Malware leverages web injects to empty users’ cryptocurrency accounts

Criminals trying to get their hands on victims’ cryptocurrency stashes are trying out various approaches. The latest one includes equipping malware with Man-in-the-Browser capabilities so they can hijack online accounts and perform fraudulent transactions on the fly.

Injecting malicious scripts into target sites

Since the beginning of the year, SecurityScorecard researchers have observed two botnets – powered by the Zeus Panda and Ramnit malware families – that are after Coinbase.com accounts and Blockchain.info wallets.

The malware, among other things, is capable of detecting when the user visits those two websites and to silently inject an obfuscated script into them, which changes the content of the landing page.

When the target is Coinbase, the script disables the Enter key in the email and password input fields, then creates a new button and superimposes it over the “Sign In” button. When victims enter their login credentials and click the fake button, they believe they are logging in.

They are actually not. The malware will make it seem that there is a problem with the sign in process, and will ask the user to enter their second authentication factor:

[Screenshot: cryptocurrency theft web injects]

At the same time, the stolen information is used by the attacker to access the user’s account and modify security settings for future transactions.
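The two Coinbase symptoms described above (a foreign element sitting on top of the sign-in button, and a handler cancelling the Enter key in the credential fields) can be probed from the page itself. The following is an added example, not code from the article or from SecurityScorecard; the selectors in the usage block are assumptions, and the document and element objects are passed in so the checks can also run outside a browser.

```javascript
// Added example (not from the article or SecurityScorecard): client-side tamper
// checks for a login page, looking for the two inject symptoms described above:
// a foreign element superimposed on the Sign In button, and a keydown handler
// that cancels the Enter key on the password field. Element/document objects are
// passed in so the functions can also be exercised outside a browser.

// Returns the element that sits on top of the centre of `button`, or null when
// the button itself (or one of its own children) is the topmost element there.
function overlayOnButton(doc, button) {
  const r = button.getBoundingClientRect();
  const top = doc.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (!top || top === button || button.contains(top)) return null;
  return top;
}

// Fires a synthetic, cancelable Enter keydown on `input` and reports whether a
// listener cancelled it. Synthetic (untrusted) key events never submit a form,
// so this probe has no side effects on a legitimate page. `makeEvent` builds the
// event, e.g. (type, init) => new KeyboardEvent(type, init) in a browser.
function enterKeySuppressed(input, makeEvent) {
  const ev = makeEvent('keydown', { key: 'Enter', bubbles: true, cancelable: true });
  return !input.dispatchEvent(ev); // dispatchEvent returns false when cancelled
}

// Runs both checks and returns human-readable findings (empty array = clean).
function scanLoginForm(doc, button, passwordInput, makeEvent) {
  const findings = [];
  const over = overlayOnButton(doc, button);
  if (over) {
    const name = (over.tagName || 'element') + (over.id ? '#' + over.id : '');
    findings.push('sign-in button is covered by ' + name);
  }
  if (enterKeySuppressed(passwordInput, makeEvent)) {
    findings.push('Enter key is cancelled on the password field');
  }
  return findings;
}

// Browser usage (selectors are assumptions; adapt them to the real page).
if (typeof document !== 'undefined') {
  const btn = document.querySelector('button[type=submit]');
  const pwd = document.querySelector('input[type=password]');
  if (btn && pwd) {
    console.log(scanLoginForm(document, btn, pwd, (t, i) => new KeyboardEvent(t, i)));
  }
}
```

An injected script runs with the page's own privileges and could neutralise these probes (for instance by wrapping elementFromPoint), so treat an empty result as a weak signal and a non-empty one as a strong reason to stop and switch to a clean device.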

“In most situations, attackers likely need to be actively involved and use the compromised data quickly,” researchers Catalin Valeriu and Doina Cosovan explained to Help Net Security.

“When WebInjects targets banking information for wire fraud, attackers also need to be actively engaged for the same reason – mostly the need to login before the time expiration on two factor codes. Older versions of Zeus would make use of Jabber instant messenger to notify botnet administrators of compromised credentials, and it is likely modern variants use similar tactics.”

Interestingly enough, after the security settings are changed, the attacker also makes sure the user can’t change the settings back by blocking the access to the settings page and showing an error message.

“Once the multi-factor authentication is disabled and the user can’t access the settings page anymore, the attacker can proceed to making transfers,” the researchers noted.

For the moment, though, the variants have not perfected the automation behind the transfer of stolen funds. Apparently, the crooks are currently satisfied with just compromising the account for future (mis)use. Still, the researchers believe it’s a matter of time until bugs are worked out and automation is achieved at some level.

A similar process is used to compromise Blockchain.info wallets. The victims are also faced with fake sign-in problems:

[Screenshot: cryptocurrency theft web injects]

Only in this case, while the victim waits for the problem to resolve itself, the script quickly opens a transfer page and populates it with the destination address, the currency type and the amount to be transferred.

Once again, users are asked for their second authentication factor. When they enter it and click the “Confirm” button, the script extracts the PIN value from that form, copies it into the PIN field of the transfer form, and thus authorizes the transfer.

While this is happening and for a while after, the script shows the victim a note saying that the service is currently unavailable, so that they won’t realize that their wallet is being emptied.

What can you do to protect yourself?

“As the cryptocurrency ecosystem and economy grow, the malware ecosystem and economy are also likely to grow along with them. While these variants were only targeting Coinbase.com and Blockchain.info, there are likely WebInjects variants that target other exchanges and services – both large and small,” the researchers pointed out.

“The WebInjects functionality is attractive to attackers because it allows them to quickly adapt the code to target new services and update code to maintain access to existing services.”

Users are advised to be on the lookout for things like a disabled Enter key, an inaccessible Settings page, unexpected requests to authenticate with a second factor, or “Service unavailable” alerts.

“If you suspect your account has been compromised, it is important to immediately change your password from a DIFFERENT computer, as it’s unlikely to also be compromised with the same malware,” Valeriu and Cosovan advise.

“The unfortunate part about advanced malware is the level of persistence that is obtained once a system is infected. Mitigating the infection can be time consuming – a complete re-imaging of the operating system and BIOS is recommended on the infected device.”

They also noted that, when this type of advanced bank fraud malware began targeting online banking users a few years ago, it was generally advised that users use a “Live CD” for online banking.

“This advice is still solid, and applies to the world of cryptocurrencies as well,” they concluded.
