Cryptocurrency exchange Gate.io has removed StatCounter, one of the most popular web analytics tools, from its website following reports of a security breach, the company announced in a blog post on November 7, 2018.
A Supply Chain Attack on Cryptocurrency Exchange
Cryptocurrency hackers have reportedly attacked one of the internet’s most used traffic analytics services, StatCounter, to steal bitcoin from users of cryptocurrency exchange Gate.io.
According to a blog post on Gate.io, the company decided to stop using StatCounter for traffic stats after getting a notice about suspicious behavior in StatCounter’s traffic stats service.
Matthieu Faou, the ESET malware researcher who discovered the hack, said that this malicious code hijacks any Bitcoin transactions made through the web interface of the Gate.io cryptocurrency exchange. “We contacted [StatCounter] but they haven’t replied yet,” Faou told ZDNet in an email.
“The JavaScript file at www.statcounter[.]com/counter/counter.js is still compromised.”
Faou said the malicious code was first added to this StatCounter script on November 3, and that none of the companies that currently load the company’s tracking script have anything to fear. The malicious code inserted into StatCounter’s site-tracking script only targets the users of cryptocurrency exchange Gate.io.
Statcounter Web Analytics Script Set to Steal Bitcoins
According to a PublicWWW search, there are over 688,000 websites that currently appear to load the company’s tracking script. However, ESET’s research pointed out that the malicious code in question looks at the page’s current URL and won’t activate unless the page link contains the “myaccount/withdraw/BTC” path.
The URL targeted by the malicious code was quickly identified as belonging to the Gate.io exchange, which is currently ranked 39th in CoinMarketCap‘s rankings.
(Source: ESET)
The URL targeted by the malicious code is part of a user’s account dashboard and opens to a page on which users make Bitcoin withdrawals and transfers. Faou says the malicious code was built to replace any Bitcoin address users enter on the page with one controlled by the attacker.
“A different Bitcoin address is used for each victim. We were not able to find the attackers’ main Bitcoin address. Thus, we were not able to pivot on the blockchain transactions and find related attacks,” Faou told ZDNet, suggesting it’s still impossible to determine the amount of bitcoin the group might have stolen.
In the conclusion to his report, Faou said that the recent security breach again demonstrates the fact that external JavaScript code is under the control of a third party and can be modified at any time without notice. Both ESET and Gate.io have urged their users to ensure their two-factor authentication is activated and that they have enabled a two-step login for their Gate.io accounts.
