Pony malware targeting passwords and Bitcoins uncovered

Correction: The original version of this story said there were attacks on 73,000 different websites. The correct number is 93,000. We regret the error.

Security researchers have uncovered a new type of malware targeting not just usernames and passwords, but also digital wallets – potentially stealing $220,000 worth of users’ Bitcoins, Litecoins, Feathercoins, and 27 other types of digital currency.

In mid-January, researchers at security solutions provider Trustwave Holdings Inc. began unravelling an attack campaign that used a new variant of a type of malware called Pony, which infected between 100,000 and 200,000 computers.

The attackers who launched the Pony campaigns managed to gain access to 700,000 user credentials and 85 digital wallets by levelling attacks on 93,000 different websites, some as prominent as Google and Twitter.

All in all, the attackers retrieved 600,000 website login credentials, 100,000 email account credentials, 16,000 FTP account credentials, 900 Secure Shell account credentials, and 800 Remote Desktop account credentials.

While Pony infects users’ computers in much the same way other kinds of malware do – through phishing schemes, exploiting vulnerabilities, spam, and so on – what’s novel about this variant of Pony is that it goes after both user credentials and digital wallets. That indicates cybercriminals are finding new ways to put their hacking skills to use, says Ziv Mador, director of research at Trustwave.

“It definitely shows that they realize that with their malware, they can gain more out of it. They are now after virtual currencies, because cybercriminals are primarily financially motivated. They want to make money,” he says. He adds that as digital wallets become more popular, criminals are going to increasingly target them as an easy source of ill-gotten income.

Plus, the danger for digital wallet holders is that once a digital currency transaction is complete, it’s irreversible – and nobody will reimburse them for the theft, Mador says.

In a blog post, Trustwave researchers Anat Davidi and Daniel Chechik compared the difficulties of stealing from a bank, versus stealing Bitcoins or other virtual currencies.

“Stealing money from bank accounts these days has become increasingly frustrating for cybercriminals. First, a cybercriminal must overcome multiple security controls, which takes time. Later, in order to maintain their distance from the crime and hide their identity, they need to hire someone else (referred to as a money mule) to transfer the stolen money to their account,” they wrote.

“Stealing BitCoins is much simpler than that. The criminal only needs to send the coins to an account on one of the trading websites, exchange the coins for USD or any other currency they desire and then transfer it to their bank account.”

In tracking down this variant of Pony, Trustwave researchers monitored several servers known for cybercriminal activity. They noticed some of the servers were mounting large-scale attacks, and they got access to the server logs – many of which showed a huge number of passwords and digital wallet transactions, Mador says.

This isn’t the first time security researchers have spotted Pony in the wild. In June 2013, Trustwave employees published a blog post about seeing Pony in action, and in December 2013, they noted it was responsible for the theft of nearly two million usernames and passwords for sites including Facebook, Google, LinkedIn, and Yahoo.

While Mador wouldn’t reveal the identities of the attackers behind this particular campaign, saying Trustwave “was supporting legal enforcement,” he says the Pony attacks are completely unrelated to the attack on Mt. Gox, one of the biggest Bitcoin exchanges, earlier this week.

People who suspect they may have been a victim of password or digital wallet theft can go to Trustwave’s website to check if their credentials have been stolen, or to see if their wallets have been compromised.

For people storing Bitcoin and other alternative currencies, Mador says he has a simple piece of advice – encrypt your wallets.

“If [users] turn on encryption for digital wallets, even if it gets stolen, the cybercriminals wouldn’t be able to use it,” he says, adding most digital wallet clients come with an option to encrypt the contents.

“I don’t think there’s a good reason [not to]. Possibly people aren’t paying enough attention to this option. Also, client applications – it would be good if they made it a default setting. People probably aren’t aware enough of the option and the risk.”

He also recommends that people minimize their risks of getting their computers infected, simply by avoiding clicking suspicious links or opening strange attachments.


Candice So
Candice is a graduate of Carleton University and has worked in several newsrooms as a freelance reporter and intern, including the Edmonton Journal, the Ottawa Citizen, the Globe and Mail, and the Windsor Star. Candice is a dog lover and a coffee drinker.
