Hackers breach StatCounter to hijack Bitcoin transactions on the Gate.io exchange


Hackers breached StatCounter, one of the largest web analytics platforms on the Internet, and inserted malicious code into the company's main site-tracking script.

According to Matthieu Faou, the ESET malware researcher who discovered the hack, this malicious code hijacks any Bitcoin transaction carried out through the web interface of the Gate.io cryptocurrency exchange.

"We contacted [StatCounter] but they have not yet answered," Faou told ZDNet today in an email. "The JavaScript file at www.statcounter[.]com/counter/counter.js is still compromised."

Faou says the malicious code was first added to this StatCounter script over the weekend, on Saturday, 3 November. The code is still active, as shown in a screenshot acquired before the publication of this article.


This JavaScript file is the centerpiece of StatCounter's analytics service. Similar to the Google Analytics tracking code, companies load this script on their sites to track visits and review traffic history.

According to a PublicWWW search, over 688,000 websites currently appear to load the company's tracking script.

But according to Faou, none of these companies has anything to fear, at least for now. This is because the malicious code included in the StatCounter site-tracking script targets only the users of one site: the cryptocurrency exchange Gate.io.

The ESET researcher says that the malicious code looks at the current URL of the page and will not activate unless that URL contains the "myaccount/withdraw/BTC" path.

Faou states that the only website on which he identified this URL pattern was Gate.io, one of the main cryptocurrency exchanges, currently ranked 39th in the CoinMarketCap rankings.

The URL targeted by the malicious code is part of a user's account dashboard and, more specifically, is the URL of the page where users make Bitcoin withdrawals and transfers.

Faou says that the purpose of the malicious code is to secretly replace any Bitcoin address that users enter on the page with one controlled by the attacker.

"For each victim a different Bitcoin address is used: we were not able to find the attackers' main Bitcoin address, so we were not able to pivot on blockchain transactions and find related attacks," Faou told ZDNet, suggesting that it is still impossible to determine the amount of Bitcoin that the group may have stolen.

Both ESET and ZDNet contacted StatCounter to inform them of the security breach, but the company has not responded to either of us.

We also contacted Gate.io, but the exchange did not respond either. However, despite the radio silence, Gate.io administrators have removed the StatCounter script from their site.

"Gate.io no longer uses StatCounter," Faou told ZDNet. "Therefore, Gate.io's customers should be safe now."

However, there are still questions about the number of Gate.io users who may have been affected by this security incident and the reparations they may be entitled to, questions that Gate.io still has to address.

The StatCounter incident is just the latest in a long list of recent supply chain attacks via third-party JavaScript code loaded on legitimate sites. In the last year, criminals have hacked several online services to deliver in-browser cryptocurrency mining scripts or card-skimming code to unsuspecting users.

"This [incident] is another reminder that external JavaScript is under the control of a third party and can be changed at any time without notice," Faou said in a report on the StatCounter hack published today on the ESET blog. More detail for security researchers trying to dig deeper into the StatCounter hack is available in Faou's technical analysis.

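The reminder quoted above, that an external script can change without notice, is the case Subresource Integrity (SRI) pinning is meant to catch. The following is an added example, not code from ESET, ZDNet or StatCounter: it applies the SRI matching rule in Node.js to a reviewed script body and to a later, changed one. The script bodies, the `cdn.example` URL and the function names are constructed for illustration.

```javascript
const { createHash } = require("crypto");

// Weakest to strongest; only the strongest algorithm listed is checked.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Integrity value ("sha384-<base64>") for a script body you have reviewed.
function sriDigest(body, alg = "sha384") {
  if (!STRENGTH.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(body, "utf8").digest("base64")}`;
}

// Apply the SRI matching rule to a fetched body: skip unrecognised tokens,
// keep the strongest algorithm present, accept if any of its digests match.
function verifySri(body, integrity) {
  const parsed = integrity
    .trim()
    .split(/\s+/)
    .map((tok) => {
      const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/.exec(tok);
      return m ? { alg: m[1], token: `${m[1]}-${m[2]}` } : null;
    })
    .filter(Boolean);
  // No usable token means nothing is enforced and the script would load.
  if (parsed.length === 0) return { enforced: false, ok: true };
  const strongest = parsed.reduce((a, b) =>
    STRENGTH.indexOf(b.alg) > STRENGTH.indexOf(a.alg) ? b : a).alg;
  const ok = parsed
    .filter((p) => p.alg === strongest)
    .some((p) => p.token === sriDigest(body, strongest));
  return { enforced: true, ok, alg: strongest };
}

// Markup that pins a cross-origin script to the reviewed digest.
function scriptTag(src, integrity) {
  return `<script src="${src}" integrity="${integrity}" crossorigin="anonymous"></script>`;
}

// Constructed sample bodies (not StatCounter's real code).
const reviewed = "var sc_project = 1;\nfunction sc_track() { /* send page view */ }\n";
const changed = reviewed + "/* line added upstream after review */\n";

const pin = sriDigest(reviewed);
console.log(scriptTag("https://cdn.example/counter.js", pin)); // placeholder URL
console.log("reviewed copy:", verifySri(reviewed, pin));
console.log("changed copy: ", verifySri(changed, pin));
```

A tracking script that its vendor updates in place fails such a pin on every legitimate change as well, so pinning is normally paired with serving the reviewed copy from an origin you control.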