- Cryptocurrency -

Last update 09.10.2017 13:51:50


CipherTrace Unveils Crypto-Currency Anti-Money Laundering Solution
5.7.2018 securityweek  Cryptocurrency

Cryptocurrency theft, and the use of cryptocurrency to launder the proceeds of other crimes, is booming. This has prompted the growth of a related industry that sits on the borderline of legality (barely legal in some jurisdictions, illegal in others): cryptocurrency money laundering. Laundering illegally obtained money is illegal, but the process used to do it may not be.

CoinMixer is one such service that is advertised on Google Search. It says of its service, "Generally there is no link between the original transactions and the final address of the coins. This process protects your privacy and prevents other people tracing your payments on the internet." While this process can help with possibly legitimate privacy concerns, it is precisely what is required for money laundering.

Menlo Park, Calif. startup CipherTrace was founded to provide cryptocurrency anti-money laundering (AML), blockchain forensics and enforcement solutions. It aids law enforcement and financial regulators in their investigations, helps enterprises deploy real-world cryptocurrency transaction systems within regulations, and offers a bitcoin scam and theft asset recovery service.

The CipherTrace Cryptocurrency Anti-Money Laundering Report for Q2, 2018 (PDF) shows the size of the problem and highlights some of the regulatory discussions happening at international level. Stolen cryptocurrency alone reached more than $750 million in the first half of 2018 -- already nearly three times the amount stolen in all of 2017. The report adds, "The FBI noted that the value of virtual currencies contained in the Internet Crime Center 2017 reports were $58.3M, citing cyber actor demands of ransom payments, typically in virtual currency such as Bitcoin."

All this currency needs to be laundered before the criminals can safely access it. This is typically done through sites offering mixers, tumblers and chain-hopping services. "The more dirty crypto money that goes into the systems and the more it moves around, the harder it becomes for investigators to see through the web of action and trace a path back to the source."

Governments and law enforcement agencies are not ignoring the use of cryptocurrencies to launder illegal gains. At the 5th Annual Europol Virtual Currency Conference, held in The Hague in the Netherlands, Jamal El-Hindi of the U.S. Financial Crimes Enforcement Network (FinCEN) reiterated FinCEN's position: "We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws."

The cryptocurrency theft problem that feeds the laundering industry shows no sign of slowing down. It ranges from the theft of individual wallets, through the use of cryptocurrencies in ransomware extortion, to major thefts from large cryptocurrency exchanges.

"Cybercriminals follow easy money," comments High-Tech Bridge CEO Ilia Kolochenko, "and many cryptocurrency owners are the perfect victims. They are virtually unable to protect either themselves or their digital assets, being susceptible even to relatively simple phishing attacks. Law enforcement is frequently uninterested in investigating and prosecuting petty offences with digital coins theft, as they are already under water with highly-sophisticated nationwide hacks."

He points out that cryptocurrency startups are often ignorant of the fundamentals of cybersecurity, and devote all their efforts and resources to survival in an extremely volatile and highly-competitive market.

"We can almost certainly expect further proliferation of security incidents related to cryptocurrencies. Attackers have now established impressive infrastructure purposely tailored for large-scale theft and scams with digital coins. Owners of crypto assets should remain extremely vigilant, keep all their devices and installed software up to date, install at least a free antivirus from a reputable vendor, use two-factor authentication and unique passwords, and never entrust their wallets to any third parties unless they have a very good reason to utterly trust them."

F-Secure security advisor Sean Sullivan has advocated a form of 'Know Your Customer' regulation for cryptocurrency exchanges. "Bitcoin exchange accounts could be required to be tied to a physical address," Sullivan said. Currently it takes just minutes -- or seconds -- to open a Bitcoin account at a third-party exchange. Tying accounts to a physical address would mean an activation code is mailed to the customer before the account can be opened. While this would not affect criminals who do business out of Russia and China, it would make their attacks far less profitable, and would make the tracking of illegally acquired cryptocurrency by law enforcement considerably easier.

"The exchanges would hate it. But given the hundreds of millions of dollars being extorted every few months, it seems appropriate," Sullivan says. "Barring this or a similar step, exponential growth of malware families delivering these threats seems to be the only other option."

Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation
5.7.2018 securityaffairs Cryptocurrency

Crooks are using an alternative scheme to mine cryptocurrency: instead of injecting the CoinHive JavaScript miner directly into compromised websites, they load Coinhive shortlinks through hidden iframes.
Security researchers at Malwarebytes Labs have uncovered a new crypto-mining campaign that, unlike most others, does not inject the CoinHive JavaScript miner directly into compromised websites.

CoinHive also provides a URL shortener service that creates a short link for any URL. The difference from similar services is that it introduces a delay, so that the visitor's browser mines Monero for a period of time before being redirected to the original URL.

The length of that delay is governed by the number of hashes the visitor's browser must compute before the redirect, which the link creator chooses in Coinhive's settings. Attackers can therefore force visitors' browsers to mine for far longer than a few seconds.

The experts at Malwarebytes discovered that a large number of legitimate websites have been hacked to load short URLs generated with the CoinHive service through a hidden HTML iframe. With this trick, attackers force visitors' browsers into mining cryptocurrency without their knowledge.

“We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.” reads the analysis published by Malwarebytes.

<iframe src="https://cnhv[.]co/3h2b2" width="1" height="1" align="left"></iframe>
[Image: CoinHive JavaScript miner]

“The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.”

This mining scheme is a novelty in the threat landscape because it does not rely on injecting CoinHive's JavaScript into the compromised websites.

Malwarebytes experts linked this last campaign to the one monitored by Sucuri researchers in May.

The attackers add obfuscated JavaScript to the compromised websites; as soon as the page loads in the browser, this code dynamically injects an invisible 1×1 pixel iframe into the page.

The browser then mines inside the hidden iframe until the shortlink's hash target is reached. Because the iframe is invisible, the visitor never sees the progress bar or the redirect, and with the hash counts used in this campaign the mining effectively continues for as long as the page stays open.


“In Figure 3 we made the iframe visible by changing its dimensions, to show that rather than waiting for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page,” continues the analysis from Malwarebytes. “Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.”

Experts also discovered that the cybercriminals are injecting hyperlinks to other compromised websites to trick victims into downloading desktop cryptocurrency miners disguised as legitimate software.

“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online,” continues the researchers.

“In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners.”

Further technical details about the campaign, including the IoCs, are reported in the blog post.

A sample of CryptoCurrency Clipboard Hijackers monitors 2.3 Million Bitcoin addresses
2.7.2018 securityaffairs Cryptocurrency

A sample of CryptoCurrency Clipboard Hijackers discovered this week by BleepingComputer monitors for more than 2.3 million addresses.
Almost everyone who sends cryptocurrency copies the recipient's wallet address from one application to the clipboard and pastes it into another to make the transaction.

Crooks’ interest in cryptocurrency continues to grow, and malware has been specifically designed to recognize wallet addresses in the clipboard of infected computers and abuse them, for example by hijacking transactions.

This family of malware is called CryptoCurrency Clipboard Hijackers: it monitors the Windows clipboard for cryptocurrency addresses and, when it detects one, replaces it with an address controlled by the attacker.

With this simple trick, when the user pastes the address, the coins go to the attacker instead of the intended recipient.

In March, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address and alter the clipboard to steal cryptocurrencies and payments. In June, experts from Qihoo 360 Total Security spotted a new campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers, most of them in Asia, mainly China.

What is different about the sample of cryptocurrency clipboard hijackers recently discovered by researchers at BleepingComputer?

While most of the previous samples monitored for 400-600 thousand cryptocurrency addresses, the sample discovered this week by BleepingComputer monitors for more than 2.3 million cryptocurrency addresses.

[Image: CryptoCurrency Clipboard Hijackers]

BleepingComputer published a video showing how CryptoCurrency Clipboard Hijackers replace cryptocurrency addresses found in the Windows clipboard.

The only reliable way to defeat this kind of attack is to double-check the pasted address against the intended one, in full, before sending.

The infection is associated with the recent campaign that targeted Windows computers with the so-called All-Radio 4.27 Portable malware package.

[Image: CryptoCurrency Clipboard Hijackers infection]

“If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.” reads a post published by BleepingComputer.

Once the malicious package is installed, a DLL named d3dx11_31.dll is downloaded to the Windows Temp folder and an autorun entry named “DirectX 11” is created to run the library every time a user logs into the computer.

“This DLL will be executed using rundll32.exe with the “rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded” command.”

As usual, let me suggest using an up-to-date antivirus solution to detect and neutralize these threats.