700,000 StatCounter Websites Were Hacked to Steal Cryptocurrency

pwstudio/123RF

Popular web analytics platform Statcounter experienced a breach on November 3, according to research from malware researcher Matthieu Faou. Up to 700,000 web pages were targeted in the hack which primarily aimed to steal cryptocurrency through a malicious script.

Per the report, through the script was loaded on many websites, there is nothing much to fear. The malicious Statcounter script behind the attack primarily targeted the cryptocurrency exchange Gate.io to generate Bitcoin addresses. Only if the URL or content in a given webpage contained references to “myaccount/withdraw/BTC” would the malicious script activate and then silently connect to the exchange to fill the hackers’ pockets with money.

“Attackers modified the script at www.statcounter[.]com/counter/counter.js by adding a piece of malicious code. … In the middle of the script. This is unusual, as attackers generally add malicious code at the beginning, or at the end, of a legitimate file. Code injected into the middle of an existing script is typically harder to detect via casual observation,” explains Faou.

The breach was pretty clever and is still live, as all websites running Statcounter need to add a specific code to a website in order to grab more information about users. Hackers clearly leveraged that to their advantage even though the Gate.io service used in the script now claims it doesn’t use Statcounter anymore.

It is still unknown how many end users were truly impacted by this attack, or how much money hackers made. Statcounter has yet to issue a public response, but Gate.io issued a lengthy statement on its website.

“On Nov. 6, 2018, we got the notice from ESET researcher’s report and the “ESET Internet Security” product that there’s a suspicious behavior in Statcounter’s traffic stats service. We immediately scanned it on Virustotal in 56 antivirus products. No one reported any suspicious behavior at that time. …  However, we still immediately removed the Statcounter’s service. After that, we didn’t find any other suspicious behaviors. We want to express our great appreciation and respect to the researcher from ESET Malware Researcher,” said Gate.io.

Cryptocurrency hacks are becoming more common as Bitcoin and Ethereum pick up value. The hack also raises concerns about the nature of external Javascript, since it can easily be modified. Similar cryptocurrency focused hacks have occurred in the past, particularly with Adobe Flash installers.

Leave a Reply

Your email address will not be published. Required fields are marked *