Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques

Published at: June 23, 2019

Much of digital assets’ appeal stems from the fact that many of them are not affiliated with or controlled by governments, central banks or transnational corporations (at least, not yet). The price paid for this independence from the institutions of global capitalism, though, can sometimes be extremely high, as, in the event of cryptocurrency theft, there is no one to appeal to for recourse. Further still, the irreversible nature of blockchain transactions makes it extremely difficult to get the money back once it’s gone.

The villains of the internet love cryptocurrencies for the same reasons. In the last few years, marked by the spike of popularity for digital money, hackers and scammers of all sorts have perfected the art of pilfering it from unwitting users, many of whom are newcomers to the space.

Roughly a year ago, Cointelegraph had already compiled a lengthy overview of many popular crypto-stealing tricks and tips on how to avoid falling prey to them. While the list remains relevant as ever, the time has come to revisit the subject to see if there are new threats to your crypto assets to beware of.

Aggregate dynamics

A recent report by cryptocurrency intelligence firm CipherTrace estimated losses from digital currency theft and scams in the first quarter of 2019 at $356 million, with additional fraud or misappropriated fund losses amounting to $851 million in the same period. Alarmingly, this Q1 total of $1.2 billion constituted 70% of the total losses to crypto crime in all of 2018, indicating intensified hacking activity in the first months of 2019.

At the same time, a study conducted by security company Positive Technologies registers a change in the structure of attacks. The share of cryptojacking — or, hidden cryptocurrency mining — in the overall volume of cyberattacks seems to be declining: Having reached a peak in early 2018, this type of criminal activity dropped to just 7% in the first quarter of 2019. The analysts noted, however, that the observed trend merely reflects the way malware previously used primarily for cryptojacking has become smarter and more versatile. If the virus recognizes that the machine it took over lacks processing power, it may switch to other modes of operation, such as clipboard hijacking.

Researchers at Positive Technologies predicted an increase in the overall number of attacks in the second quarter of the year. Their report pointed out malware and social engineering as attackers’ most widely used tactics and recorded the increasing prominence of ransomware attacks. These findings are further corroborated by ransomware recovery company Coveware, whose analysis revealed a 89% increase in an average ransom from the fourth quarter of 2018 to the first quarter of 2019.


Although perpetrators of ransomware attacks nearly always demand payment in cryptocurrency, this type of criminal activity is not specific to the crypto sphere, targeting companies from a wide range of industries. This type of intrusion entails infecting the victim’s device with a piece of code that denies the owner access to their system or data, and demanding payment to regain access. Since these attacks usually prey on fairly large corporate entities, we will skip over to those that seek to part individual crypto investors from their digital funds.

Malware or social engineering?

One intuitive way to classify attacks that target users’ digital assets would be to juxtapose those that seek to find weak spots in software (say, secretly infecting a victim’s computer with an ingenious virus) and those aimed at exploiting errors in human judgement (fooling a person into handing over their wallet’s private key).

Yet, in fact, these two modes exist on a spectrum rather than on a binary scale. The most successful thefts entail some degree of participation on behalf of the victim — such as opening a phishing email, using public Wi-Fi to check a crypto wallet or willingly installing a shady app — and a piece of malicious code, whether it is a Trojan or a scam bot on Slack.

Breaking the variety of threats down according to the attack vector is perhaps a more meaningful strategy. It is also far from optimal, though, as many known viruses these days can alter their behavior according to circumstances, and are capable of both installing hidden miners and simply stealing keys as needed. The following typology is therefore highly contingent.

Clipboard hijacking

Because no one wants to manually type in long, case-sensitive strings of random alphanumeric characters, we all use the copy/paste function to enter the addresses we send our coins to. Clipboard hijackers (aka clippers) are pieces of malware that watch the clipboard for content that looks like a crypto wallet address and then trigger a script that silently replaces it with an address belonging to the attacker. As a result, often without the victim realizing what happened, the digital currency flows straight into the thief’s pocket. Using the same technique, clippers are capable of stealing passwords and keys as well.
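The defensive counterpart to a clipper is a paste-time check: remember what the user copied, and before a transaction is signed verify that the pasted address is checksum-valid and identical to what was copied. The following is an added example, not code from the article or from any wallet vendor; the clipboard hook itself is assumed to exist and copy/paste events are passed in as plain strings, and the sample addresses are the public Bitcoin genesis-block address plus a constructed substitute.

```python
import hashlib

# Assumed (not from the article): a wallet or browser extension feeds copy and
# paste events into PasteGuard; the OS clipboard hook is left out here.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    # Base58Check uses the first 4 bytes of SHA256(SHA256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def base58check_valid(addr: str) -> bool:
    """True if addr is a well-formed Base58Check string (e.g. a legacy Bitcoin address)."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58_ALPHABET.index(ch)
    except ValueError:  # character outside the Base58 alphabet
        return False
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) >= 5 and _checksum(raw[:-4]) == raw[-4:]


class PasteGuard:
    """Remembers the last copied address and flags a paste that differs from it."""

    def __init__(self) -> None:
        self.last_copied = None

    def on_copy(self, text: str) -> None:
        self.last_copied = text.strip()

    def on_paste(self, text: str) -> str:
        """Return 'ok', 'swapped' (content changed since copy) or 'invalid' (bad checksum)."""
        pasted = text.strip()
        if not base58check_valid(pasted):
            return "invalid"
        if self.last_copied is not None and pasted != self.last_copied:
            return "swapped"
        return "ok"


# Constructed sample input: the public Bitcoin genesis-block address and a
# checksum-valid substitute standing in for an attacker's address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SUBSTITUTE = base58check_encode(b"\x00" + b"\x01" * 20)
```

A clipper typically swaps in a checksum-valid address, so the checksum alone is not enough; the copy/paste comparison is what catches the substitution.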


Perhaps the most sinister specimen of clipper malware uncovered so far in 2019 is the one that made it onto the Google Play Store disguised as the mobile version of MetaMask, a popular client used to access decentralized applications (DApps) from a web browser — except, there is no MetaMask version for mobile. Although it was taken down soon after discovery, the very fact that the app managed to get past the Play Store’s defenses is striking, and it reminds us that even the authenticity of software found in major stores should not be taken for granted.

Cryptojacking

Cryptojacking, also known as hidden mining, is the covert exploitation of other users’ devices to mine cryptocurrency. Usually, a targeted computer gets infected by a Trojan that installs a miner. Victims do not get stripped of their crypto assets directly, yet the losses they sustain may be quite unpleasant, from footing enormous electricity bills to having an overloaded computer break down.

The number of detected attacks of this type exhibits a curious pattern of strong correlation with crypto prices. As the aforementioned reports suggested, the overall share of cryptojacking attacks appears to be declining this year — however, the ingenuity of their perpetrators is only growing. Some hidden mining operations may reach extraordinary scale, too: As Cointelegraph recently reported, a campaign using cryptojacking malware to mine the privacy-focused cryptocurrency turtlecoin (TRTL) was found to have infected more than 50,000 servers worldwide.

Just a few days ago, two browser extensions that secretly sponged their users’ central processing units (CPUs) to mine privacy-focused cryptocurrency monero were discovered on the official Google Chrome store. Previously, such malware was found to be hiding in legitimate Adobe Flash updates and convincingly posing as Windows installation packages.

Researchers from cybersecurity firm Trend Micro have uncovered a fascinating tactic employed by cryptocurrency hackers to smuggle monero miners onto Oracle enterprise servers. In order to obfuscate the malicious code, the attackers hide it inside certificate files. This way, it goes unnoticed by antivirus software that automatically treats certificate files as trustworthy.

Website clones

Having originated in the remote corners of the darknet, where online stores selling illicit substances have long been “cloned” by scammers seeking to trick drug users into transferring bitcoin to their accounts, the technique is alive and well as of June 2019. The latest example is the case of the crypto trading website Cryptohopper, whose malicious copy facilitated the infection of the computers of unwitting crypto traders who visited it. The victims had both mining and clipboard hijacking Trojans installed, resulting in an aggregate loss of almost $260,000.

Cryptocurrency trading platforms and exchanges appear to be the area of the crypto sphere most vulnerable to hacking attacks, as they present shortcuts to large pools of centrally stored digital assets. Sky Guo, CEO and co-founder of Cypherium, told Cointelegraph that this has to change in order for the industry to be able to cope with rising security threats:

“Security threats happen on the level of the software, the infrastructure. But our industry needs to realize that there are dangers attached to presenting something as ‘decentralized’ in order to cash in on the security advances of blockchain tech. Projects like Facebook’s Libra and some other major projects already leading in our industry still have central points of failure by virtue of their highly permissioned network structures, and they need to be more transparent about the security implications of such systems.”


Social engineering as a separate trend

The term “social engineering” refers to a broad scope of malicious activities whereby wrongdoers use human interactions to accomplish their goals. These attacks usually rely on less sophisticated technical solutions, seeking to exploit the victims’ lack of attention, literacy or understanding of the context in order to obtain sensitive information or extort digital assets. As more people without much technical sophistication flock into the crypto space, simple schemes that didn’t stand a chance with old-school crypto buffs might suddenly become efficient.

Matthew Finestone, the director of business development at Loopring, an open-source protocol for building decentralized exchanges, observed to Cointelegraph:

“I really see attacks drawing on human inattention becoming more prevalent. It's dangerous because newcomers to the space aren't aware of these threats, and they often fail to realize that there is no recourse after cryptocurrency is sent, unlike traditional financial systems that can bail you out in worst case scenarios. Being careful, and learning from resources such as your article are a good starting point.”

Finestone also recalled his recent experiences with two rather simplistic social engineering schemes: one that came with an aggressive threat to release some harmful or embarrassing information if a crypto ransom was not sent to them shortly and another pretending to come from a friend or colleague asking for some coins. He concluded that both, like the majority of social engineering schemes, could be easily combated with vigilance and a healthy dose of common sense.

In fact, these universal principles apply to any type of potential attack aimed at your digital money. While a few of them are incredibly sophisticated, the majority count on the victim’s disregard of telltale signs apparent to the naked eye. It is always a good idea to double-check wallet addresses when performing transactions and to scrutinize the spelling of trading-related domains you visit. Making sure that your antivirus software is up to date is another useful habit that could save you some bitter regrets over digital money lost forever.
