Statcounter is one of the oldest third-party user tracking services on the web, having existed since 1999. Beginning as a simple statistics and visitor counting service, Statcounter over time grew into what it is today: a full-fledged, enterprise-quality analytics service.
Faou works for ESET, a security firm on the order of MalwareBytes or Norton, which provides consumer and enterprise security products and necessarily conducts research and penetration tests. He says the compromise was designed to replace bitcoin withdrawal addresses on the Gate.io platform with addresses belonging to the attacker.
The attack was more sophisticated than some previous attacks of the same nature, such as malicious malvertising based attacks which installed themselves and did the same thing across websites, living in the browser rather than a piece of code on a single site. More sophisticated because the attackers generated a new address for each attack, making it extremely difficult to track the destination of the stolen funds.
It’s thus difficult to determine exactly how many users were affected. It’s also unknown how the breach went down in the first place via Statcounter.
The malicious code specifically targeted a relevant sector of the Gate.io code – namely, its withdrawal interface – and to Faou’s knowledge, the part of the script dedicated to stealing funds would not have worked on any other site because other sites are designed differently.
In response to the attack, Gate.io has removed the Statcounter script from their site.
According to a blog post by Gate.io, nothing actually happened as a result of the attack. This can only mean a couple things.
One, the script was poorly written and failed to actually do its job.
“On Nov. 6, 2018, we got the notice from ESET researcher’s report and the “ESET Internet Security” product that there’s a suspicious behavior in Statcounter’s traffic stats service. We immediately scanned it on Virustotal in 56 antivirus products. No one reported any suspicious behavior at that time [ …] However, we still immediately removed the Statcounter’s service. After that, we didn’t find any other suspicious behaviors. The users’ funds are safe. To have the maximum security, please make sure you have two-factor authentication (Google OTP or SMS) and two-step login protected.”
If it is indeed the case that no user transactions were compromised, then this was a narrow miss. All the same, the fact that the attackers went to the trouble of compromising a stalwart piece of web software in order to get at one single exchange demonstrates the need for constant awareness in cryptocurrency dealings. Do you trust the tools you’re using?
Featured Image from Shutterstock
Last modified: May 20, 2020 2:27 PM UTC