The past week has seen an increase in attacks aimed at stealing cryptocoins. The old saying about going where the money is couldn’t be truer. Let’s look at what is happening.
Perhaps the most insidious is a social engineering attack that has been used for years. A criminal repeatedly calls a cellular provider until one hapless customer support rep agrees to move the victim’s phone number to a device the criminal controls. That is the start of a chain of account takeovers, because many bitcoin and other digital wallets use your cell number for password resets. “Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest,” the NY Times writes in this piece. The Federal Trade Commission, whose own CTO had a phone hijacked this way, had tracked more than 2,500 of these cell hijackings as of January. One victim had $150k drained from a digital wallet. “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said one bitcoin entrepreneur quoted in the article. The reason attackers bother is bitcoin’s biggest calling card: unlike a fraudulent credit card charge, a bitcoin transaction cannot be reversed.
But phone hijacking isn’t the only way cryptocoins can be stolen. Another method is to steal from would-be investors in initial coin offerings. Attackers compromised the Enigma company’s website and substituted their own Ethereum address, collecting about half a million dollars in funds. Enigma had scheduled its offering for September, but the attackers announced a special earlier sale to lure their marks. The defacement required nothing more than a compromised password. Thankfully, most of these funds have been returned.
Neither of these methods is technically sophisticated, which shows that despite the best intentions, everyone has a weak spot and attackers will find it quickly.
Our third situation is a cryptocoin miner that spreads with EternalBlue, the SMBv1 exploit behind WannaCry. It is being called Coin Miner and uses both WMI and the SMBv1 exploit to move around the network. Because it relies on fileless techniques (its scripts persist in the WMI repository rather than as files on disk), it can be very hard to spot. This isn’t the first time EternalBlue has been used for crypto-mining: the Adylkuzz malware, which appeared in April, mined Monero on infected PCs without their users noticing that their machines were busy.
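A practitioner reading that will want two quick checks on a Windows host: is SMBv1 still enabled (the door EternalBlue walks through), and are there permanent WMI event subscriptions that a fileless miner could be hiding in? The script below is an added example, not code from the original post or from any vendor’s write-up of Coin Miner. It uses only the standard WMI subscription classes in `root\subscription`; the list of suspicious strings is an assumption you should extend for your own environment, and `Get-SmbServerConfiguration` assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original article): audit a Windows host for the two
# footholds described above - SMBv1 exposure and fileless WMI persistence.
# Run in an elevated Windows PowerShell session.

# 1. Is SMBv1 still enabled? (Get-SmbServerConfiguration: Windows 8 / Server 2012 and later)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is ENABLED - this host is reachable by EternalBlue-style exploits."
    # Remediation (assumption: nothing in your estate still needs SMBv1):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output "SMBv1 is disabled."
}

# 2. Enumerate permanent WMI event subscriptions. Fileless malware commonly binds an
#    __EventFilter (a timer or process-start trigger) to a CommandLineEventConsumer or
#    ActiveScriptEventConsumer so its code re-launches without touching disk.
$ns = 'root\subscription'
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer) +
             @(Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

# Strings that have no business in a consumer on a normal workstation (assumed list).
$suspicious = 'powershell|-enc|FromBase64String|DownloadString|mshta|wscript|cscript|regsvr32|stratum|miner'

foreach ($b in $bindings) {
    # With Get-WmiObject, Filter and Consumer are path strings such as
    # \\.\root\subscription:__EventFilter.Name="xyz", so match on the Name key.
    $f = $filters   | Where-Object { $b.Filter   -match [regex]::Escape('Name="' + $_.Name + '"') }
    $c = $consumers | Where-Object { $b.Consumer -match [regex]::Escape('Name="' + $_.Name + '"') }
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    $status  = if ($payload -match $suspicious) { 'SUSPICIOUS' } else { 'review' }
    [pscustomobject]@{
        Status   = $status
        Filter   = $f.Name
        Query    = $f.Query      # the WQL trigger, e.g. a __TimerEvent or process-creation query
        Consumer = $c.Name
        Payload  = $payload      # the command line or script the consumer runs
    }
}
```

On a clean workstation the binding list is normally empty or contains only entries you can attribute to management software (SCCM, monitoring agents); anything that launches PowerShell or a script host from a timer trigger deserves a closer look, and the SMBv1 finding should be remediated regardless of what the WMI check turns up.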
Speaking of unintended Monero mining, FireEye has spotted another exploit kit, called Neptune Exploit Kit, delivering a miner. After a machine is infected, the malware attempts to log in to minergate[.]com, a cryptocurrency GUI miner and mining pool, with the attacker’s email address, so the victim’s CPU cycles are credited to the attacker’s account. The kit was distributed through sites that claim to be hiking clubs.
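The network side of that behaviour is easy to hunt for: a workstation has no reason to talk to a mining pool. The following is an added example, not code from FireEye’s report or the original post, that flags pool traffic in web-proxy log lines. The log lines are constructed for illustration, the domain list is seeded only with the one domain the article names (minergate.com), and the port list is an assumption based on commonly used Stratum mining-pool ports; tune both to your own intelligence.

```powershell
# Added example: flag proxy log entries that look like a miner phoning home.
# Constructed sample lines in the shape "<time> <source-ip> <method> <target> <status>".
$logLines = @(
    '2017-08-22T10:14:03Z 10.1.4.22 GET     http://www.example.com/index.html 200',
    '2017-08-22T10:14:09Z 10.1.4.22 CONNECT minergate.com:443 200',
    '2017-08-22T10:15:41Z 10.1.4.31 CONNECT 203.0.113.7:3333 200',
    '2017-08-22T10:16:02Z 10.1.4.22 GET     http://api.minergate.com/1.0/user/login 200',
    '2017-08-22T10:17:30Z 10.1.4.40 GET     http://www.example.org/hiking/trails.html 200'
)

$indicatorDomains = @('minergate.com')                      # from the article; extend with your intel
$stratumPorts     = @(3333, 4444, 5555, 7777, 8888, 14444)  # assumption: common Stratum pool ports

function Test-MinerIndicator {
    param([string]$Line)
    $parts = $Line -split '\s+'
    if ($parts.Count -lt 4) { return $null }
    $timestamp, $src, $null, $target = $parts[0..3]

    # Normalise the target to host + port whether it is a URL or a CONNECT host:port.
    if ($target -match '^(?<scheme>https?)://(?<h>[^/:]+)(:(?<port>\d+))?') {
        $targetHost = $Matches['h']
        $port = if ($Matches['port']) { [int]$Matches['port'] }
                elseif ($Matches['scheme'] -eq 'https') { 443 } else { 80 }
    } elseif ($target -match '^(?<h>[^/:]+):(?<port>\d+)$') {
        $targetHost = $Matches['h']
        $port = [int]$Matches['port']
    } else {
        return $null
    }

    $reasons = @()
    foreach ($d in $indicatorDomains) {
        # exact match or any subdomain (api.minergate.com)
        if ($targetHost -eq $d -or $targetHost.EndsWith(".$d")) { $reasons += "mining-pool domain $d" }
    }
    if ($stratumPorts -contains $port) { $reasons += "Stratum-style port $port" }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time   = $timestamp
        Source = $src
        Host   = $targetHost
        Port   = $port
        Reason = ($reasons -join '; ')
    }
}

$hits = $logLines | ForEach-Object { Test-MinerIndicator $_ } | Where-Object { $_ }
$hits | Format-Table -AutoSize

# Roll up by source address so a noisy infected host surfaces once.
$hits | Group-Object Source | ForEach-Object { '{0}: {1} hit(s)' -f $_.Name, $_.Count }
```

Against the sample lines, the two entries from 10.1.4.22 match on the domain and the CONNECT from 10.1.4.31 matches on the port; the hiking-club page is not flagged, because the lure site itself is not the indicator here, the post-infection pool traffic is.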
So what can we learn from these exploits? Clearly, blockchain and cryptocurrencies are still in their early stages, and given the influx of capital to this sector, they have caught the attention of the bad guys who want to make a fast cryptobuck-equivalent. If you own any cryptocurrency, protect your digital wallets with strong, unique passwords and MFA, and prefer an authenticator app or hardware token over SMS codes, since a hijacked phone number defeats SMS-based resets. If your company is experimenting with blockchain technology, make sure you have the appropriate VPNs, network segmentation, and other protective controls in place to keep access to the underlying infrastructure tightly limited.