The skyrocketing value of bitcoin and Ethereum may not be the sole reason behind the recent uptick in cybercrimes focused on stealing cryptocurrencies, but industry analysts note that it certainly has given cybercriminals one more good reason to focus their efforts in this area.
In the last week Forcepoint reported the Trickbot banking trojan is now targeting cryptocurrencies, meanwhile the privacy advice and security comparison website Comparitech.com revealed a phishing scam aimed at scamming bitcoin from novice bitcoin users. In addition, a South Korean bitcoin exchange was hit, possibly by North Korean hackers.
Bitcoin is currently valued at about $4,500 while Ethereum is at $382, but so far this year the former’s value has increased more than 380 percent and the latter’s is up 4,000 percent making each a worthwhile target. The fact that these funds can be harvested digitally has always made them a target for attack, or mining, but the higher their value the more interest will be garnered.
“Malware has existed since at least 2011 that harvest’s bitcoin wallets. Crypto-currency is becoming more mainstream. Ransomware has certainly bought it to the fore and now the public are aware of it, thus more people use it, there is more money contained within those systems and cybercriminals follow the money. They see it as a good ROI for them,” Carl Leonard, principal security analyst at Forcepoint, told SC Media.
Paul Bischoff, privacy advocate for Comparitech.com, said the scam his company found also has been going on for years, but he believes the uptick in cryptocurrency value will spur more illegal activity.
“This particular scam has been in place since 2015, so I don’t think it had much to do with the rising valuations of Bitcoin and Ethereum. More broadly speaking, however, cryptocurrencies have never been more popular. That fact combined with their rising value does make them an increasingly lucrative target for cyber criminals. As long as those two trends continue, I don’t see any reason for thieves to back off,” he told SC Media.
Leonard agreed, adding that he believes cyber bank robbers will start adapting different types of malware to go after cryptocurrencies.
Part of that can be seen with what has taken place with Trickbot.
Trickbot, which is used against large financial institutions to steal conventional currency, has been updated by a user to include the cryptocurrency exchange coinbase.com as a target to go along with the 130 or so bank already on its list. Adding a new institution is not unusual, in June Paypal was added, but now the trojan has the ability to place non-traditional currencies at risk, said Forcepoint analyst Roland Dela Paz.
Despite the new capability, the attack scenario remains the same with the victim receiving an email purportedly from a major financial institution in which the person is told to download what turns out to be a malicious attachment containing Trickbot. Forcepoint has so far captured 8,600 emails from the UK, France and Canada using this scheme.
The scheme uncovered by Comparitech.com is much more complicated and specifically targets current bitcoin users, specifically those interested in what is termed bitcoin mixing. This is the practice of taking money from one bitcoin account and breaking it into hundreds of smaller transactions so that it can be transferred to another account anonymously. In this case the bad guys have hidden links within apparently legitimate article that pose as tutorials on how to conduct a bitcoin mixing transaction and includes links to two bitcoin mixing services, but these in fact lead to phishing sites that simply steal the person’s cryptocurrency.
What makes this operation so successful is the “articles” appear at the top of any Google search for bitcoin mixing so they are the most likely to be grabbed and used by a beginner cryptocurrency user.