Statcounter is one of the oldest third-party user tracking services on the web, having existed since 1999. Beginning as a simple statistics and visitor counting service, Statcounter over time grew into what it is today: a full-fledged, enterprise-quality analytics service.
Gate.io, a more recent entrant in the bitcoin exchange space, used Statcounter to track user traffic until this week when a security researcher named Matthieu Faou discovered a breach in the Statcounter JavaScript file which was specifically targeted at Gate, capturing and hijacking bitcoin transactions made through the Gate interface.
Faou works for ESET, a security firm on the order of MalwareBytes or Norton, which provides consumer and enterprise security products and necessarily conducts research and penetration tests. He says the compromise was designed to replace bitcoin withdrawal addresses on the Gate.io platform with addresses belonging to the attacker.
Primary Script Was Compromised, But Only Gate.io Was Targeted
The attack was more sophisticated than some previous attacks of the same nature, such as malicious malvertising based attacks which installed themselves and did the same thing across websites, living in the browser rather than a piece of code on a single site. More sophisticated because the attackers generated a new address for each attack, making it extremely difficult to track the destination of the stolen funds.
It’s thus difficult to determine exactly how many users were affected. It’s also unknown how the breach went down in the first place via Statcounter.
The malicious code specifically targeted a relevant sector of the Gate.io code – namely, its withdrawal interface – and to Faou’s knowledge, the part of the script dedicated to stealing funds would not have worked on any other site because other sites are designed differently.
In response to the attack, Gate.io has removed the Statcounter script from their site.
Gate.io Says No Damages
According to a blog post by Gate.io, nothing actually happened as a result of the attack. This can only mean a couple things.
One, the script was poorly written and failed to actually do its job.
Two, ESET and Faou discovered the attack before anyone made a withdrawal on which the JavaScript would fire.
“On Nov. 6, 2018, we got the notice from ESET researcher’s report and the “ESET Internet Security” product that there’s a suspicious behavior in Statcounter’s traffic stats service. We immediately scanned it on Virustotal in 56 antivirus products. No one reported any suspicious behavior at that time [ …] However, we still immediately removed the Statcounter’s service. After that, we didn’t find any other suspicious behaviors. The users’ funds are safe. To have the maximum security, please make sure you have two-factor authentication (Google OTP or SMS) and two-step login protected.”
If it is indeed the case that no user transactions were compromised, then this was a narrow miss. All the same, the fact that the attackers went to the trouble of compromising a stalwart piece of web software in order to get at one single exchange demonstrates the need for constant awareness in cryptocurrency dealings. Do you trust the tools you’re using?
Featured Image from Shutterstock
Follow us on Telegram or subscribe to our newsletter here.