On November 3rd, hackers successfully sandwiched crypto-stealing code into the middle of a popular web traffic-measuring plugin from StatCounter, which is now used on more than two million websites, including government sites, WeLiveSecurity reports.
Because the infected software creates a new bitcoin address for every site it infects, the cybersecurity researchers at WeLiveSecurity have been so far unable to determine exactly how many Bitcoins may have been stolen.
They have determined, however, that the rather wide swath of infections may have been designed to eventually infect cryptocurrency trading sites, and that the scheme did, in fact, infect popular crypto-trading site Gate.io.
According to WeLiveSecurity, Gate.io handles $1.6 million dollars of Bitcoin trades per day, and is a very popular site, especially in China, where it boasts an Alexa ranking of 8,308. Globally the site ranks 26,251.
WeLiveSecurity says the malicious code is usually tagged onto regular code at the beginning or end. By situating the code in the middle of StatCounter’s downloadable javascript web traffic analysis tool, hackers made it harder to detect.
StatCounter’s tool uses a Dean Edwards packer, “a unique compression algorithm…” that removes gaps and spaces in code and presumably makes it tighter and harder to modify.
But WeLiveSecurity says that, in this case, the packer in the StatCounter code was “trivially unpacked,” and injected with Bitcoin-seeking code activated whenever an affected user at Gate.io hit the “submit” button on a trade or transaction.
According to WeLiveSecurity:
“The webpage https://www.gate[.]io/myaccount/withdraw/BTC, shown below, is used to transfer Bitcoin from a gate.io account to an external Bitcoin address.”
As well, “…second stage payload, from statconuter[.]com/c.php, is designed to steal Bitcoins. Thus, it makes sense to inject the script into the gate.io bitcoin transfer webpage.”
The researchers conclude their article by reminding webmasters that using third-party software is a generally a security wildcard:
“It also shows that even if your website is updated and well protected, it is still vulnerable to the weakest link, which in this case was an external resource. This is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice.”