This article is more than 1 year old
Hackers seed StatCounter with nasty JavaScript in elaborate Bitcoin cyber-heist caper
Gate.io exchange believed to be target of embedded attack
Updated One of the top traffic metrics websites on the internet is apparently being used by criminals to steal Bitcoins from a currency exchange.
Researchers at ESET have found that the JavaScript used by StatCounter's analytics platform has been modified by miscreants so that when embedded into the pages of Gate.io, a cryptocurrency exchange, it can siphon off alt-coins.
The ESET team today said that the crooks injected malicious code within statcounter.com/counter/counter.js, a piece of JavaScript that StatCounter's two million or so customers embed in their websites to measure their visitor traffic.
While millions of sites may have pulled in that modified code, however, it appears that just one site was the target. ESET's eggheads say the malicious code within the StatCounter script performs a single check for a specific path: myaccount/withdraw/BTC.
"It turns out that among the different cryptocurrency exchanges live at time of writing, only gate.io has a valid page with this URI," explained ESET malware researcher Matthieu Faou.
"Thus, this exchange seems to be the main target of this attack."
Should that path be accessed by a visitor, a second script on a separate domain is fetched and executed. That script tries to redirect any Bitcoin transactions to one of several wallet addresses controlled by the masterminds of this attack.
Because the thieves used multiple wallets to receive the hijacked funds, the researchers do not know precisely how much was stolen. They believe, however, that the loss could be significant.
Gate.io did not respond to a request for comment, and StatCounter also could not be reached. ESET says it has notified both companies of the caper.
"Even if we do not know how many Bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange," said Faou.
"To achieve this they compromised an analytics service’s website, used by more than two million other websites, including several government-related websites, to steal Bitcoin from customers of just one cryptocurrency exchange website." ®
Updated to add
StatCounter says its web cache was poisoned to serve the booby-trapped JavaScript.
Biting the hand that feeds IT
