One of the largest cryptocurrency exchange, gate.io, was targeted by a third-party, aka supply-chain attack. The attackers inserted a malicious code to a Web Analytics tool, called StatCounter, to steal bitcoins from gate.io.

A sophisticated attack with one goal; BTC theft

As the latest ESET research reveals thedetails on the attack, we see that it is a sophisticated attack and directly targets gate.io, while it could have targeted many other companies used the same StatCounter Web Analytic tool.

The 7-line malicious code injected in StatCounter’s javascript first checks a specific URL used in gate.io, and if it matches, it creates a new script element incorporating a php file at www[.]statconuter[.]com. All the details show that hackers designed their attacks such that they seize the information that user goes to gate.io and the web analytic tool will direct them www[.]statconuter[.]com, which is designed to steal BTC. Attacks on cryptocurrency markets has become attractive to hackers, a situation which raises the question: Is Your Money Safer in Cryptocurrency Exchange Markets than Banks?

btc theft

Image adopted  from ESET research.

The attackers use a phishing domain that has a letter swap (statcounter -> statconuter) to trick people who examine the code. This is not the first time we see that a phishing domain used in an attack that injects malicious code to a Javascript. In the recent British Airways and Newegg attacks as a part of a cardskimmer campaign called Magecart, we saw the same pattern.

We also check the possible phishing domains with our Free Phishing Domain Search service and we found 42 possible phishing domains for StatCounter.

StatCounter

As expected, the one used in this attack, namely statconuter[.]com, is on our list. Even with a basic proactive approach by checking possible phishing domains of StatCounter, this attack may have been avoided.

StatCounter Normshield

Javascripts in supply chains increase cyber risk

Supply chains consist of third-party vendors and software used in a company’s system. Usually, companies overlook the cyber risk posed by javascripts used in their websites, such as web analytic tools. Recently, TicketMaster was hacked through a web application javascript of Inbenta in a similar way, an attack which caused of potential breach of 40,000 UK citizens’ personally identifiable information (PII). Not too long after this attack, British Airways and Newegg have become victim of same attacker group. While the former attack potentially jeopardized financial and personal information of 380,000 customers, the latter exposed massive number of online shoppers’ payment information.

A javascript created by Shopper Approved used to get customer ratings also got hacked last month. The javascript is used by certain numbers of e-commerce sites, and their customers’ may have been exposed due to this attack.

Third-party javascripts are part of software supply chain and they increase the cyber risk of a company as much as other software used in the supply chain. While mitigating the cyber risk due to software supply chain, 3rd-party javascripts should also taken into consideration.

How to avoid 3rd-party Javascript attacks

  • Limit use of external javascripts by avoiding use of javascripts that you do not require.
  • Most of the attacks come from widely-used “freewares”. Determine if you really need that javascript. If not, do not allow to use it. This rule also applies to other software, web browser extensions, and plugins.
  • Use subresource integrity, a security feature which enables browsers to verify that resources they fetch are delivered without unexpected manipulation.
  • Monitor your cyber risk for third-party attacks. The victim of software supply-chain attack might be one of your third-party vendor and attack may spread to you.
  • Use IDS/IPS systems to detect anomalies in your system.
  • Patch management is also crucial to avoid such attacks.