Say what you will, but crime is one of the engines of progress: if not the main one, then certainly not the least. Customers of the cryptocurrency exchange Gate.io were very lucky that the criminals' plan was uncovered quickly.
Statcounter is a harmless service, quite popular among webmasters who analyze visit statistics and user behavior on their sites. The staff of the cryptocurrency exchange Gate.io also used its paid version, at least until recently: today the exchange announced that it is dropping the service.
According to the exchange's statement, on November 6 a report from the antivirus vendor ESET identified suspicious activity related to Statcounter. “We immediately scanned it using Virustotal, using the 56 anti-virus products. No complaints, but we decided to cease cooperation with Statcounter… customer funds are safe”, said Gate.io.
Meanwhile, the case is quite interesting, primarily because of the sophistication of the approach. A person or persons unknown chose not to attack the exchange directly but to go through a weaker link: they implanted a malicious script in Statcounter, which processes traffic statistics for the pages of the exchange's website.
Without going into technical details, the script checked the address of the current page for the string “myaccount/withdraw/BTC”. If the page matched, the script then ran further code hosted on a domain, Statconuter.catfish, whose name differs from the genuine Statcounter by 2 letters.
The only address containing the phrase that activates the second script is the page that Gate.io customers use to withdraw bitcoins to an external wallet.
The actual function of the second script is to substitute the wallet address to which the client intends to withdraw bitcoins. The script also generates a new address every time, which makes tracking the funds and assessing the damage quite difficult. Funds were to be withdrawn in amounts equal to the individual user's daily withdrawal limit.
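A defensive check for the scenario described above, as an added example that is not part of the original article: it audits the script URLs loaded by a sensitive page against an allowlist and flags hosts whose name is a near miss of an allowed one. The allowlist entry, the function names and the sample URLs are assumptions constructed for illustration; the lookalike host reuses the domain as spelled on this page.

```javascript
// Added example: audit third-party script hosts on a sensitive page.
// ALLOWED is an assumed allowlist; adjust it to the hosts your page really needs.
const ALLOWED = ["www.statcounter.com"];

// Naive brand label: second-to-last DNS label (no public-suffix handling).
function brandLabel(host) {
  const parts = host.toLowerCase().split(".");
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Optimal string alignment distance: insert, delete, substitute,
// plus swap of two adjacent characters, each costing 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Verdict per script URL: "allowed", "lookalike" (host is not allowed but its
// brand label is within maxDistance of an allowed host's), or "unknown".
function auditScripts(scriptUrls, allowed = ALLOWED, maxDistance = 2) {
  return scriptUrls.map((u) => {
    const host = new URL(u).hostname;
    if (allowed.includes(host)) return { host, verdict: "allowed" };
    const near = allowed.find(
      (a) => osaDistance(brandLabel(host), brandLabel(a)) <= maxDistance
    );
    return near ? { host, verdict: "lookalike", resembles: near } : { host, verdict: "unknown" };
  });
}

// Constructed sample input: script sources collected from a withdrawal page.
const SAMPLE = [
  "https://www.statcounter.com/a.js",
  "https://www.statconuter.catfish/b.js", // domain as spelled on this page
  "https://widgets.example.net/c.js",
];
console.log(auditScripts(SAMPLE));
```

Both "lookalike" and "unknown" verdicts on a withdrawal page deserve review, since any script loaded there can rewrite the destination address field.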