a particular Web page.

Web injects typically have been used to steal credentials for accessing bank accounts, but recently have begun to play a role in crypto-currency heists as well.

Bot masters can readily buy the Web injects for Coinbase and Blockchain.info and distribute them to infected computers in a botnet, says Doina Cosovan, malware researcher at SecurityScorecard.

The malware installed on those infected computers receive the Web injects and inject them in the Coinbase and Blockchain.info websites if a user happens to visit either site.

These Web injects are provided as a service, so different malware families can use them. Cosovan says. "We noticed Zeus and Ramnit in particular, but these are simply examples we observed.

Any other bot master controlling bots infected with a malware family which has capabilities to inject code in websites can buy and use these Web injects on their bots," she notes.

The Web inject for Coinbase that SecurityScorecard discovered is designed to change the settings on a victim's account in order to enable digital coin transfers without requiring the user's confirmation.

When a user tries to log in to his or her Coinbase account, the injected JavaScript content first disables the "Enter" key for the email and password fields so the user has to actually click on the "Submit" button in order to submit the form, according to SecurityScorecard.

It also creates a new button that has mostly the same attributes as the original button, and a few additional malicious ones. It then adds the rogue "Submit" button on top of the original sign-in button so that the victim clicks on the malicious button rather than the original.

The ultimate goal is to capture the victim's multifactor authentication information and then using it to change account settings so further transactions can be carried out without requiring the user's approval.

"Once this change is made, the injected content can start making transactions without the need to authorise them with [two-factor authentication]," Cosovan says. "Even more, the user's access to the settings is blocked, so that he can't enable the two-factor authentication for transactions," she adds.

The Blockchain.info Web inject has somewhat similar functionality but in this case is designed to steal from a user's Bitcoin wallet and transfer the digital currency to accounts held by threat actors.

As a final touch, the Web inject presents the user with a "Service Unavailable" notice after stealing the crypto-currency, thereby delaying the victim's ability to detect the theft, SecurityScorecard said.

The use of Web injects in cryptocurrency theft is one of many tactics that cybercriminals are employing to profit from the surging interest in Bitcoin, Monero, and other cryptocurrencies worldwide. Even as defenders have adapted their tactics to deal with threats, criminals have come up with new ways around them.

Dark Reading

You Might Also Read: 

World's Biggest Ever Digital Currency Theft:

Bitcoin Exchanges Under Siege:

« The Cloud Is A Key To Cyber Defence
Cambridge Analytica, Facebook & GDPR »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Prosperon Networks

Prosperon Networks

Prosperon Networks support SMB to Enterprise networks through the provisioning of network monitoring software, customisation, consultancy and installation.

Qualitèsoft Technology

Qualitèsoft Technology

Qualitèsoft Technology is a leading Software Development and Quality Assurance organization. We specialize in Custom Development, Mobile Application, Software Testing and Quality Assurance.

360Logica

360Logica

360Logica is a software testing company offering numerous kinds of testing services to improve the quality and performance of your software and IT systems.

BitSight Technologies

BitSight Technologies

BitSight transforms how companies manage information security risk with objective, verifiable and actionable Security Ratings.

Digiserve

Digiserve

Digiserve by Telkom Indonesia is an end-to-end managed solutions provider committed to empowering enterprises in Indonesia.

Lightship Security

Lightship Security

Lightship Security is an accredited Common Criteria and FIPS 140-2 IT security testing laboratory that specializes in test conformance automation solutions and IT product security certifications.

EPIC Insurance Brokers & Consultants

EPIC Insurance Brokers & Consultants

EPIC is an insuarnce broker and consultancy firm. Risk management services include risk consultancy and cybersecurity insurance.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Cyber Risk Aware

Cyber Risk Aware

Cyber Risk Aware provide a security awareness and phishing simulation platform that focuses on real threats and educates and empowers employees to be the first line of defence.

Knowledge Lens

Knowledge Lens

Knowledge Lens builds innovative solutions on niche technology areas such as Big Data Analytics, Data Science, Artificial Intelligence, Internet of Things, Augmented Reality, and Blockchain.

Grant Thornton

Grant Thornton

Grant Thornton is one of the world’s leading networks of independent assurance, tax and advisory firms.

Rocky Mountain Cybersecurity

Rocky Mountain Cybersecurity

Rocky Mountain Cybersecurity's mission is to provide value by dramatically improving the cybersecurity posture of our clients and business partners.

Cognilytica

Cognilytica

Cognilytica’s Cognitive Project Management for AI (CPMAI) training and certification is recognized around the world as the best practices methodology for implementing successful AI & ML projects.

Diversified Technical Services Inc. (DTSI)

Diversified Technical Services Inc. (DTSI)

DTSI provides a wide range of technology solutions for Federal Agencies, the Department of Defense, and commerical organizations with capabilities including Cyber Security and DevSecOps.

AKS iQ

AKS iQ

AKS iQ leads the RegTech sector with AI, automating regulatory compliance in the banking industry and ensuring paperless TBML and CFT adherence in finance.

Togggle

Togggle

Togggle offers seamless identity verification solutions and distributed infrastructure, enabling organizations to combat fraud and ensure compliance with data protection regulations.