Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques
Much of digital assets’ appeal stems from the fact that many of them are not affiliated with or controlled by governments, central banks or transnational corporations (at least, not yet). The price paid for this independence from the institutions of global capitalism, though, can sometimes be extremely high: in the event of cryptocurrency theft, there is no one to appeal to for recourse. Further still, the irreversible nature of blockchain transactions makes it extremely difficult to get the money back once it’s gone.
The villains of the internet love cryptocurrencies for the same reasons. In the last few years, marked by the spike of popularity for digital money, hackers and scammers of all sorts have perfected the art of pilfering it from unwitting users, many of whom are newcomers to the space.
Roughly a year ago, Cointelegraph had already compiled a lengthy overview of many popular crypto-stealing tricks and tips on how to avoid falling prey to them. While the list remains relevant as ever, the time has come to revisit the subject to see if there are new threats to your crypto assets to beware of.
Aggregate dynamics
A recent report by cryptocurrency intelligence firm CipherTrace estimated losses from digital currency theft and scams in the first quarter of 2019 at $356 million, with additional fraud or misappropriated fund losses amounting to $851 million in the same period. Alarmingly, this Q1 total of $1.2 billion constituted 70% of the total losses to crypto crime in all of 2018, indicating intensified hacking activity in the first months of 2019.
At the same time, a study conducted by the security company Positive Technologies registers a change in the structure of attacks. The share of cryptojacking — or, hidden cryptocurrency mining — in the overall volume of cyberattacks seems to be declining: Having reached a peak in early 2018, this type of criminal activity dropped to just 7% in the first quarter of 2019. The analysts noted, however, that the observed trend merely reflects the way malware previously used primarily for cryptojacking has become smarter and more versatile. If the virus recognizes that the machine it took over lacks processing power, it may switch to other modes of operation, such as clipboard hijacking.
Researchers at Positive Technologies predicted an increase in the overall number of attacks in the second quarter of the year. Their report pointed out malware and social engineering as attackers’ most widely used tactics and recorded the increasing prominence of ransomware attacks. These findings are further corroborated by ransomware recovery company Coveware, whose analysis revealed an 89% increase in the average ransom from the fourth quarter of 2018 to the first quarter of 2019.
Related: Round-Up of Crypto Exchange Hacks So Far in 2019 — How Can They Be Stopped?
Although perpetrators of ransomware attacks nearly always demand payment in cryptocurrency, this type of criminal activity is not specific to the crypto sphere and targets companies from a wide range of industries. This type of intrusion entails infecting the victim’s device with a piece of code that denies the owner access to their system or data, then demanding payment to regain access. Since these attacks usually prey on fairly large corporate entities, we will skip over to those that seek to part individual crypto investors with their digital funds.
Malware or social engineering?
One intuitive way to classify attacks that target users’ digital assets could be to juxtapose those that seek to find weak spots in software (say, secretly infecting a victim’s computer with an ingenious virus) and those aimed at exploiting errors in human judgement (fooling a person into handing over their wallet’s private key).
Yet, in fact, these two modes exist on a spectrum rather than on a binary scale. The most successful thefts entail some degree of participation on behalf of the victim — such as opening a phishing email, using public Wi-Fi to check a crypto wallet or willingly installing a shady app — and a piece of malicious code, whether it is a Trojan or a scam bot on Slack.
Breaking the variety of threats down according to the attack vector is perhaps a more meaningful strategy. It is also far from optimal, though, as many known viruses these days can alter their behavior according to circumstances, and are capable of both installing hidden miners and simply stealing keys as needed. The following typology is therefore highly contingent.
Clipboard hijacking
Because no one wants to manually type in long strings of random, case-sensitive alphanumeric characters, we all use the copy/paste function to enter the addresses we send our coins to. Clipboard hijackers (aka clippers) are pieces of malware that detect when a crypto wallet address has been copied to the clipboard and then trigger a script that replaces the correct address with that of an attacker. As a result, often without the victim realizing what happened, the digital currency flows straight to the thief’s pocket. Using the same technique, clippers are capable of stealing passwords and keys as well.
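The defensive counterpart of the technique described above is simple: compare what you meant to paste with what actually landed in the recipient field, and watch the clipboard for one address being silently replaced by another. The following Python script is an added example written for this article, not code from Cointelegraph or from any of the firms it cites; the address patterns are rough shape checks (prefix, alphabet, length) rather than checksum validation, and the clipboard snapshots and both addresses are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Syntactic patterns for a few common address families. Constructed for this
# example: they check shape only (prefix, alphabet, length), not checksums.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{8,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text: str) -> Optional[str]:
    """Name the address family `text` looks like, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def check_paste(intended: str, pasted: str) -> Tuple[bool, str]:
    """Compare the address the user meant to send to (read from the
    counterparty's message or a hardware wallet screen) with what actually
    landed in the recipient field. Returns (ok, reason)."""
    if intended.strip() == pasted.strip():
        return True, "match"
    fam_intended, fam_pasted = address_family(intended), address_family(pasted)
    if fam_intended and fam_pasted:
        return False, f"address replaced ({fam_intended} -> {fam_pasted})"
    return False, "pasted text is not the intended address"


def find_swaps(snapshots: List[str]) -> List[Tuple[int, str, str]]:
    """Scan successive clipboard snapshots (as a polling monitor would collect
    them) and flag each transition where one address-looking string is
    directly replaced by a different address-looking string: the footprint a
    clipper leaves when it rewrites a freshly copied address."""
    swaps = []
    for i in range(1, len(snapshots)):
        before, after = snapshots[i - 1].strip(), snapshots[i].strip()
        if before != after and address_family(before) and address_family(after):
            swaps.append((i, before, after))
    return swaps


# Constructed sample: the user copies the counterparty's address, a clipper
# overwrites it, and the user pastes whatever is now on the clipboard.
USER_ADDRESS = "0x" + "ab12" * 10          # placeholder, 40 hex digits
ATTACKER_ADDRESS = "0x" + "ff00" * 10      # placeholder, 40 hex digits
CLIPBOARD_LOG = ["meeting notes", USER_ADDRESS, ATTACKER_ADDRESS, "done"]

if __name__ == "__main__":
    print(find_swaps(CLIPBOARD_LOG))
    print(check_paste(USER_ADDRESS, ATTACKER_ADDRESS))
```

`find_swaps` is a heuristic: a user who copies two different addresses in a row will trip it too, so the right response to a hit is an alert that asks the user to re-check the recipient field, not an automatic block. The scheme also only helps if the "intended" address comes from somewhere the clipper cannot touch, such as the hardware wallet display.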
Related: Crypto Crime Trends Evolving as Users Wise Up: Exchange Hacks, Darknet and Money Laundering
Perhaps the most sinister specimen of clipper malware uncovered so far in 2019 is the one that made it onto the Google Play Store disguised as the mobile version of MetaMask, a popular client used to access decentralized applications (DApps) from a web browser — except, there is no MetaMask version for mobile. Although it was taken down soon after discovery, the very fact that the app managed to make it past Google Play Store’s defenses is impressive, and it reminds us that even the authenticity of software found in major stores should not be taken for granted.
Cryptojacking
Cryptojacking, also known as hidden mining, is the covert exploitation of other users’ devices to mine cryptocurrency. Usually, a targeted computer gets infected by a Trojan that installs a miner. Victims do not get stripped of their crypto assets directly, yet the losses they sustain may be quite unpleasant, from footing enormous electricity bills to having an overloaded computer break down.
The number of detected attacks of this type exhibits a curious pattern of strong correlation with crypto prices. As the aforementioned reports suggested, the overall share of cryptojacking attacks appears to be declining this year — however, the ingenuity of their perpetrators is only growing. Some hidden mining operations may reach extraordinary scale, too: As Cointelegraph recently reported, a campaign using cryptojacking malware to mine the privacy-focused cryptocurrency turtlecoin (TRTL) was found to have infected more than 50,000 servers worldwide.
Just a few days ago, two browser extensions that secretly sponged their users’ central processing units (CPUs) to mine privacy-focused cryptocurrency monero were discovered on the official Google Chrome store. Previously, such malware was found to be hiding in legitimate Adobe Flash updates and convincingly posing as Windows installation packages.
Researchers from cybersecurity firm Trend Micro have uncovered a fascinating tactic employed by cryptocurrency hackers to smuggle monero miners onto Oracle enterprise servers. In order to obfuscate the malicious code, the malware hides it inside certificate files. This way, it goes unnoticed by antivirus software that automatically treats certificate files as trustworthy and leaves them unexamined.
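A certificate file is a narrow format, so the defensive check is to verify that a file claiming to be a PEM certificate contains nothing but one: a single base64 body between the BEGIN/END boundaries, nothing outside them, and decoded bytes that are exactly one DER SEQUENCE with no trailing data. The Python below is an added example written for this article, not code from Trend Micro or from the campaign it describes; it uses only the standard library, and the "certificate" body is a constructed five-byte DER stub (SEQUENCE containing INTEGER 5) standing in for a real X.509 structure, with labelled placeholder bytes for the smuggled content.

```python
import base64
import re
from typing import List, Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_total_length(data: bytes) -> Optional[int]:
    """Return the byte length (header + body) of the outermost DER SEQUENCE,
    or None if `data` does not start with a well-formed SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:        # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    body = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + body


def audit_pem_certificate(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file looks like a
    plain certificate with nothing hidden around or behind the DER blob."""
    findings = []
    blocks = PEM_RE.findall(text)
    if not blocks:
        return ["no PEM certificate block found"]
    outside = PEM_RE.sub("", text).strip()
    if outside:
        findings.append(f"{len(outside)} bytes of content outside the PEM boundaries")
    for idx, body in enumerate(blocks):
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            findings.append(f"block {idx}: body is not valid base64")
            continue
        expected = der_total_length(der)
        if expected is None:
            findings.append(f"block {idx}: decoded data is not a DER SEQUENCE")
        elif expected != len(der):
            findings.append(f"block {idx}: {len(der) - expected} trailing bytes after the DER certificate")
    return findings


def make_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed samples. DER_STUB is SEQUENCE { INTEGER 5 }, a stand-in for a
# real certificate body; the other two hide placeholder bytes around it.
DER_STUB = b"\x30\x03\x02\x01\x05"
CLEAN_PEM = make_pem(DER_STUB)
PADDED_PEM = make_pem(DER_STUB + b"APPENDED-PAYLOAD-PLACEHOLDER")
WRAPPED_PEM = "# unrelated text placed before the certificate\n" + CLEAN_PEM

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PEM), ("padded", PADDED_PEM), ("wrapped", WRAPPED_PEM)]:
        print(name, audit_pem_certificate(sample) or "ok")
```

Chain bundles legitimately hold several certificate blocks, so the check audits each block rather than counting them. It does not parse the X.509 fields, which is what a real validator (OpenSSL, or a library such as `cryptography`) should do next; its job is only to refuse the "looks like a certificate, but carries extra bytes" pattern that a scanner which whitelists the file type would wave through.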
Website clones
Having originated in the remote corners of the darknet, where online stores selling illicit substances have long been “cloned” by scammers seeking to trick drug users into transferring bitcoin to their accounts, the technique is alive and well as of June 2019. The latest example is the case of the crypto trading website Cryptohopper, whose malicious clone infected the computers of unwitting crypto traders who visited it. The victims had both mining and clipboard hijacking Trojans installed, resulting in an aggregate loss of almost $260,000.
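Clone sites live on domains that read like the real one at a glance, so one practical defense is a check that compares a URL the user is about to visit against the short list of trading sites they actually use, after undoing the usual visual tricks (digit-for-letter swaps, "rn" for "m", a trusted name buried as a subdomain of something else). The Python below is an added example for this article, not code from Cointelegraph or from Cryptohopper; the trusted list is constructed (Cryptohopper and MetaMask are named on the page, the lookalike URLs are invented placeholders), and the confusable table and distance threshold are assumptions chosen for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed allow-list of sites the user actually logs into.
TRUSTED: List[str] = ["cryptohopper.com", "metamask.io"]

# Visually confusable substitutions seen in lookalike registrations (assumed
# table for this example; a production check would use a fuller one).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("cl", "d")]


def normalize(label: str) -> str:
    """Collapse confusable character groups so lookalikes compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def host_of(url: str) -> str:
    """Strip scheme, path and port from a URL or bare hostname."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower())
    return host.split("/")[0].split(":")[0]


def registrable_part(host: str) -> str:
    """Last two labels (name.tld). Naive, but adequate for the .com/.io
    domains in this example; real code would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str, trusted: List[str] = TRUSTED) -> Tuple[str, Optional[str]]:
    """Classify a URL as 'trusted', 'lookalike' (with the domain it imitates)
    or 'unknown'."""
    host = host_of(url)
    domain = registrable_part(host)
    if domain in trusted:
        return "trusted", domain
    # A trusted name used as a subdomain of an unrelated registrable domain.
    for t in trusted:
        if t in host:
            return "lookalike", t
    # Otherwise look for a near-miss after normalising confusables.
    norm = normalize(domain)
    best = min(((t, levenshtein(norm, normalize(t))) for t in trusted), key=lambda x: x[1])
    if best[1] <= 2:                             # assumed threshold
        return "lookalike", best[0]
    return "unknown", None


if __name__ == "__main__":
    for u in ["https://cryptohopper.com/dashboard", "https://cryptoh0pper.com/login",
              "metarnask.io", "cryptohopper.com.login-placeholder.net", "https://example.org"]:
        print(u, "->", assess(u))
```

The threshold of two edits is generous on purpose for long brand names but would be noisy for very short ones; the classification is meant to trigger a second look before the user types credentials or starts a download, not to replace a proper blocklist or browser warning.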
Cryptocurrency trading platforms and exchanges appear to be the area of the crypto sphere most vulnerable to hacking attacks, as they present shortcuts to swathes of centrally stored digital assets. Sky Guo, CEO and co-founder of Cypherium, told Cointelegraph that this has to change in order for the industry to be able to cope with rising security threats:
“Security threats happen on the level of the software, the infrastructure. But our industry needs to realize that there are dangers attached to presenting something as ‘decentralized’ in order to cash in on the security advances of blockchain tech. Projects like Facebook’s Libra and some other major projects already leading in our industry still have central points of failure by virtue of their highly permissioned network structures, and they need to be more transparent about the security implications of such systems.”
Related: What Is Libra? Breaking Down Facebook’s New Digital Currency
Social engineering as a separate trend
The term “social engineering” refers to a broad scope of malicious activities whereby wrongdoers use human interactions to accomplish their goals. These attacks usually rely on less sophisticated technical solutions, seeking to exploit the victims’ lack of attention, literacy or understanding of the context in order to obtain sensitive information or extort digital assets. As more people without much technical sophistication flock into the crypto space, simple schemes that didn’t stand a chance with old-school crypto buffs might suddenly become effective.
Matthew Finestone, the director of business development at Loopring, an open-source protocol for building decentralized exchanges, observed to Cointelegraph:
“I really see attacks drawing on human inattention becoming more prevalent. It's dangerous because newcomers to the space aren't aware of these threats, and they often fail to realize that there is no recourse after cryptocurrency is sent, unlike traditional financial systems that can bail you out in worst case scenarios. Being careful, and learning from resources such as your article are a good starting point.”
Finestone also recalled his recent experiences with two rather simplistic social engineering schemes: one that came with an aggressive threat to release some harmful or embarrassing information if a crypto ransom was not sent to them shortly and another pretending to come from a friend or colleague asking for some coins. He concluded that both, like the majority of social engineering schemes, could be easily combated with vigilance and a healthy dose of common sense.
In fact, these universal principles apply to any type of potential attack aimed at your digital money. While a few of them are incredibly sophisticated, the majority count on the victim’s disregard of telltale signs apparent to the naked eye. It is always a good idea to double-check wallet addresses when performing transactions and to scrutinize the spelling of trading-related domains you visit. Making sure that your antivirus software is up to date is another useful habit that could save you some bitter regrets over digital money lost forever.