Regardless of your views on the virtual currency or value system, just like dollars — physical or electronic — the cryptographic currency can be used for honest and dishonest dealings alike. But by using bitcoins, people expose themselves to additional information security risks. For starters, that’s because the skyrocketing value of a bitcoin has driven criminals to hunt for, and exploit, any and every related weakness they can find.
Furthermore, when it comes to the infrastructure supporting bitcoins, weaknesses abound.
With that in mind, here are seven reasons why the increasing volume of bitcoin-targeting attacks won’t stop.
1. Cybercrime follows the money
Criminals aren’t just tapping bitcoins to disguise or launder illegal transactions. They’re also trying to steal bitcoins themselves, which by virtue of being a cryptographic currency are incredibly difficult to trace. Also, with the value of a bitcoin at times reaching $1,200, cybercriminals who pull off even a small heist may net a million-dollar payday. “How can they ignore so much value?” said Etay Maor, a cybercrime expert who works for IBM’s Trusteer, speaking by phone.
2. Bitcoin infrastructure: still in its infancy
When it comes to protecting bitcoin transactions, however, consider what happens when you go online with an FDIC-certified bank: For starters, most banks have deployed an array of defenses against online attackers, including anti-phishing software and adaptive authentication checks. Attackers can be further foiled by using one-time approval codes sent via SMS, or providing customers with a key fob that generates a secure authentication code, either of which can be required before money transfers or other high-risk activities are allowed to proceed. Finally, all of those processes are backed by fraud detection departments and systems that can automatically freeze accounts at the first sign of any suspicious activity.
Now, how many bitcoin exchanges or payment providers offer similar levels of information security? “They’re not like these banking websites that have been around for 10 years and have experienced multiple attacks. So they make a better target,” said Trusteer’s Maor.
He added as a disclaimer that he hasn’t personally reviewed the security of any bitcoin sites. “So I don’t want to say they’re not secure — because I haven’t checked out their security. But they’re less experienced,” he said. “And yet, they’re still handling millions if not billions in money.” Is it any surprise they’re being targeted by attackers trying to exploit any vulnerability they can find in those sites to make a quick and untraceable buck?
3. Banking malware adaptable to bitcoins
People who store bitcoins on their PCs have already been targeted by malware that scans for bitcoin files, then copies them for the attackers. Targeting bitcoin exchange users turns out to be a relatively simple exercise, at least for existing crimeware toolkit builders and by extension their customers.
Take the Gameover malware, which is a Zeus variant designed to target banks. “I don’t want to give the bad guys credit, but it’s one of the better versions of Zeus,” Maor said. One feature of the malware is that, on any system it’s infected, it waits for a user to connect to a designated banking website, then steals their login credentials and relays them to attackers.
About three weeks ago, however, a new version of Gameover debuted that also began watching for anyone who connected to Shanghai-based BTC China Exchange, which handles 40% of the world’s bitcoin transactions. BTC China does employ one-time codes to verify transactions. Accordingly, the malware will hide any attacker-made transactions — using HTML injection — and, in a social engineering attack, tell the user that they should input the one-time code they’re about to receive as a security check. If they do, the malware siphons off their holdings.
Technically speaking, adapting Gameover to steal bitcoins required only a minor upgrade. “It’s simply adding a new target to the long list of targets that it has,” Maor said. “Everyone knows banking applications and services are targeted, but they should know that these bitcoin services are a target too.”
4. Bitcoin exchanges are like banks — in the Wild West
As the Gameover variant suggests, anyone buying or selling bitcoins is signing up for a set of risks that go beyond the fluctuating value of their currency, starting with ones from the very organizations that they rely on to handle the currency. “It really is a modern-day bank on the frontier, the old Western bank,” said Carl Herberger, VP of security solutions at Radware, speaking by phone.
Unlike a modern-day Wells Fargo, bitcoin depositors must worry not only if their funds will be stored securely, but also if their banker is really a banker. For example, the China-based bitcoin exchange GBL, which launched in May, shut without warning in October, when whoever was running the site absconded with almost 1,000 of people’s bitcoins, which were worth about $4.1 million.
The same month as that scam, two separate attacks against Australia-based Inputs.io resulted in the theft of all 4,100 bitcoins — worth about $1.3 million — being held by the web wallet service, which had advertised itself as being a “free and secure bitcoin wallet for everyone.” Likewise, in November, hackers used a distributed denial-of-service (DDoS) attack to disguise a heist of 1,285 bitcoins — worth almost $1 million — from an e-wallet service offered by Denmark-based processing provider Bitcoin Internet Payment System (BIPS).
Needless to say, those e-wallet heists lead security experts to warn users against storing any bitcoins online.
5. Spammers can target bitcoins too
Criminals have also been targeting bitcoin users via spam attacks and bogus websites. For example, Kenny MacDermid, a security research analyst with Arbor Networks’ ASERT team, recently said he’d received three copies — in a single day — of spam from bitcoin-alarm.net. The site offers instructional videos, as well as a free, downloadable Windows executable called BitcoinAlarm.exe, which purports to tell users when the value of bitcoins fluctuates.
Is the application legitimate? In fact, MacDermid’s scans of the executable found that it will install a script on the system that first checks to see if antivirus applications are running, which is never a good sign. “A scan of the rest of the file contains other interesting methods like ‘disable_uac,’ ‘anti_hook,’ ‘persistence,’ ‘botkiller,’ ‘downloader,’ ‘disable_syste_restore,'”MacDermid said in a blog post.
Digging a bit deeper, another file dropped by the installer is a remote-access Trojan called NetWiredRC, which is used to steal login information, and “likely in this case being used to steal bitcoins,” MacDermid said. In case you had any doubts, the Trojan also connects to “bitcoins.dd-dns.de.” As of Thursday, 23 out of 49 virus engines flagged Bitcoin Alarm as malicious. But last week, it was only being flagged by Kaspersky Lab.