The emergence of cryptocurrencies has drawn the attention of computer users, and it continues to draw the attention of cyber crooks looking to make money. Unsuspecting victims, from ordinary users to organizations, are not safe from this threat and are at risk of being ripped off. X-Force, IBM’s cyber security threat research and analysis unit, discovered that TrickBot, a dangerous Trojan that used to focus on banks and credit providers, has shifted its efforts to stealing cryptocurrencies.
It has been dubbed TrickBot because it uses sophisticated tricks to steal sensitive account information from infected users and to redirect cryptocurrency purchases to a bitcoin address the operators control, one entirely different from the owner’s, in a way that is almost undetectable.
For this to work, the Trojan must first be installed on the target computer before it can get to work stealing cryptocurrency. This normally happens when a user opens a malicious website or a phishing email. The Trojan then installs itself and alters the browser’s behaviour so that it can manipulate the content exchanged between the computer and the cryptocurrency website. In the computing world, this is called a man-in-the-browser (MitB) attack.
It is one of the favourite attack methods of banking and cryptocurrency Trojans, since it gets past the encrypted communication and security measures implemented by online financial service providers: because the malware operates inside the browser, it sees and changes the data before the browser encrypts it.
According to X-Force, TrickBot waits patiently in the browser until the user visits one of the targeted cryptocurrency exchanges before it activates itself. Its primary targets are investors who buy cryptocurrencies from exchanges such as Coinbase and Blockchain.
When a victim enters their login credentials for the targeted exchange, TrickBot sends a copy to the hacking group controlling it. “This is probably done to allow a future account takeover attack which will enable the fraudsters to perform a purchase/coin transfer from a machine they control, using the legitimate user’s wallet credentials and payment card details,” the report states.
According to X-Force, when users want to purchase bitcoins from targeted exchanges, they enter their requested amount and wallet address. They are then redirected to the payment gateway of their bank or credit provider, where they submit their billing information and complete the purchase. TrickBot intercepts the communication channel to change a single parameter: the destination address to which the bitcoins will be sent.
Once the user completes the purchase, the funds are redirected to an address belonging to the TrickBot operators. The owner has no clue that this has happened: they are notified of the purchase and charged on their credit card, so they assume it was successful, yet the new coins never arrive in their wallet. The funds never reach the owner’s destination wallet; instead they are delivered to the TrickBot operators’ bitcoin wallets.
This is not the first malware to swap bitcoin addresses in coin transfers. Last year, another bitcoin malware was discovered, dubbed CryptoShuffler.
However, a suspicious user could easily detect CryptoShuffler’s trick by using a QR scanner or by verifying the bitcoin address against the original source before confirming payment. Such methods do not work against TrickBot, because it does everything under the hood while displaying the correct indicators to the user. IBM’s researchers were only able to detect the scam with packet-sniffing tools like Wireshark and by reverse-engineering the malware’s code.
With the rising popularity of cryptocurrency, expect more Trojan and malware campaigns to target other cryptocurrency platforms, e.g. Ethereum, Monero, Zcash, Bitcoin Cash, Dash, Ripple and the like.
Make sure to protect yourself: install browser and security updates, keep your antivirus up to date and run regular scans, and enable two-factor authentication on your cryptocurrency accounts, since it will prevent hackers from gaining access to your account even if they manage to steal your credentials.
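The reason packet sniffing works where on-screen checks fail is that the browser shows the address the user typed while the wire carries the substituted one. The following is an added example, not code from the article or from IBM X-Force, of the comparison an analyst would script over a Wireshark capture: decode the captured purchase request and diff every user-entered field against what the user intended. The request body, field names and wallet addresses are constructed placeholders, not the exchange's real form or valid bitcoin addresses.

```python
from urllib.parse import parse_qsl

# Constructed sample: the values the user actually typed into the purchase form.
# The address is a labelled placeholder, not a real or valid bitcoin address.
INTENDED_ORDER = {
    "amount": "0.05",
    "currency": "BTC",
    "wallet_address": "PLACEHOLDER_USER_WALLET_ADDRESS",
}

# Constructed sample: the same request as captured on the wire. Only the
# destination address differs from what the user entered, which is exactly
# the single-parameter swap described in the article.
CAPTURED_TAMPERED_BODY = (
    "amount=0.05&currency=BTC"
    "&wallet_address=PLACEHOLDER_OPERATOR_WALLET_ADDRESS"
    "&csrf_token=constructed123"
)

# Constructed sample: a clean capture for comparison.
CAPTURED_CLEAN_BODY = (
    "amount=0.05&currency=BTC"
    "&wallet_address=PLACEHOLDER_USER_WALLET_ADDRESS"
    "&csrf_token=constructed123"
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded request body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def find_swapped_fields(intended: dict, observed: dict) -> dict:
    """Return {field: (intended_value, wire_value)} for every field the user
    filled in whose on-the-wire value differs. Fields the user never entered
    (CSRF tokens, session ids) are ignored: they are expected to be added by
    the page and say nothing about tampering."""
    mismatches = {}
    for field, expected in intended.items():
        actual = observed.get(field)
        if actual != expected:
            mismatches[field] = (expected, actual)
    return mismatches


def audit_capture(intended: dict, bodies: list) -> list:
    """Audit a list of captured request bodies; return one finding string per
    swapped field, tagged with the index of the offending request."""
    findings = []
    for index, body in enumerate(bodies):
        for field, (expected, actual) in find_swapped_fields(
            intended, parse_form_body(body)
        ).items():
            findings.append(
                f"request {index}: field '{field}' sent as {actual!r}, "
                f"user entered {expected!r}"
            )
    return findings


if __name__ == "__main__":
    for line in audit_capture(INTENDED_ORDER,
                              [CAPTURED_CLEAN_BODY, CAPTURED_TAMPERED_BODY]):
        print(line)
```

In practice the captured body comes from exporting the decrypted HTTP stream from Wireshark (or a proxy that terminates TLS on the analysis machine), and the intended values come from the user or from a screenshot of the form; the check flags only fields the user entered, so routine hidden fields such as CSRF tokens do not produce noise.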