Hackers infiltrated analytics platform used by 2m sites to syphon Bitcoin from gate.io

“Supply-chain attack” saw more than 680,000 sites actively infected but the code only specified an address used by gate.io

Graphic of a person stealing cryptocurrency from a laptop

Hackers infiltrated an online analytics platform used by more than two million other websites over the weekend, but did so to target just one cryptocurrency exchange platform.

Malicious code injected into a StatCounter tracking script infected every site that uses the analytics service  currently 688,154  but the code itself singled out just one uniform resource identifier (URI) 'myaccount/withdraw/BTC' seemingly used by gate.io.

Advertisement - Article continues below

Gate.io is a popular cryptocurrency exchange platform valued at more than $33 million, with more than $2.8 million in Bitcoin exchanged in just the last 24 hours at the time of writing.

But findings published by ESET showed how attackers, in this "supply-chain attack", infiltrated StatCounter to intercept Bitcoin exchanges made via the platform to syphon away cryptocurrency for themselves.

StatCounter was infiltrated on 3 November, security researcher Matthieu Faou wrote, and the platform removed the infected script three days later.

During that time, gate.io also stopped using StatCounter's analytics service, nullifying the threat. But it is unclear how much cryptocurrency may have been stolen during the short period the infection was active.

"Even if we do not know how many Bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange," Faou wrote.

Advertisement
Advertisement - Article continues below

"To achieve this they compromised an analytics service's website, used by more than two million other websites, including several government-related websites, to steal Bitcoin from customers of just one cryptocurrency exchange website.

Advertisement - Article continues below

"It also shows that even if your website is updated and well protected, it is still vulnerable to the weakest link, which in this case was an external resource.

"This is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice."

The hackers modified the JavaScript-written code by adding a malicious element in the middle of the script, which Faou noted as unusual given attackers generally add malicious code at the beginning, or end of a legitimate file. Code injected into the middle, however, is typically harder to detect when examined by eye.

Moreover, they registered a domain very similar to the legitimate StatCounter one, https://www.statconuter[.]com/c.php, which can also be difficult to detect by eye when scanning logs for unusual activity.

The script was specifically injected into gate.io's 'transfer' web page, where users can transfer the cryptocurrency from a gate.io account to an external Bitcoin address.

Advertisement - Article continues below

It worked by automatically replacing this destination transfer address with an address owned by attackers, with a malicious server generating a fresh Bitcoin address each time a visitor loads the malicious URL.

"On 6 November 2018, we got the notice from ESET researcher's report and the "ESET Internet Security" product that there's a suspicious behaviour in StatCounter's traffic stats service," gate.io said in a statement.

"We immediately scanned it on Virustotal in 56 antivirus products. No one reported any suspicious behaviour at that time.

"However, we still immediately removed the StatCounter's service. After that, we didn't find any other suspicious behaviours. The users' funds are safe."

Despite touted as a secure form of currency exchange, cited by its advocates as one of the benefits over traditional currency, Bitcoin has been dogged with several high-profile thefts and security concerns.

Malicious Bitcoin mining scripts, also known as cryptojacking, in particular, has emerged as a popular form of attack on unsuspecting web users.

Thousands of government websites, for example, were hit by a massive mining hack in February, with attackers hijacking their computer power to mine several cryptocurrencies.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020