Attackers stole Bitcoins by replacing destination address

Nov 6, 2018 19:19 GMT  ·  By

The web analytics platform StatCounter was compromised on November 3 by attackers who modified its global site-tracking script so that it stole Bitcoin from gate.io's withdrawal page, as discovered by ESET researcher Matthieu Faou.

"The script targets a specific Uniform Resource Identifier (URI): myaccount/withdraw/BTC. It turns out that among the different cryptocurrency exchanges live at time of writing, only gate.io has a valid page with this URI," said Faou. "Thus, this exchange seems to be the main target of this attack."

Given that more than 2 million websites use StatCounter's tracking platform and that it records stats for roughly 10 billion page views every month, it is easy to see why the attackers chose it as a target: compromising one script put their code in front of every visitor of every site that embeds it.

The hackers altered the platform's main tracking script available at www.statcounter[.]com/counter/counter.js by appending malicious code designed to automatically switch the destination Bitcoin address.

To be more exact, the appended code does nothing unless the page's URI matches the withdrawal path. On that page it loads a second-stage payload from statconuter[.]com/c.php, a domain the attackers registered to look like statcounter.com so the extra request would not stand out. Once the victim clicks the submit button on gate.io's withdrawal page, that payload generates a new Bitcoin address and replaces the destination the user entered with it.

The cryptocurrency was stolen using a maliciously altered tracking script used by 2+ million websites

"This redirection is probably unnoticeable to the victims, since the replacement is performed after they click on the submit button," stated Faou. "Thus, it will happen very quickly and would probably not even be displayed."

Since the malicious script uses a different Bitcoin address every time it redirects a transaction, there is no single wallet to watch, so it is practically impossible to determine how much was stolen from gate.io users before the attack was discovered and gate.io's admins removed the StatCounter tracking script.

Pulling off a supply-chain attack of this complexity to compromise a single exchange that is not even the largest player on the market shows the effort bad actors will invest to reach a target that promises a substantial payback.

"It also shows that even if your website is updated and well protected, it is still vulnerable to the weakest link, which in this case was an external resource," according to the ESET security researcher. "This is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice."