On November 6, the information technology company ESET disclosed that on November 3, “attackers successfully breached StatCounter, a leading web analytics platform.” ESET stated that many webmasters use StatCounter to gather statistics on their visitors: for example, StatCounter itself reported that it has more than 2 million member sites and computes statistics on more than 10 billion page views per month.
The main purpose of the StatCounter breach appears to have been to enable the attackers to divert Bitcoins from a highly popular cryptocurrency exchange, Gate.io. In order to gather statistics on their sites’ visitors, according to ESET, webmasters “usually add an external JavaScript tag incorporating a piece of code from StatCounter – http://www.statcounter[.]com/counter/counter.js – into each webpage.” The attackers’ breach of StatCounter enabled them to inject JavaScript code into all websites that use StatCounter. That code included a script that targets a specific Uniform Resource Identifier (URI) which, at the time of the breach, appears to have been associated only with Gate.io; the script was apparently designed to steal bitcoins by diverting bitcoin transfers from Gate.io to a wallet that the attackers control. Because the script generates a new bitcoin address each time a visitor loads it, ESET stated, “it is hard to see how many bitcoins have been transferred to the attackers.”
Because several million dollars, $1.6 million of it in bitcoin transactions alone, transit Gate.io every day, ESET suggested that “it could be very profitable for attackers to steal cryptocurrency at a large scale on this platform.” ESET indicated that it did not know how many bitcoins may have been stolen during this attack, but added, “it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange.”
In a November 7 postscript, ESET reported that on November 6, StatCounter had removed the malicious script and Gate.io had “stopped using StatCounter analytics services to prevent further infections,” meaning that both sites could be safely browsed.
Note: This account (which The Register first reported) provides yet another indication that cryptocurrency exchanges can be as attractive to cyberattackers as the websites of financial institutions and other businesses, and therefore need to take their own cybersecurity as seriously as they do their day-to-day business activities. As ESET correctly noted, “even if your website is updated and well protected, it is still vulnerable to the weakest link, which in this case was an external resource. This is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice.” Information security teams interested in the details of the malicious code should consult the November 6 post on ESET’s blog, WeLiveSecurity.