A new report from Kaspersky Lab has found developers continue to target users with malware geared toward illicitly generating or stealing bitcoin, though rates have fallen over the past year.
A cryptocurrency malware developer has settled with the US Federal Trade Commission (FTC) and the New Jersey Attorney General’s Office.
Developer Ryan Ramminger and Equiliv Investments were named in the settlement in connection with the development and distribution of a mobile app called Prized that contained hidden mining software.
Prized was initially marketed as a consumer rewards app. After security researchers discovered the app was designed to mine cryptocurrency in March, it was soon dropped from popular app venues like Google Play.
According to the FTC, the malware contained in the Prized app was used to mine a variety of digital currencies, including litecoin, dogecoin and quarkcoin.
The defendants, Ryan Ramminger and Equiliv Investments, are now required to pay $5,200 of a $50,000 settlement, with the remaining amount suspended per the agreement with federal and state law enforcement officials. Neither Ramminger or Equiliv confirmed or denied the charges.
Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement:
“Hijacking consumers’ mobile devices with malware to mine virtual currency isn’t just deplorable; it’s also illegal. These scammers are now prohibited from trying such a scheme again.”
The defendants are barred from knowingly distributing malware in the future, and face decades of reporting requirements.
Mining malware focused on mobile devices has appeared in various forms, many of which are distributed innocuously as mobile apps or downloadable game files. In some cases, users aren’t aware that their systems are being actively used to mine, with evidence appearing only in the form of poor battery life or an unusually high data usage rate.
The full court settlement can be found below:
Peer-to-peer bitcoin marketplace LocalBitcoins suffered a hack this week that resulted in the distribution of malware and a loss of customer funds.
Affected users will be granted refunds after taking steps to address security vulnerabilities, according to the company.
LocalBitcoins vice president Nikolaus Kangas acknowledged the hack on 27th January in a forum post, outlining how the intrusion took place through its LiveChat account, with an estimated 17 BTC lost from customer wallets.
The bitcoin marketplace has experienced security-related problems before, including an incident last year when a hacker gained access to its servers for a brief period of time, though according to LocalBitcoins no customer data was lost. Customers have also reported running afoul of fraudulent users in the past.
Kangas told CoinDesk that he believed the hackers used an unknown kind of malware that was able to bypass existing security measures, and took personal responsibility for the LiveChat intrusion.
“The attacker used that LiveChat access to spread some kind of Windows executable, which probably was some new kind of keylogger software which is not yet detected by virus protection mechanisms. If the user got that executable installed, with some social engineering, the attacker managed to get access to different accounts of those victims.”
Customer postings on LocalBitcoins suggest that at least one user reportedly lost funds through other bitcoin-related accounts, but that user later reported that discussions with the company were underway on a possible solution.
According to the company, three users were identified as having lost funds during the hack. Reports indicate that a lack of two-factor authentication may have been to blame for the fraudulent withdrawals, and LocalBitcoins advised customers to ensure that they are using such security measures to protect their accounts.
Kangas said that thanks to the combined efforts of LocalBitcoins employees and users of the site, information about the LiveChat compromise was disseminated relatively quickly, noting:
“Due to fast actions by the Localbitcoins support staff and Localbitcoins.com community, the impact of the attack remained limited. The amount of users affected was fairly low due to general awareness of the users.”
Kangas added that the company is looking at how they can improve their internal security protocols to avoid similar incidents in the future, and suggested that the incident was illustrative of the costs and challenges of participating in a digital economy.
“This is not only a challenge to bitcoin users, but to all Internet services and users in general, about how to make those attacks equally expensive for those attackers,” he said.
Security firms McAfee Labs and Symantec have issued warnings that a type of bitcoin-demanding ransomware, CTB-Locker, is now being propagated through spam campaigns.
The malware, the name of which stands for ‘Curve Tor Bitcoin Locker’, was first identified last year. However, the spam distribution approach appears to be a relatively new development.
McAfee published its latest advisory last week, describing CTB-Locker as a form of ransomware that encrypts files on the target computer. Anecdotal evidence suggests .jpg image files are a frequent target. The victim then has to pay a ransom to have the files decrypted.
The pop-up allows the user to see the list of encrypted files, along with information on how to make a payment and get the decryption code.
McAfee detects CTB-Locker under three different names: BackDoor-FCKQ, Downloader-FAMV and Injector-FMZ. Symantec identifies the final payload as Trojan.Cryptolocker.E.
The malware is being propagated via spam campaigns, as a .zip archive stored within another .zip file. The zipped file contains the downloader for CTB-Locker.
So far, researchers have uncovered the following names used to store the downloader:
Aside from standard sound security practices (e.g. not opening .zip files from untrusted sources), McAfee has published a number of recommendations to mitigate the threat using McAfee products.
The Symantec blog also offers useful information on CTB-Locker for users of Symantec security products.
Should victims be unwilling or unable to pay the ransom, there is virtually no way of recovering the encrypted files. The best way of reducing the impact of a potential crypto ransomware attack is to backup valuable files on a regular basis.
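The delivery mechanism described above, a .zip archive carrying another .zip that holds the downloader, is something a mail gateway or triage script can check for without running anything. The following is an added example, not code from McAfee, Symantec or the article: it walks a zip attachment recursively, descends into inner archives, and flags members that look executable by extension or by the `MZ` header that Windows executables start with. The sample attachment is constructed in memory (a fake two-byte `MZ` stub, not a real program) so the script runs offline.

```python
"""Flag executables hidden inside nested zip attachments (added example)."""
import io
import zipfile

# Extensions Windows will execute on double-click; double extensions such as
# "invoice.pdf.exe" still end with one of these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 3            # give up (and flag) on archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members into memory


def _looks_like_pe(data: bytes) -> bool:
    """Windows executables (PE files) begin with the DOS header magic 'MZ'."""
    return data[:2] == b"MZ"


def find_executables(zip_bytes: bytes, depth: int = 0, path: str = "") -> list:
    """Return paths like 'outer-member.zip/inner-member.exe' for suspicious members."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append(f"{path} (archive nested deeper than {MAX_DEPTH} levels)")
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                findings.append(f"{member_path} (encrypted member, not inspectable)")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member_path} (member too large to inspect)")
                continue
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                # Inner archive: descend one level and keep the full member path.
                findings.extend(find_executables(data, depth + 1, member_path))
            elif _looks_like_pe(data) or any(
                info.filename.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS
            ):
                findings.append(member_path)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: outer zip -> documents.zip -> invoice.pdf.exe (fake MZ stub)."""
    fake_pe_stub = b"MZ" + b"\x00" * 62  # header magic only; not an executable
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", fake_pe_stub)
        z.writestr("readme.txt", "harmless text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documents.zip", inner.getvalue())
        z.writestr("cover_letter.txt", "also harmless")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_executables(build_sample_attachment()):
        print("suspicious:", hit)
```

Checking the `MZ` magic as well as the extension matters because the extension is trivially renamed; the depth and size limits keep a hostile archive from exhausting the scanner's memory, which is the usual failure mode of naive recursive unpacking.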
98.55% of victims targeted by TorrentLocker do not pay the virus’ bitcoin ransom, according to a new report.
TorrentLocker (aka Win32/Filecoder.DI) is a strain of bitcoin ransomware that works by encrypting users’ files. Victims are requested to pay up to 4 BTC to decrypt their documents, though this figure can vary.
“In other words 1.44% of all infected users we have identified have paid the ransom to the cybercriminals,” Léveillé writes, adding: “There are also 20 pages showing that bitcoins were sent but access to the decryption software wasn’t given because the full amount wasn’t paid.”
Spam campaigns designed to distribute TorrentLocker malware were targeted at specific countries, including Austria, France, Germany, Italy and the UK, the report found.
Turkey and Australia were particularly hard hit by the malware campaign.
According to data from C&C servers, more than 284 million documents have been encrypted by the ransomware so far.
While very few victims chose to pay the ransom, the distributors of TorrentLocker, who are also suspected of being behind the Hesperbot banking trojan, have made a substantial amount of money – between $292,700 and $585,401.
The report notes that ESET identified the first traces of TorrentLocker in February 2014. However, its developers reacted to online reports and changed the way the malware uses AES encryption after a method of decrypting the key was found.
In June 2014, international authorities managed to cripple the CryptoLocker onslaught by disabling GOZeuS, the peer-to-peer network used to control the botnet. By the time this blow was struck, CryptoLocker was blamed for causing $27m in damages.
Although TorrentLocker has had limited reach compared to CryptoLocker, in late November the virus was infecting computers at a rate of 691.5 per day. The average TorrentLocker ransom stands at 1.334 BTC with a rebate, or 2.668 BTC afterwards. The exact figure collected by the attackers remains unclear.
Léveillé’s report explains why further analysis is difficult:
“It is hard to say who paid the full amount as opposed to the rebated (half price) amount. Because of this, we decided to use a range to quantify the profit made by the criminals. The total amount of bitcoins ranges between 760.38 BTC and 1,520.76 BTC. With the value of the bitcoin on November 29th 2014 (1 BTC valued at $384.94), it means that they swindled victims out of an amount between $292,700 and $585,401.”
While questions remain about how to stop the operators behind botnets like TorrentLocker, Léveillé suggests one way to remedy infections in the meantime: an offline backup.
A county sheriff’s office in Tennessee paid a $500 ransom in bitcoin after it became the victim of a cyberattack this week.
Cryptowall is a Trojan horse program that, once inside a computer, encrypts its contents and triggers demands for a payment in bitcoin. The firm’s estimates suggest that after being discovered earlier this year, as many as 1,000 computers have been infected.
Detective and sheriff’s office IT director Jeff McCliss told WTVF-TV that a data cache containing sensitive documents, photographs and criminal reports was impacted. Overall, more than 70,000 files were temporarily inaccessible due to the malware infection.
“Every sort of document that you could develop in an investigation was in that folder. There was a total of 72,000 files,” he said.
Subsequent investigation involving the Tennessee Bureau of Investigation, Federal Bureau of Investigation (FBI) and the US military reportedly produced no solutions. Ultimately, the sheriff’s office was forced to pay the ransom in order to regain access to the files.
According to investigators, issues started last month when an employee at the sheriff’s office inadvertently downloaded the malware by clicking on an online ad. McCliss told the Nashville-based news program that the office was not actively targeted.
After consulting both state and federal-level investigators – with some help from the military – McCliss concluded that the best course of action would be to pay the ransom. Otherwise, he told WTVF-TV, the sheriff’s office risked losing valuable ground on a number of cases, as well as access to needed information.
“Is it better to take a stand and lose all that information? Or make the payment, grit your teeth and just do it? It made me sick to have to do that.”
McCliss said that he still has many questions surrounding the malware infection, and that as a result, the choice to pay the ransom wasn’t the easiest decision he has had to make.
“It’s a very bad feeling,” he said.
Cryptowall has gained notoriety in recent months for its strong encryption method and global reach.
Earlier this week, Hawaii-based news source KHON 2 reported that the CryptoLocker derivative had infected some computers located in Honolulu. At the time, local law enforcement officials urged both residents and business owners to both back up their files and maintain robust anti-malware measures.
According to the study, advertisements on websites like Yahoo! and AOL, as well as a number of other online publications were used as unwitting delivery vehicles for Cryptowall. The practice, known as “malvertising”, has contributed to the success of the malware and led to the Tennessee malware infection.
The offices of Italian municipal councils have had their computer files encrypted by a ‘ransomware’ virus that is demanding payment in bitcoin.
According to Corriere della Sera, one of the country’s top newspapers, dozens of regional office workers are unable to pay bills, issue certificates or access server documents until they pay the digital ransom.
The attackers’ fee is currently set at €400 worth of bitcoin, though this amount is said to double after three days.
After launching from a location in St Petersburg, Russia last Wednesday, the virus spread rapidly via phishing emails through the councils’ computer networks. While some machines have been updated with antivirus software that blocks it successfully, many are still at risk.
Once the malware gains access to a victim’s machine it sends what appears to be an ordinary .pdf file named with a long string of characters to all contacts in their email address book.
On closer examination the file is actually a malicious .exe program. When opened by an unsuspecting co-worker, this program encrypts all .pdf files, photos and Microsoft Office documents on their machine and server, rendering them useless.
After this block is activated, a ‘hoax antivirus’ invites users to purchase decoding software, providing the step-by-step instructions necessary to complete the procedure.
The hackers behind the attack have even included ‘customer support’ contact details for those unfamiliar with how to use bitcoin.
“After we paid they also had the audacity to invite us to contact them in case we have other problems,” Maria Grazia Mazzolari, a town clerk in Bussoleno, Turin, told the Corriere della Sera.
So far, the stunt appears to be lucrative. Di.Fo.B, an Italian consultancy dealing with cyber crime, says the bitcoin addresses listed by the attackers have received around $100,000 from victims in the last six days alone.
In addition, Di.Fo.B expects this figure to rise as public offices still unaware of the virus are targeted.
Although ransomware has been around in various forms since the 1990s, there has been a rise in the number of viruses demanding payment in bitcoin.
In November last year – one month before bitcoin’s all-time high – the UK’s National Cyber Crime Unit issued an alert about Cryptolocker, an aggressive breed of ransomware contained in zip files carried by email.
The virus targeted small- to medium-sized businesses, and the crime agency said many millions of email accounts were at risk.
After witnessing an influx of UK buyers wishing to secure enough bitcoin to pay the Cryptolocker ransom, trading site BitBargain made a bold decision to block all new users for fear of being involved in money laundering activity.
Although many Cryptolocker victims reported that their files were not returned after payment, an activity the National Cyber Crime Unit does not endorse, some council workers have reported success after paying the attackers’ fee.
This article was co-authored by Alex Canciani
Security firm Kaspersky Lab has found that bitcoin is the target in more than one fifth of all malware attacks aimed at victims’ money.
According to Kaspersky’s latest threat report, entitled ‘IT Threat Evolution Q2 2014’, bitcoin mining malware accounted for 14% of attacks in the second quarter of 2014, while bitcoin wallet stealers accounted for 8%.
Keyloggers, which can be used to compromise both bitcoin and banking services, also made the list, with 4% of all attacks attributed to various forms of key logging malware.
Traditional banking malware still leads the way with 74%, but considering the size of the bitcoin economy it is clear that bitcoin users and operators face a significant likelihood of being subjected to an attack.
“Fraudsters are also happy to use computing resources to generate crypto currency: bitcoin miners account for 14% of all financial attacks,” the report warns. “Criminals also use keyloggers to collect user credentials for online banking and payment systems in another bid to access bank accounts.”
In the 2013 report, bitcoin wallet stealers accounted for 20.18% of all financial malware attacks, while mining malware accounted for 8.91%, giving a combined total of 29%.
In the meantime, the number of threats has gone down, but the threat landscape has evolved – as wallet stealers fell out of favour, mining malware took their place as the predominant form of bitcoin-related malware.
Several security firms have issued reports mentioning bitcoin malware in recent months, with the number of attacks rising sharply since early 2013 in parallel with bitcoin’s massive peak in popularity.
Malware makers have been experimenting with various forms of bitcoin malware, ranging from programs designed to create elaborate mining botnets, to ransomware like CryptoLocker that uses bitcoin as a form of payment.
Even without the efforts of law enforcement and security specialists dedicated to combating financial malware, bitcoin mining malware faces an uphill struggle: basic maths and economics, rather than any concerted effort to combat its spread, have made it an essentially obsolete concept.
McAfee’s latest report found that bitcoin mining botnets are going mainstream due to the widespread availability of mining malware online, but it also said that they are obsolete and practically futile.
The simple fact is that bitcoin’s difficulty level is too high to mine bitcoin effectively on non-specialised hardware. So, although mining malware is abundant and cheap to procure, it becomes more redundant with each new bitcoin difficulty cycle.
Furthermore, enabling cryptocurrency mining functionality on a botnet can easily alarm the users of infected systems, drastically increasing botnet attrition in the process. In other words, rather than making money, botnet operators who decide to use mining malware run the risk of having their operations discovered and losing potential profits through attrition.
Security firm McAfee has issued its latest quarterly threat report, focusing on a wide range of emerging technology security risks, including mobile malware disseminated by Flappy Bird clones and dangerous rootkits.
McAfee reports seeing numerous botnets with various levels of mining functionality, but goes on to say that, even if the cost of power and hardware is taken out of the equation, mining major cryptocurrencies on infected PCs simply isn’t a worthwhile pursuit and is already effectively obsolete:
“The difficulty level of common mining algorithms and the nonspecialized hardware that the malware infects make this a futile effort.”
A further concern for these bad actors is that mining is so hardware intensive that it is relatively easy to spot by the owners of the infected PCs and results in high botnet attrition. CoinDesk examined this aspect of the issue after reports of a botnet designed specifically to target powerful gaming PCs emerged last month.
To get around the problem, malware developers have more recently integrated ‘throttling’ functionality, which keeps the CPU/GPU cool and effectively puts such attacks into stealth mode.
However, throttling comes with the disadvantage that it reduces the overall performance of the botnet, as well as the host PCs.
None of this has stopped malware developers, of course, and now, rather than operate the botnets themselves, they are selling or leasing their botnets and services to poorly informed cyber criminals.
“In essence, botnet sellers are selling snake oil when they say that buyers can profitably mine virtual currencies,” says McAfee.
The report states that mining malware is abundant and relatively cheap to hire, with prices for some services starting at just $10 a month.
“Spend some time digging around any underground security forum or marketplace and you will find a myriad of SHA-256 and scrypt miner botnets, builders, and cracked versions of commercial builders and kits, along with the usual assortment of DDoS bots, cryptors, and other nefarious services and tools […] These are just a tiny fraction of what exists,” McAfee says.
McAfee crunched some numbers and concluded that botnet operators don’t stand to earn much, especially if they are trying to mine bitcoin. Even botnets engaged in mining scrypt altcoins suffer from similar problems.
McAfee spells out the likely returns for operators thus:
“In a hypothetical example of a 10,000-device botnet, profit without mining is US$11,000.00 while profit with mining is US$11,007.61—just a US$7.61 gain. This assumes an unrealistic attrition rate of 0.25%. A realistic attrition rate of 30% would result in a loss of US$3,265 in potential profit.”
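The two arguments this page makes against mining botnets, that difficulty makes CPU mining futile and that attrition swamps any mining income, can be made concrete in a few lines. The following is an added example, not McAfee’s model or code. The expected-block formula is bitcoin’s standard one (a hash meets the target with probability 1 / (difficulty × 2³²)); the attrition model is a simple linear one, chosen because it reproduces the three figures quoted above exactly, with the gross mining income of $35.11 inferred from them rather than taken from the report. The per-device hash rate and the difficulty value are assumed, illustrative numbers; the 25 BTC block reward is the 2014 subsidy and the $384.94 bitcoin price is the one cited in the TorrentLocker article earlier on this page.

```python
"""Back-of-the-envelope economics of CPU mining botnets (added example)."""
from dataclasses import dataclass

HASHES_PER_DIFFICULTY_UNIT = 2 ** 32   # bitcoin difficulty 1 == 2^32 expected hashes per block
SECONDS_PER_DAY = 86_400

# Illustrative, assumed inputs (not from the report): a desktop CPU of the era and a
# difficulty of the same order of magnitude as late 2014.
ASSUMED_CPU_HASHRATE_HS = 10e6        # 10 MH/s per infected machine
ASSUMED_DIFFICULTY = 2.7e10
BLOCK_REWARD_BTC_2014 = 25.0          # block subsidy between the 2012 and 2016 halvings
BTC_USD_29_NOV_2014 = 384.94          # price quoted in the TorrentLocker article above


def expected_btc_per_day(hashrate_hs: float, difficulty: float, block_reward_btc: float) -> float:
    """Expected BTC mined per day: (hashes/day) / (difficulty * 2^32) blocks, times the reward."""
    expected_blocks = hashrate_hs * SECONDS_PER_DAY / (difficulty * HASHES_PER_DIFFICULTY_UNIT)
    return expected_blocks * block_reward_btc


def botnet_mining_usd_per_day(devices: int, hashrate_hs: float, difficulty: float,
                              block_reward_btc: float, btc_usd: float) -> float:
    """Gross daily mining income of a botnet, assuming every device mines continuously."""
    return expected_btc_per_day(devices * hashrate_hs, difficulty, block_reward_btc) * btc_usd


@dataclass(frozen=True)
class BotnetEconomics:
    """Linear attrition model: every victim who notices and cleans up forfeits their share
    of the botnet's other (non-mining) profit."""
    devices: int
    base_profit_usd: float        # profit from the botnet's other activities, no mining
    mining_income_usd: float      # gross mining income over the same period

    def profit_with_mining(self, attrition_rate: float) -> float:
        return self.base_profit_usd * (1 - attrition_rate) + self.mining_income_usd

    def net_gain_from_mining(self, attrition_rate: float) -> float:
        """Change in profit caused by switching mining on."""
        return self.profit_with_mining(attrition_rate) - self.base_profit_usd

    def break_even_attrition(self) -> float:
        """Attrition rate above which mining loses money."""
        return self.mining_income_usd / self.base_profit_usd


# Parameters that reproduce the quoted McAfee figures: 10,000 devices, US$11,000 without
# mining; the US$35.11 mining income is inferred from the quoted US$7.61 gain at 0.25%.
MCAFEE_EXAMPLE = BotnetEconomics(devices=10_000, base_profit_usd=11_000.0, mining_income_usd=35.11)


if __name__ == "__main__":
    daily = botnet_mining_usd_per_day(10_000, ASSUMED_CPU_HASHRATE_HS, ASSUMED_DIFFICULTY,
                                      BLOCK_REWARD_BTC_2014, BTC_USD_29_NOV_2014)
    print(f"10,000 CPUs mining bitcoin: about ${daily:.2f} per day")
    for rate in (0.0025, 0.30):
        print(f"attrition {rate:.2%}: net gain from mining ${MCAFEE_EXAMPLE.net_gain_from_mining(rate):,.2f}")
    print(f"mining stops paying at {MCAFEE_EXAMPLE.break_even_attrition():.2%} attrition")
```

Under these assumptions ten thousand infected CPUs earn well under a dollar a day, and in the attrition model mining stops paying once roughly 0.3% of victims notice and clean up, which is why a realistic 30% attrition turns the US$7.61 gain into a loss of about US$3,265.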
The company explained that illicit mining via botnets has moved into the mainstream, due to the fact that mining is now bundled in many toolkits and builders across multiple platforms used by malware developers. Whether or not developers choose to enable mining functionality is up to them.
“However, there is a great deal of doubt around the profitability of this practice given the resource requirements of the mining algorithms. Nonetheless, the nefarious malware sellers seem to have plenty of motivation to squeeze every possible ounce of profit out of their efforts,” McAfee concluded.
One can safely assume that botnet operators are more technology savvy than the average person, but judging by the tone of McAfee’s report, it seems many of them could still use a lesson or two in cryptocurrency mining and economics.