Hackers breach StatCounter to hijack Bitcoin transactions on Gate.io exchange

Hackers have breached StatCounter, one of the web’s largest web analytics platforms, and have inserted malicious code inside the company’s main site-tracking script.

According to Matthieu Faou, the ESET malware researcher who discovered the hack, this malicious code hijacks any Bitcoin transactions made through the web interface of the Gate.io cryptocurrency exchange.

“We contacted [StatCounter] but they have not replied yet,” Faou told ZDNet today in an email. “The JavaScript file at www.statcounter[.]com/counter/counter.js is still compromised.”

Faou says the malicious code was first added to this StatCounter script over the weekend, on Saturday, November 3. The code is still live, as this screenshot taken before the article’s publication can attest.

This JavaScript file is the central piece of StatCounter’s analytics service. Similar to the Google Analytics tracking code, companies load this script on their websites to track visits and review visitor history.

According to a PublicWWW search, there are over 688,000 websites that currently appear to load the company’s tracking script.

However, according to Faou, none of these companies have anything to fear, at least for now. This is because the malicious code inserted into StatCounter’s site-tracking script only targets the users of one website: cryptocurrency exchange Gate.io.

The ESET researcher says that the malicious code looks at the page’s current URL and will not activate unless the page link contains the “myaccount/withdraw/BTC” path.

Faou says that the only website on which he identified this URL pattern was Gate.io, a major cryptocurrency exchange, currently ranked 39th on CoinMarketCap’s rankings.

The URL targeted by the malicious code is part of a user’s account dashboard, and more specifically it is the URL for the page on which users make Bitcoin withdrawals and transfers.

Faou says the malicious code’s purpose is to secretly replace any Bitcoin address users enter on the page with one controlled by the attacker.

“A special Bitcoin address is used for every victim. We weren’t able to find the attackers’ main Bitcoin address. Thus, we weren’t able to pivot on the blockchain transactions and find related attacks,” Faou told ZDNet, suggesting it is still impossible to determine the amount of Bitcoin the group might have stolen.

Both ESET and ZDNet have reached out to StatCounter to notify it about the security breach, but the company has not responded to either of us.

We also reached out to Gate.io, but the exchange, too, has not responded. Nonetheless, despite the radio silence, Gate.io admins have removed the StatCounter script from their website.

“Gate.io does not use StatCounter anymore,” Faou told ZDNet. “Thus, Gate.io customers should be safe now.”

Nonetheless, there are still questions regarding the number of Gate.io users who might have been affected by this security incident, and the reparations they might be entitled to, questions which Gate.io still needs to address.

The StatCounter incident is just the latest in a long list of recent supply-chain attacks via third-party JavaScript code loaded on legitimate websites. In the past year, miscreants have hacked several online services to deliver in-browser cryptocurrency-mining scripts or card-skimming code to unsuspecting users.

“This [incident] is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice,” Faou said in a report of the StatCounter hack published on the ESET blog today. Indicators of compromise for security researchers wanting to dig deeper into the StatCounter hack are available in Faou’s technical analysis.
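
A site can limit the exposure Faou describes by pinning a third-party script to a known-good digest, which is what browsers enforce through a Subresource Integrity `integrity` attribute. The Node.js code below is an added example, not code from the article, ESET or StatCounter; the function names are hypothetical and both script bodies are constructed stand-ins.

```javascript
// Added example: verify a third-party script body against a pinned
// SRI-style integrity value before trusting it.
const crypto = require("crypto");

// Algorithm strength order used when several digests are listed.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// Build a token such as "sha384-<base64 digest>" for a script body.
function sriToken(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse an integrity value: whitespace-separated "alg-digest" tokens.
// Tokens with an unsupported algorithm or empty digest are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((tok) => {
    const i = tok.indexOf("-");
    return { alg: tok.slice(0, i), digest: tok.slice(i + 1).split("?")[0] };
  }).filter((m) => STRENGTH.has(m.alg) && m.digest.length > 0);
}

// Like a browser, check only the strongest algorithm listed and accept a
// match on any digest of that algorithm. Unlike a browser, fail closed
// when the pin contains no usable digest.
function verifyScript(body, integrityAttr) {
  const meta = parseIntegrity(integrityAttr);
  if (meta.length === 0) return { ok: false, reason: "no usable pin" };
  const best = Math.max(...meta.map((m) => STRENGTH.get(m.alg)));
  const candidates = meta.filter((m) => STRENGTH.get(m.alg) === best);
  const alg = candidates[0].alg;
  const actual = crypto.createHash(alg).update(body).digest("base64");
  const ok = candidates.some((m) => m.digest === actual);
  return { ok, reason: ok ? "match" : `${alg} digest changed`, actual: `${alg}-${actual}` };
}

// Constructed sample data: a reviewed script body and the same body with
// extra code appended upstream (placeholder content only).
const CLEAN_BODY = "var sc_project = 0; /* constructed tracking script */";
const TAMPERED_BODY = CLEAN_BODY + "\n/* constructed injected code */";

const PIN = sriToken(CLEAN_BODY);
console.log(verifyScript(CLEAN_BODY, PIN).reason);
console.log(verifyScript(TAMPERED_BODY, PIN).reason);
```

A pin only suits a script whose content is meant to stay fixed; a vendor file that is updated in place needs either a self-hosted reviewed copy or monitoring that alerts on every digest change.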

About Tom Greenly
