A malicious actor compromised the platform of leading web analytics firm StatCounter in a supply chain attack that targeted the cryptocurrency exchange gate.io with a bitcoin-stealing script.
Outside of gate.io, none of the other two million-plus websites using StatCounter's metrics services appear to have been affected by the malicious JavaScript, even if they downloaded it. That's because the script checks for a particular Uniform Resource Identifier, myaccount/withdraw/BTC, that is associated exclusively with a gate.io webpage and with no other cryptocurrency exchange. In other words, the code appears to have been designed specifically to interact with gate.io users, according to a blog post published yesterday by Matthieu Faou, malware researcher at cybersecurity firm ESET.
In his report, Faou said that ESET notified both StatCounter and gate.io upon discovering the attack.
However, StatCounter founder Aodhan Cullen gave SC Media a differing account via email, saying it was actually a member who alerted his company to the incident. "We got a report from a member about this issue on Tuesday and fixed it within a few hours," said Cullen, describing the initial compromise as a cache poisoning attack.
In response, Faou held firm, stating that "We notified them on Monday, [Nov.] 5 at 6:55 p.m. EST time zone," adding that the disclosure was made via StatCounter's support contact.
The ESET report explained that upon compromising the web analytics platform, the attackers injected their packed malicious code into the middle of a legitimate StatCounter script. "This is unusual, as attackers generally add malicious code at the beginning, or at the end, of a legitimate file," wrote Faou. "Code injected into the middle of an existing script is typically harder to detect via casual observation."
If the downloaded first-stage script finds the aforementioned gate.io URI, it then executes second-stage code, which is tied to a fake, lookalike StatCounter domain. This code is designed to steal bitcoins by replacing a user's transaction destination with a Bitcoin address belonging to the attackers.
"This redirection is probably unnoticeable to the victims, since the replacement is performed after they click on the submit button. Thus, it will happen very quickly and would probably not even be displayed," wrote Faou.
The malicious code either sticks with the amount chosen by the victim, or changes the amount to the unsuspecting user's daily withdrawal limit. And because the malicious script uses a new bitcoin address for each transaction, the researchers have been unable to ascertain how much the attackers may have successfully stolen during their campaign.