- Is that Rosa Parks in random Twitter user’s baby photo? Tuesday 8:24 PM
- Syracuse students say white supremacist manifesto was AirDropped to them Tuesday 7:44 PM
- Florida woman gets prison time for throwing slushie at Matt Gaetz Tuesday 6:28 PM
- Marie Kondo’s online store slammed for selling clutter-worthy products Tuesday 5:34 PM
- People are rallying against toxic masculinity on International Men’s Day Tuesday 4:42 PM
- Reddit wants to stop its pro-Trump forum from outing the alleged whistleblower Tuesday 3:38 PM
- White woman calls cops on man who said he was visiting aunt with his kids Tuesday 3:12 PM
- ‘The Stranded’ is a flawed yet addictive blend of ‘Degrassi’ and ‘Lost’ Tuesday 2:45 PM
- The ‘gonna tell my kids’ meme is revisionist history at its most absurd Tuesday 2:24 PM
- Redditor asks former burglars to give home security tips Tuesday 2:18 PM
- Facebook-Breitbart partnership under fire in wake of new Stephen Miller emails Tuesday 2:00 PM
- John Krasinski under fire after praising the CIA Tuesday 1:46 PM
- Conservatives melt down after Chick-fil-A says it will stop donating to anti-LGBTQ orgs Tuesday 1:33 PM
- ‘Honey Boy’ is an experimental look at channeling trauma Tuesday 1:28 PM
- Disney+ now allows users to resume and restart content Tuesday 11:42 AM
The rise in value and popularity of cryptocurrencies continues to draw the attention of cybercriminals old and new who want to make a quick buck off unsuspecting users and organizations. In its latest findings, X-Force, IBM’s cybersecurity and threat analysis unit, found that TrickBot, a dangerous Trojan malware that was previously focused on banks and credit providers, has now found a new target: cryptocurrency exchanges.
In its study of the malware’s code, the X-Force researchers discovered that TrickBot is using sophisticated tricks (hence the name) to steal sensitive account information from infected users and direct cryptocurrency purchases to the Bitcoin addresses of its owners in ways that are hard to detect.
How does it work?
TrickBot needs to be installed on a target computer before it can steal cryptocurrencies. This can happen if a user visits a malicious website or falls victim to a phishing scam. Once installed, the malware alters the functionality of the infected computer’s browser to intercept and manipulate the content sent to and received from cryptocurrency exchange websites, a technique known as a man-in-the-browser (MitB) attack.
MitB is a favored attack of banking Trojans and is especially dangerous because it can get past the encrypted communications and security measures that most online financial services use.
According to the X-Force report, TrickBot sits in the infected computer’s browser and waits for the user to attempt to visit one of the targeted cryptocurrency exchanges before activating. The targets are amateur and professional investors who buy cryptocurrency from exchanges such as the American-based site called Coinbase and the Luxembourg-based Blockchain.
As victims enter their credentials into the website of the Bitcoin exchange, TrickBot sends a copy of the information to the servers of the hacking group controlling it. “This is probably done to allow a future account takeover attack which will enable the fraudsters to perform a purchase/coin transfer from a machine they control, using the legitimate user’s wallet credentials and payment card details,” the report states.
The real “trick” that TrickBot performs is stealing bitcoins.
When users want to purchase bitcoins from targeted exchanges, they enter their requested amount and wallet address. They are then redirected to the payment gateway of their bank or credit provider, where they submit their billing information and complete the purchase.
According to X-Force’s findings, TrickBot intercepts the communication channel to change a single parameter: the destination address to which the bitcoins will be sent.
When the user completes the purchase, the funds are redirected to the address of TrickBot’s owners instead of the purchaser. “The victim will be charged by credit card and believe the deal was successful, expecting to see the new coins in their wallet. The Bitcoin will never reach the designated wallet but will instead be delivered to one of TrickBot’s operators’ wallets,” the report states.
What can you do to protect yourself?
TrickBot isn’t the first malware to swap Bitcoin addresses. CryptoShuffler, another Bitcoin-stealing malware discovered last year, altered Bitcoin addresses that were copied to the infected computer’s clipboard. When the user pasted the copied address into their wallet applications, the payment would be sent to the address of the malware’s owner.
However, a wary user could easily detect CryptoShuffler’s trick by using QR scanners or verifying the Bitcoin address with the original source before confirming payments. Such methods will not work with TrickBot because it performs everything under the hood while displaying the correct indicators to the user. IBM’s researchers were only able to detect the scam through packet-sniffing tools like Wireshark and reverse-engineering the malware’s code.
“As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see a many more campaigns targeting the various platforms and service providers in the cryptocurrency sector,” X-Force’s report says.
Users’ best defense against TrickBot is to stick to the basic principles of cybersecurity, which include the following:
- Install browser and software security updates as soon as possible
- Install an antivirus and keep it up to date at all times
- Enable two-factor authentication on your cryptocurrency accounts. This will prevent hackers from gaining access to your account in case they manage to steal your credentials.
You can also read Daily Dot’s guidelines on protecting your bitcoins against theft and malware.
Ben Dickson is a software engineer and founder of TechTalks. His work has been published by TechCrunch, VentureBeat, the Next Web, PC Magazine, Huffington Post, and Motherboard, among others.