How Cybercriminals Are Exploiting the Cryptocurrency Boom

Author: Dan Kaplan, online content manager, Trustwave
Author: Dan Kaplan, online content manager, Trustwave

If something involves big money, widespread adoption and insatiable curiosity -- a.k.a., if it's become fodder at the dinner table -- you can bet organized cybercriminals are never far off. Their latest darling, cryptocurrency, fits those specifications, and they are attempting to get their hands on as much of it as they can, any way they can, without reaching into their own pockets to pay for any.

Malicious hackers have long sought digital coins in their attacks because they are anonymous and often untraceable. But these currencies are currently riding a wave of mass public appeal, especially since Bitcoin soared in value by more than 1,300 percent in 2017 (the price has since receded from those highs), attracting enormous numbers of new investors. In response, cybercrooks have been fine-tuning their exploits and machinations to commit more crypto-related crimes.

What exactly are they doing? We ripped a few examples from the headlines, so your business can work to stay ahead of those trying to cash in on the crypto craze.

1. Malicious Cryptomining

Two primary ways exist to acquire digital currency: by buying it or by mining it. Cybercriminals, of course, prefer the latter option. Mining, however, is complex and requires computational power, which can be best be achieved by leveraging browser and machine CPUs to harvest cryptocurrencies, such as Bitcoin and Monero.

Cybercriminals can abuse mining with the help of advanced techniques and vulnerabilities that enable them to insert malicious, difficult-to-detect mining malware onto unwitting users' PCs, mobile devices and Internet of Things devices, or directly into compromised web pages. This racket, according to one study, is impacting roughly a quarter of businesses, amassing massive botnets and netting millions in profits for some organized crime groups, rivaling the success of ransomware.

Cryptomining can also be done under the guise of legitimacy, when website owners deploy mining software, such as Coinhive, as an alternative to advertisements (which users may already have blocked). However, rarely do websites request consent or offer the choice to opt-out of crypto-mining programs. (When cryptomining is done without this authorization, it is commonly known as "cryptojacking)."

While crypto-mining malware must be installed, scripts like Coinhive just need to be added to the website code. However, mining scripts have a notable drawback. They run only if the browser is open and stays on that affected website. As soon as the user closes the browser or navigates away from that site, the script will not run anymore. That's why these scripts work the best in sites where users usually spend a long time, such as pirate streaming sites.

To defend against malicious cryptomining, your business should follow the typical best practices - which we expound upon at the end of this post - for preventing, detecting and responding to threats. More specifically, you should consider ad blockers and browser extensions that specifically block crypto-mining scripts. The Trustwave Secure Web Gateway also contains detection logic to block miners.

2. Breaches

And then there is the holy grail for a malicious hacker: compromising the source that houses all of the money. Up until now, that meant going after the banks themselves, but in the age of crypto, it means attackers setting their sights on digital wallet providers,  crypto-mining marketplaces and cryptocurrency exchanges to steal breathtaking sums.

These operations make sense, especially the ones targeting the exchanges, which are online sites that allow you to trade between various cryptocurrencies or fiat money. Instead of going after individual users, cybercriminals are going after where users store their funds, allowing miscreants access to the whole shebang.

Experts have generally assigned blame for these incidents on vulnerable web servers and a general rush to make these platforms capable of trading coins quickly, before all security risks have been considered and resolved.

In addition, because of their popularity and reliance on uptime, these services have become a prolific target for DDoS attacks.

Users, meanwhile, must ensure they protect their own wallets. One type of malware making the rounds attempts to siphon cryptocurrency during transactions by using a novel method of theft. It arrives via a phony email related to a lost passport and attempts to install malware that alters and steals the content of a user's Windows Clipboard, in an attempt to trick victims into sending funds to the attacker's digital wallet. We'll discuss phishing threats in more detail below.

3. SEO Poisoning

The tactic of "poisoning" search results, also known as black-hat search engine (SEO) optimization, was particularly in vogue to start the decade, with some researchers hailing it as "the new spam." While companies like Google improved capabilities to index clean results and filter out the duplicitous, this cybercriminal method, which involves using SEO tactics to force malicious sites to appear as trustworthy links at or near the top of search results, is still a prominent way to trick well-intentioned web surfers into downloading malware - or in the recent case of users of a popular bitcoin wallet service, divulge their credentials by mistakenly clicking on a data-stealing website.

4. Phishing

Of course, attacks that capitalize on the notoriety of cryptocurrencies is another effective way to acquire the proverbial keys to the crypto castles or commit some other malevolent activity. These crypto-themed phishing schemes often work by jacking the name of a well-known and trusted company involved in the space to dupe users into taking some action. Just last week, a rumored hack against a major crypto exchange turned out to be a wide-scale phishing campaign against its users. And in another recent scenario, Bitcoin traders were targeted in sophisticated spear-phishing ploys.

5. Malvertisements

Malicious advertisements are another lucrative way to infect users' computers. Saboteurs typically spread malicious ads across the advertising ecosystem by professing to be a legitimate advertiser - and then later sneaking malicious code into the ads and past the security filters of the ad network without anyone noticing before they are published on reputable websites. Related to cryptocurrencies, security researchers have uncovered scams directing users via drive-by attacks to exploit kits that install crypto-miners. In another instance, "decoy," cryptocurrency-themed websites were used in a criminal campaign.

6. Mobile Applications

Cybercriminals are also invading the mobile world to capitalize on crypto mania. Their pernicious activities range from seeding apps with crypto-mining code to creating bogus wallet apps that live in the Google Play Store. Meanwhile, according to one study, most legitimate cryptocurrency applications contain vulnerabilities, which could allow thieves to intercept data or impact privacy.

How Should You Address These Threats?

As documented above, the crypto boom has genuine business implications, but the way you should address it is not much different than how you handle any threat. Here are a few suggestions:

Assess Your Risk: The foundation of your security, risk assessments help identify key IT security deficiencies that put your business at risk and translate your assessed IT risks into business saving decisions.

Test for and Patch Vulnerabilities: A combination of vulnerability scanning and deep-dive penetration testing - including of mobile devices - combined with diligent patching helps reveal and fix your company's flaws and alerts you to the consequences of exploitation.

Hunt for and Detect Threats: While protection-focused technologies such as anti-malware, email security and intrusion prevention are an important part of a defense-in-depth approach, industries are struggling to detect highly sophisticated and targeted threats, and when they do, it's often months or even years after a cybersecurity incident before they finally flag that something is wrong. You should leverage behavioral analytics and proprietary threat intelligence to proactively identify threats and unauthorized access, and isolate malicious behavior.

Build Security Awareness - or Better Yet, Security Culture: Training can never be 100 percent effective, but there is real value associated with preparing employees to recognize things like dodgy emails and the importance of choosing complex passwords. Want to take awareness to the next level? Instill security into the fabric of your organization, and it will become ingrained into everything you do.

Respond to Incidents: If your organization does fall victim to an attack, you must have an incident response team available (either in-house or via a partner) who can address the issue by determining the scope of what happened, containing and eradicating the infection, and helping to recover.

Dan Kaplan is manager of online content at Trustwave, and a former IT security reporter and editor. Read more Trustwave blogs here.