A New Kind of Heist: How Criminals Are Profiting From Cryptocurrency
Last year saw an increase in cryptomalware reports and breaches of crypto exchanges. And it’s clear from the past few months that 2018 is off to a similar start. In this post we take a look back and summarize what this year has in store for the security world in terms of cryptocurrency.
This is part two of our look back at some of the threat highlights of Q1 2018 (find part one here)
Cryptocurrency values have risen and fallen in spectacular fashion in frenetic and volatile trading markets. And while financial watchdogs are quickly tightening the regulatory grip on how cryptocurrency trading operates, some traders have already profited from volatility in the new financial currencies, while others have lost.
Another group profiting from the turbulent cryptocurrency market is criminals, who have moved swiftly into the new waters of opportunity. After all, where there is money there is crime.
In some cases the criminals have adopted new techniques to defraud holders of crypto assets. In other cases, it’s a question of adapting older, successful techniques to prise digital coins away from their owners. And we are also witnessing new ways of adapting botnets to mine digital currencies to earn rich rewards.
A new kind of bank job
In late 2017 criminals pulled off a new twist on the classic bank heist. Hackers made off with millions of dollars’ worth of Bitcoin in a raid on digital currency exchange NiceHash.
The hack was described as “highly professional” by a NiceHash spokesperson, who reported that around 4,700 Bitcoins (valued at the time at $70m) were stolen.
The root cause of the NiceHash attack was described as “sophisticated social engineering” by the company. The PC of an employee of the Slovenian company was compromised and hackers gained access to the company’s payment services.
As it is based on blockchain, Bitcoin and other currencies are designed with security in mind and are notoriously difficult to tamper with. But the computers and employees of exchanges are much more easily compromised.
Hackers found a similar route into South Korean cryptocurrency exchange Bithumb earlier in 2017. Again, the weak point was the home computer of an employee. While no currency was stolen, huge amounts of personal customer data was, which allowed criminals to socially engineer dozens of investors and scam them out of funds.
More recently, in January 2018, Japanese cryptocurrency Coincheck revealed it lost nearly $400m in a security breach. The company locked down accounts after 500 million NEM tokens (at this moment the #13 coin in terms of market value) were ‘illicitly’ exfiltrated. Hackers were able to steal the private key of a digital wallet where the coins were stored in a number of unauthorized transactions. Coincheck refunded 260,000 affected customers over $440m from its own coffers to compensate for the hack.
On a personal rather than organizational level, individual investors need to be aware that while cryptocurrencies are secure by design, this doesn’t mean less caution can be exercised. Good security hygiene should always be front of mind in finance matters.
Sometimes adapting the old techniques can prove the best vector to attack investors. Criminals can hack an email account and spoof an email from a currency exchange asking for users to reset passwords for wallets and accounts. Two-factor authentication and DMARC technology can help.
Alternatively, a hacker might pose as a company holding an ‘initial coin offering’ (ICO). Investors are invited to send Bitcoin — or other cryptocurrencies — via a carefully spoofed website and URL. Once the coins are transferred, they are quickly siphoned off to a new wallet belonging to the attacker.
A new kind of ‘botnet’
Another method being used by criminals to exploit digital currencies is cryptojacking.
Despite sounding like something out of a sci-fi novel, cryptojacking refers to the practise of surreptitiously exploiting small amounts of CPU (or GPU) cycles on users’ PCs and smartphones or company servers to mine digital currencies — the ‘back-breaking’ processing work that needs to occur to allow cryptocurrencies to operate.
While cryptojacking has been around for some time, the recent surge in the value of cryptocurrencies means mining coins has become an enticing prospect for criminals. Each infected device may only mine a tiny amount of value but collectively enough machines in a data-mining ‘botnet’ can deliver a profit to criminals.
The first way this kind of activity can occur is through malware. Cryptojacking malware is spread like other malicious code: via email, social media, website ads and apps. Once loaded onto a user’s device it operates in the background, using (theoretically) small amounts of computing power.
So what’s the problem? If the scripts are only using small amounts of ‘unused’ CPU power users then shouldn’t be affected despite the invasive nature of the malware.
The problem is that hijacking CPUs to perform processor-intensive calculations can have dire consequences for devices. For example, an Android cryptojacking strain called Loapi caused one smartphone to overheat with the strain of coin mining. The device’s battery burst through its case and nearly exploded.
Even in less dramatic cases, devices mining coins without their owners’ knowledge can overheat or have their fans kick in to overdrive. The result is that devices that are regularly subjected to cryptojacking may have their lifespans shortened.
And cryptojacking malware attacks aren’t limited to individuals. Earlier this month Microsoft warned that it has seen a surge in currency-mining malware infecting devices in enterprises around the world in the last six months. The company warned this might be the work of external threat actors or equally from insiders with access to systems.
Meanwhile, in February this year security firm Radiflow reported that a European water utility provider had been compromised. The attack represents the first public discovery of cryptocurrency mining malware in the systems of a critical national infrastructure organization. This incident also highlights the diversity of organizations in which these miners are deployed. Criminals are looking for power — so servers or networks where computers are generating a high volume of GPU/CPU are a big attraction.
Cryptojacking isn’t limited to malware. Increasingly data mining code can be loaded onto web pages with scripts that make use of visitors’ device CPUs to mine coins. While some parties argue that something similar to cryptojacking could one day legitimately replace digital advertising, the effect on machines is the same: drained resources, diminished performance, and potentially reduced device lifespan.
Again, it isn’t just individuals affected. Government organizations in both the UK and Australia discovered their websites had been compromised by hackers who managed to inject mining code into their sites via the assistive plug-in Browsealoud, which converts web pages into audio for visually impaired web users.
While cryptojacking may not carry the destructive payload of ransomware or other malware it still represents a device compromise. And it’s one that at best affects the performance and longevity of devices, and at worst provides an open doorway on an infected device for more virulent, destructive threats such as ransomware.
While the goal of the cybercriminals is new, the attack techniques employed often are not. While some recently-discovered threats make use of new techniques to steal money from cryptocurrency investors, many rely on older, tried and tested methods.
Ultimately, while cryptocurrencies themselves are secure the exchanges and systems that surround them are not. And neither are humans any less vulnerable to being conned or manipulated by adapted social engineering. One thing is certain: Activities in this area will not decrease anytime soon.
We hope you enjoyed this post. Follow us here on Medium for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.