Cryptocurrency hackers attacked StatCounter, one of the most frequently used Web traffic analysis services, to steal Bitcoins from users of Gate.io, an online exchange.
As a result of the deliberate attack, more than 688,000 websites were discovered to be loading the malicious script.
StatCounter is very similar to Google Analytics. It lets webmasters analyze Internet traffic on their websites. To get these statistics, a webmaster needs to add the StatCounter code to their site. This design aspect appears to be widely used by hackers to embed and distribute their malicious code.
The attack redirected traders’ crypto transactions while Gate.io users were trying to withdraw or transfer their BTC. The code simply replaced any BTC address entered on the page with one belonging to the hackers.
The exploit was first discovered by researchers at ESET, a Slovakian firm specializing in cybersecurity. They described it as a “supply-chain attack.” The attack affected almost a million websites, but the threat seems to have been localized to one specific URL domain: Gate.io, a cryptocurrency exchange with a turnover of more than $1.7 million per day, experts from ESET noted.
The code used by the hackers would not act maliciously unless the link contained a specific string: “myaccount/withdraw/BTC.” According to security professionals, Gate.io is the only website using a URL that contains this string.
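A site owner can turn the trigger condition described above into a check: scan every third-party script the site loads for references to the site's own sensitive routes. The following is an added example, not code from ESET, StatCounter or Gate.io; the script names, sample bodies and the helper names `normalize`, `auditScript` and `auditAll` are constructed for illustration, and a string match of this kind will not see through heavier obfuscation.

```javascript
// Added example: audit third-party script source for references to the
// site's own sensitive routes. Script names and bodies below are constructed.
const SENSITIVE_PATHS = ['myaccount/withdraw/BTC']; // trigger string named in the article

// Undo trivial hiding: \xNN and \uNNNN escapes, and 'a' + 'b' concatenation.
function normalize(src) {
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex)
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex)
    .replace(/['"]\s*\+\s*['"]/g, '');
}

// Return one finding per sensitive path that the script body mentions.
function auditScript(name, src, paths = SENSITIVE_PATHS) {
  const text = normalize(src);
  const lower = text.toLowerCase();
  const findings = [];
  for (const path of paths) {
    const at = lower.indexOf(path.toLowerCase());
    if (at === -1) continue;
    findings.push({
      script: name,
      path,
      // A script that also inspects the page location is the stronger signal.
      readsLocation: /\blocation\b/.test(text),
      context: text.slice(Math.max(0, at - 40), at + path.length + 10),
    });
  }
  return findings;
}

// Constructed sample bodies; a real audit would fetch each <script src> the page loads.
const SAMPLES = {
  'analytics-clean.js': "var sc = { project: 1 }; sc.send(document.referrer);",
  'analytics-plain.js':
    "if (document.location.href.indexOf('myaccount/withdraw/BTC') > -1) { /* ... */ }",
  'analytics-split.js':
    "var p = 'myaccount/' + 'with\\x64raw/BTC'; if (location.pathname.indexOf(p) > -1) { /* ... */ }",
};

function auditAll(scripts = SAMPLES) {
  return Object.entries(scripts).flatMap(([name, src]) => auditScript(name, src));
}

for (const f of auditAll()) {
  console.log(`[!] ${f.script} references "${f.path}" (reads location: ${f.readsLocation})`);
}
```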
Who was hurt?
The security hole appeared a few days ago, but it is still difficult to say exactly how many people were affected by the attack or how much money the hackers stole.
ESET notes that the script automatically generates a new Bitcoin address each time it is launched. This effectively neutralizes the ability to link BTC transactions together in a meaningful way, which frustratingly protects the attackers’ identity.
The Gate.io exchange says it intends to remove StatCounter from its website as soon as possible. The exchange also urged its users to enable 2FA and two-step login protection.
Canadian university under attack
According to the administration, no personal information was compromised during the attack. However, it caused quite a few problems on campus.
Among other things, the statement points out that the network shutdown made it impossible to use Wi-Fi or process debit card transactions. The university says it is still recovering from the attack but expects its services to be restored and relaunched soon.
The attack epidemic
There have been numerous crypto attacks on institutions over the past few months. Back in February, British researchers discovered tons of infected government websites mining Monero. More recently, it turned out that many hackers had also secretly seized Indian government websites for crypto mining.
According to research by RWTH Aachen University, Monero crypto-jackers earn about $250,000 each month.