This week’s bombshell that a hack might have cost Bitcoin exchange Mt. Gox all of its money might just be the tip of the iceberg for cryptocurrency-related cybercrime. A new report from Dell Secureworks has revealed that cybercriminals have developed 146 different types of bitcoin malware.
Mass theft of cryptocurrency usually stems from well-publicised breaches at exchanges and marketplaces. A second category of Bitcoin theft, however, targets individual users’ wallets or exchange accounts, using either general-purpose remote access Trojans (RATs) or specialised cryptocurrency-stealing malware (CCSM).
The number of such malware families has grown dramatically over the past two years: there are currently 146 known variants, up from 45 a year ago and 13 in 2012. Bitcoin caught cybercriminals’ attention in earnest after its value topped US$1,000 late last year.
The most common type of CCSM targets digital wallets. The malware searches the computer for the wallet software’s key storage file (Bitcoin-Qt’s wallet.dat, for example). Once it locates one, it uploads the file to a remote FTP, HTTP or SMTP server, where the criminal can extract the private keys and transfer the Bitcoins to his or her own wallet.
Cryptocurrency security guides recommend protecting the wallet with a strong passphrase, so that a criminal who steals the wallet file still cannot decrypt and use the private keys. However, many wallet-stealer families also include a keylogger or clipboard monitor to capture the passphrase as it is typed or pasted.
Many wallet-stealer CCSMs also steal credentials for web-based wallets. Cybercriminals know that many individuals keep a fair share of their Bitcoin on exchanges to trade on price movements, and this malware exploits that. Dell noted that in most cases it is impossible to know which malware was used, because a full forensic analysis of the victim’s hard drive is rarely done.
Many exchanges have implemented two-factor authentication (2FA), using one-time PINs (OTPs) to combat unauthorised logins. However, more advanced malware can “easily” bypass this by intercepting the OTP as it is entered and opening a second, hidden browser window that logs the criminal into the account from the victim’s own computer. At the same time, the victim is shown a fake “authentication failed” message and is kept off the website while the account is looted.
Dell noted that it has not observed an attack on a cryptocurrency exchange that can bypass 2FA – yet. Since it is a technique that has had success against online banking sites for several years, “it is only a matter of time before CCSM uses this approach.”
Man in the Middle
At least one family of CCSM acts as a “man in the middle,” altering the recipient address of a transaction before it is signed. This malware monitors the contents of the clipboard, checking for a valid Bitcoin address. If it finds one, it replaces it with the malware operator’s Bitcoin address. Victims then unknowingly send Bitcoins to the criminal.
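The clipboard-swapping family above has to recognise a Bitcoin address before it can replace one, and the same recognition logic is what a wallet or paste-guard can use to notice the swap. The following is an added example, not code from the Dell report: a Base58Check address validator, the address scan a clipboard monitor would run, and a simple swap detector that flags one valid address being replaced by a different valid address within a short window. The genesis-block coinbase address is a real, widely published address; the "attacker" address is derived here from an all-zero public-key hash, and the clipboard history is constructed.

```python
# Added example: Base58Check address validation and a clipboard-swap check.
# Not from the Dell report; the clipboard history and attacker address are constructed.
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate P2PKH ('1...') or P2SH ('3...') addresses in free text.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def _sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload):
    """payload = version byte + 20-byte hash160; appends a 4-byte checksum."""
    body = payload + _sha256d(payload)[:4]
    n = int.from_bytes(body, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(body) - len(body.lstrip(b"\x00"))  # each leading zero byte is one '1'
    return "1" * pad + out


def base58check_decode(addr):
    """Returns the payload, or raises ValueError if the checksum does not match."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    body = b"\x00" * pad + body
    if len(body) < 5:
        raise ValueError("too short")
    payload, checksum = body[:-4], body[-4:]
    if _sha256d(payload)[:4] != checksum:
        raise ValueError("bad checksum")
    return payload


def is_valid_address(addr):
    """True for a 21-byte payload with a mainnet P2PKH (0x00) or P2SH (0x05) version."""
    try:
        payload = base58check_decode(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] in (0x00, 0x05)


def find_addresses(text):
    """What a clipboard monitor looks for: syntactically and checksum-valid addresses."""
    return [m for m in ADDRESS_RE.findall(text) if is_valid_address(m)]


def detect_clipboard_swaps(events, window=2.0):
    """events: list of (seconds, clipboard text). Flags a valid address that is
    replaced by a different valid address within `window` seconds of the copy,
    which no ordinary copy-and-paste sequence produces."""
    alerts = []
    prev_t, prev_addr = None, None
    for t, text in events:
        addrs = find_addresses(text)
        cur = addrs[0] if addrs else None
        if prev_addr and cur and cur != prev_addr and t - prev_t <= window:
            alerts.append((prev_addr, cur))
        prev_t, prev_addr = t, cur
    return alerts


GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # real: genesis-block coinbase address
ATTACKER = base58check_encode(b"\x00" + bytes(20))  # constructed: hash160 of all zeros

CLIPBOARD_EVENTS = [  # constructed: (seconds, clipboard contents)
    (0.0, "pay to " + GENESIS),
    (0.4, "pay to " + ATTACKER),  # silent replacement right after the user's copy
    (30.0, "meeting notes"),
    (95.0, GENESIS),  # user copies an address again much later: no alert
]

if __name__ == "__main__":
    print("valid:", is_valid_address(GENESIS), is_valid_address(ATTACKER))
    print("swaps:", detect_clipboard_swaps(CLIPBOARD_EVENTS))
```

The checksum check matters in both directions: the malware uses it to avoid replacing strings that merely look like addresses, and a wallet can use it to reject a pasted address that was corrupted, but a checksum cannot reveal that a perfectly valid address was substituted. Only comparing what was pasted against what the user intended (or the timing heuristic above) catches the swap.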
Cryptocurrency wallet software includes remote procedure call (RPC) functionality, which allows another programme to interact with the wallet. Malware with access to this interface could connect to the client on its local Transmission Control Protocol (TCP) port and empty an unencrypted wallet using only two commands (three if the wallet is encrypted and the passphrase has already been intercepted).
To date, Dell has not observed any CCSM exploiting this technique. However, such a theft would be difficult to detect, as the resulting transfer would look like any authorised transaction. Additionally, the technique requires no external command-and-control (C2) or exfiltration server that could be shut down or blocked.
Detection and Protection
Dell found that antivirus detection of CCSMs is less than 50% successful on average. Given that 2FA and antivirus software are largely ineffective against this malware, Dell advises using an alternative wallet such as Armory or Electrum.
Alternative wallets can protect against malware theft by using a split arrangement for key storage. One computer, disconnected from any network, runs a copy of the software and holds the private key that can sign transactions. A second computer, connected to the internet, holds only a master public key, from which it derives the addresses that belong to the wallet; it can watch the balance and build transactions, but it cannot sign them because it does not have the private key. To transfer Bitcoins, the user creates an unsigned transaction on the online computer, carries it to the offline computer to be signed, and then carries the signed transaction back to the online computer to broadcast it to the Bitcoin network.
The two-computer method is relatively secure, but the logistics can be complicated. Dell noted that it would be more convenient to use a dedicated hardware device to store the private keys and verify transactions without the possibility of theft. These devices are currently under development and due for delivery in the first quarter of this year.
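The split-key workflow described above, as an added example that is not Armory's or Electrum's code and not part of the Dell report. The secp256k1 ECDSA arithmetic is real; the transaction is a toy JSON structure standing in for a real Bitcoin transaction (real Bitcoin signature hashing and serialisation are not modelled), the nonce derivation is a simplification of RFC 6979, and the key, addresses and amounts are constructed. The point it shows is that the online host can build and verify but never sign, and that a transaction altered after signing (the clipboard swap from the previous section, moved to the wire) fails verification before broadcast.

```python
# Added example: offline signer plus watching-only online host.
# Not from the Dell report, Armory or Electrum; toy transaction format, constructed key.
import hashlib
import hmac
import json

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0]:
        if (a[1] + b[1]) % P == 0:
            return None
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P  # doubling
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def _sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def tx_digest(tx):
    """Canonical serialisation of the toy transaction, double-SHA256."""
    return _sha256d(json.dumps(tx, sort_keys=True, separators=(",", ":")).encode())


def sign(priv, digest):
    """ECDSA over secp256k1. The nonce is HMAC(key, digest): deterministic like
    RFC 6979, but a simplification of it, not the full procedure."""
    z = int.from_bytes(digest, "big")
    k = 1 + int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, "sha256").digest(), "big") % (N - 1)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def verify(pub, digest, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


class OfflineSigner:
    """Air-gapped host: the only place the private key exists."""
    def __init__(self, priv):
        self._priv = priv
        self.pub = _mul(priv, G)  # the only thing that crosses to the online side

    def sign_tx(self, unsigned_tx):
        signed = dict(unsigned_tx)
        signed["sig"] = list(sign(self._priv, tx_digest(unsigned_tx)))
        return signed


class OnlineWallet:
    """Internet-connected host: holds the public key only (watching-only)."""
    def __init__(self, pub):
        self.pub = pub

    def build_unsigned(self, to_addr, amount, fee):
        return {"to": to_addr, "amount": amount, "fee": fee}

    def broadcast(self, signed_tx):
        """Refuse to broadcast unless the signature covers exactly this transaction."""
        body = {k: v for k, v in signed_tx.items() if k != "sig"}
        return verify(self.pub, tx_digest(body), tuple(signed_tx["sig"]))


def demo():
    """Returns (honest tx accepted, tx altered after signing accepted)."""
    priv = 1 + int.from_bytes(hashlib.sha256(b"constructed example key").digest(), "big") % (N - 1)
    offline = OfflineSigner(priv)
    online = OnlineWallet(offline.pub)
    unsigned = online.build_unsigned("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", 50000, 1000)
    signed = offline.sign_tx(unsigned)  # carried to the offline host and back
    tampered = dict(signed, to="1111111111111111111114oLvT2")  # recipient swapped after signing
    return online.broadcast(signed), online.broadcast(tampered)


if __name__ == "__main__":
    print(demo())
```

The online side is the one exposed to CCSM, and it has nothing worth stealing: a stolen master public key only lets the thief watch the balance. The signing step is also where the user should re-read the recipient address on the offline screen, since that display is the only one the online machine's malware cannot alter.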