Against the background of the cryptocurrency boom, criminals are coming up with new ways to take over other people's digital assets. One of them is the use of so-called web injections to intercept and modify traffic between the browser and the cryptocurrency web resource.

The independent research company SecurityScorecard said that web injections threaten users of the Coinbase service and of the Blockchain web wallet.

A web injection is a piece of malicious code embedded in a web page. Web injections can add or remove content on the page the victim sees; for example, they can add fields to a login screen in order to capture the password. Web injections have been used to steal credentials or to gain access to bank accounts, but recently they have been actively used to steal cryptocurrency.

According to Doina Cosovan, a malware specialist at SecurityScorecard, botnet owners buy web injections for Coinbase and Blockchain.info and distribute them to infected computers. These web injections can be used by various types of malware. Cosovan says:

We noticed this in particular with Zeus and Ramnit, but those are just the examples we came across. Any owner of botnet malware that is able to add code to sites can buy and use these injections.

The web injection for Coinbase discovered by SecurityScorecard is designed to change the victim's account settings so that digital coins can be sent without confirmation from the user. When a user tries to log in to their Coinbase account, the JavaScript added by the attackers first disables the keyboard "Enter" key for the email and password fields, so that the user has to press the "Send" button on the website.

It also creates a button with the same attributes as the original, inserted on top of the original login button so that the victim clicks it instead. The ultimate goal is to capture the multi-factor authentication code, which is then used to change the account settings so that further transactions can be performed without the user's consent. Cosovan says:

Once this change is made, the embedded program can begin to make transactions without the need for confirmation through two-factor authentication. Furthermore, the user's access to the settings is locked, so they cannot enable two-factor authentication for transactions.

The web injections for Blockchain.info work similarly and are designed to steal funds from the wallet. Among other things, the web injection displays a "Service Unavailable" message so that the user does not notice the theft.
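The two manipulations described above for the Coinbase injection (a cloned submit button laid over the genuine one, and extra fields inserted into the login form) are what a site operator's client-side tamper check would look for. The following is an added example, not code from the article or from SecurityScorecard; it works on plain element descriptors so it runs outside a browser, and the sample form, the `expectedFields` list and the field name `otp` are constructed assumptions.

```javascript
// Added example: a login-page DOM tamper check for the manipulations the
// article describes. Elements are plain objects; in a real page you would
// build them from document.querySelectorAll('form *') using
// el.getAttributeNames() / el.getAttribute() and el.getBoundingClientRect().

function overlaps(a, b) {
  // Axis-aligned rectangle intersection test.
  return a.left < b.left + b.width && b.left < a.left + a.width &&
         a.top < b.top + b.height && b.top < a.top + a.height;
}

function sameAttrs(a, b) {
  const ka = Object.keys(a.attrs).sort();
  const kb = Object.keys(b.attrs).sort();
  return ka.length === kb.length &&
         ka.every((k, i) => k === kb[i] && a.attrs[k] === b.attrs[k]);
}

// expectedFields: input names the genuine form contains (known to the site).
function auditLoginForm(elements, expectedFields) {
  const findings = [];
  const buttons = elements.filter(e => e.tag === 'button' ||
                                       (e.tag === 'input' && e.attrs.type === 'submit'));
  // A second button with identical attributes sitting on top of the first is
  // the overlay pattern the article describes.
  for (let i = 0; i < buttons.length; i++) {
    for (let j = i + 1; j < buttons.length; j++) {
      if (sameAttrs(buttons[i], buttons[j]) && overlaps(buttons[i].rect, buttons[j].rect)) {
        findings.push({ kind: 'duplicate-button', id: buttons[i].attrs.id });
      }
    }
  }
  // Any input the genuine form does not define is an injected field.
  for (const e of elements) {
    if (e.tag === 'input' && e.attrs.type !== 'submit' && !expectedFields.includes(e.attrs.name)) {
      findings.push({ kind: 'unexpected-field', name: e.attrs.name });
    }
  }
  return findings;
}

// Constructed sample: the form after an injection cloned the sign-in button
// over the original and added an extra "otp" field (assumed name).
const SAMPLE_ELEMENTS = [
  { tag: 'input',  attrs: { type: 'email',    name: 'email' },    rect: { left: 0, top: 0,   width: 200, height: 30 } },
  { tag: 'input',  attrs: { type: 'password', name: 'password' }, rect: { left: 0, top: 40,  width: 200, height: 30 } },
  { tag: 'button', attrs: { type: 'submit',   id: 'signin' },     rect: { left: 0, top: 80,  width: 100, height: 30 } },
  { tag: 'button', attrs: { type: 'submit',   id: 'signin' },     rect: { left: 0, top: 80,  width: 100, height: 30 } },
  { tag: 'input',  attrs: { type: 'text',     name: 'otp' },      rect: { left: 0, top: 120, width: 200, height: 30 } },
];
const EXPECTED_FIELDS = ['email', 'password'];
```

`auditLoginForm(SAMPLE_ELEMENTS, EXPECTED_FIELDS)` reports one duplicate button and one unexpected field; on the untampered form it returns an empty list.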

Separately, researchers at Trend Micro found that hackers are using a vulnerability identified five years ago to covertly mine cryptocurrency on Linux servers.

The cryptomining campaign uses CVE-2013-2618, a long-standing vulnerability in the Network Weathermap plugin for Cacti, an open-source tool that network administrators use to visualize network activity. Attackers can exploit this vulnerability to insert HTML and JavaScript into map titles in the network map editor, and to upload malicious PHP code to the server.

The vulnerability was disclosed in April 2013, and a fix has existed for nearly five years, but criminals were still using it for mining in 2018. Publicly accessible x86-64 Linux web servers around the world are at risk, with the largest number of victims recorded in Japan, China, the USA and Taiwan.

Attackers use this exploit to view code on the vulnerable server, which allows them to modify that code to install the miner, presumably repeating the process every three minutes.

The miner is a modified version of XMRig, a legitimate open-source Monero miner. After analyzing some of the cryptocurrency wallets, the researchers found that one of the attackers managed to collect 320 Monero (worth slightly less than $68,000). They note that this is only a small part of what was mined over the entire campaign: according to preliminary estimates, the hackers were able to earn approximately $3 million.