Hackers breach StatCounter to hijack Bitcoin transactions on Gate.io …

Hackers have breached StatCounter, one of the internet’s largest web analytics platforms, and have inserted malicious code inside the company’s main site-tracking script.

According to Matthieu Faou, the ESET malware researcher who detected the hack, this malicious code hijacks any Bitcoin transaction made via the web interface of the Gate.io cryptocurrency exchange.

“We contacted [StatCounter] but they haven’t replied yet,” Faou told ZDNet today in an email. “The JavaScript file at www.statcounter[.]com/counter/counter.js is still compromised.”

Faou says the malicious code was first added to this StatCounter script over the weekend, on Saturday, November 3. The code is still live, as this screenshot taken before the article’s publication can attest.


This JavaScript file is the central piece of StatCounter’s analytics service. Similar to the Google Analytics tracking code, companies load this script on their sites to track visits and review traffic history.

According to a PublicWWW search, there are over 688,000 websites that currently appear to load the company’s tracking script.

But according to Faou, none of these companies have anything to fear, at least for now. This is because the malicious code inserted into StatCounter’s site-tracking script only targets the users of one site: cryptocurrency exchange Gate.io.

The ESET researcher says that the malicious code looks at the page’s current URL and won’t activate unless the page link contains the “myaccount/withdraw/BTC” path.

Faou says that the only website on which he identified this URL pattern was Gate.io, a major cryptocurrency exchange, currently ranked 39th in CoinMarketCap’s rankings.

The URL targeted by the malicious code is part of a user’s account dashboard, and more specifically it’s the URL for the page on which users make Bitcoin withdrawals and transfers.

Faou says the malicious code’s purpose is to secretly replace any Bitcoin address users enter on the page with one controlled by the attacker.

“A different Bitcoin address is used for each victim. We were not able to find the attackers’ main Bitcoin address. Thus, we were not able to pivot on the blockchain transactions and find related attacks,” Faou told ZDNet, suggesting it’s still impossible to determine the amount of Bitcoin the group might have stolen.

Both ESET and ZDNet have reached out to StatCounter to inform it about the security breach, but the company has not responded to either of us.

We also reached out to Gate.io, but the exchange, too, has not responded. However, despite the radio silence, Gate.io admins have removed the StatCounter script from their site.

“Gate.io doesn’t use StatCounter anymore,” Faou told ZDNet. “Thus, Gate.io customers should be safe now.”

However, there are still questions regarding the number of Gate.io users who might have been affected by this security incident, and the compensation they might be entitled to, questions that Gate.io still needs to address.

The StatCounter incident is only the latest in a long list of recent supply-chain attacks via third-party JavaScript code loaded on legitimate sites. In the past year, miscreants have hacked several online services to deliver in-browser cryptocurrency-mining scripts or card-skimming code to unsuspecting users.

“This [incident] is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice,” Faou said in a report on the StatCounter hack published on the ESET blog today. Indicators of compromise for security researchers looking to dig deeper into the StatCounter hack are available in Faou’s technical analysis.
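The point Faou makes above, that a third-party script can change at any time without notice, is exactly what Subresource Integrity (SRI) pinning and script-drift monitoring exist to catch. The following is an added example written for this page, not code from ZDNet, ESET or StatCounter: it computes an SRI digest for a known-good copy of a tracking script, renders the pinned `<script>` tag, reports whether a served copy still matches, and, as a secondary heuristic, flags the withdrawal-path trigger string the article describes. Both script bodies are constructed stand-ins, not StatCounter’s real counter.js; the `sc_project` value is made up.

```python
"""
Added example (not from the ZDNet article or ESET's analysis): a defender-side
check that pins a third-party script with a Subresource Integrity (SRI) digest
and flags drift, plus a content heuristic for the URL-path trigger the article
reports. Script contents are constructed stand-ins for demonstration only.
"""
import base64
import hashlib
import re

# Constructed stand-in for a known-good copy of a third-party tracking script.
KNOWN_GOOD_SCRIPT = b"""
var sc_project = 1234567; // constructed project id, not a real one
var sc_invisible = 1;
(function () {
  var s = document.createElement('script');
  s.src = '/counter/counter.js';
  document.head.appendChild(s);
})();
"""

# Constructed stand-in for a tampered copy: the same script plus an appended
# block that keys on the withdrawal URL path, as described in the article.
TAMPERED_SCRIPT = KNOWN_GOOD_SCRIPT + b"""
if (document.location.href.indexOf('myaccount/withdraw/BTC') > -1) {
    /* injected logic would live here */
}
"""

# Heuristic content patterns; the path string is the trigger ESET reported.
SUSPICIOUS_PATTERNS = [
    r"myaccount/withdraw/BTC",
]


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style integrity value, e.g. 'sha384-<base64 of digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Render a <script> tag pinned to a digest; browsers refuse a modified copy."""
    return (
        f'<script src="{src}" integrity="{integrity}" '
        'crossorigin="anonymous"></script>'
    )


def check_script(served: bytes, pinned: str) -> bool:
    """True if the served script body still matches the pinned SRI digest."""
    algo = pinned.split("-", 1)[0]
    return sri_digest(served, algo) == pinned


def suspicious_fragments(content: bytes) -> list:
    """Return the heuristic patterns found in the script body (empty if none)."""
    text = content.decode("utf-8", errors="replace")
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, text)]


if __name__ == "__main__":
    pinned = sri_digest(KNOWN_GOOD_SCRIPT)
    # URL taken from the article (defanged there as statcounter[.]com).
    print(script_tag("https://www.statcounter.com/counter/counter.js", pinned))
    print("known-good copy matches pin:", check_script(KNOWN_GOOD_SCRIPT, pinned))
    print("tampered copy matches pin:", check_script(TAMPERED_SCRIPT, pinned))
    print("heuristic hits in tampered copy:", suspicious_fragments(TAMPERED_SCRIPT))
```

Two caveats a practitioner would want. First, SRI only helps when the vendor script is static: a digest pinned in the `integrity` attribute will also block the vendor’s own legitimate updates, so teams that cannot pin usually self-host a vetted copy or run a scheduled fetch-and-compare job built on the same `sri_digest` / `check_script` logic and alert on any change. Second, the path heuristic is tied to this one incident; it is a cheap signal for a monitoring job, not a substitute for integrity checking.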
