As it turns out, this simple trick can yield malware authors a lot of cryptocurrency
There’s a lot of money in cryptocurrency these days. In addition to hobby traders, cryptocurrency has attracted the attention of legitimate investors and speculators. It’s also attracted the attention of cyber criminals, who use it for ransomware payments.
And there’s another, old fashioned way cyber criminals are interested in cryptocurrency: to steal it.
There are many ways to steal cryptocurrency. One way is to use coinminer malware on victims’ machines to hijack computing resources in order to generate cryptocurrency directly for the criminals. We saw this with our recent research into Crackonosh, where the malware authors loaded their coinmining malware into cracked versions of popular games. This was enough to earn the people behind Crackonosh over $2 million USD Monero from over 222,000 infected systems worldwide since June 2018.
Another way is to attack the crypto equivalent of people’s bank accounts at the banks. We saw this when attackers went after customer accounts at Coinbase, one of the most popular cryptocurrency exchanges out there. In this case, the attackers went after Coinbase customers’ accounts, gained access to them, and then sent those customers’ funds to accounts under their control.
And, finally, another way attackers can steal your cryptocurrency is to attack your system directly with malware to steal those funds. What may be most surprising, though, is that attackers can do this by having their malware abuse a much-used feature in computers: copy and paste. It turns out that this simple trick can yield malware authors a lot of cryptocurrency.
In new research, Jakub Kaloč and Jan Rubín with the Avast Threat Labs team has found that MyKings – a botnet that’s been around since at least 2016 – uses a simple trick of hijacking the copy and paste function on infected machines to redirect cryptocurrency payments to the attackers’ wallets. Our research shows the attacker’s wallets show at least $24 million USD (and likely more) in Bitcoin, Ethereum, and Dogecoin. We can’t say that’s all stolen from MyKings infections, but at least some part of that sizable sum has come from MyKings using this copy and paste hijacking technique to successfully funnel money.
The way it works is simple. Once the MyKings malware is installed on a victim’s system, it continually monitors the clipboard for what’s copied into it. When it detects what it believes is a cryptocurrency wallet address in the clipboard, it replaces it with their wallet address. Once that happens, when the user “pastes” what they believe is their cryptowallet address into a transaction, they’re actually pasting the attacker's wallet address, rather than their own. Once the transaction is completed, the cryptocurrency is sent to the attacker’s wallet.
It’s a simple trick. And, as we can see, it’s very effective. It relies on users not noticing that the long, complex account number has changed. Given how long and complex cryptowallet addresses are, it’s a safe bet that many won’t notice the change. And, as we see, it pays off.
The good news is, there are some simple ways to protect yourself and your cryptocurrency.
First, running security software on any system you’re using for cryptocurrency is a good start: that can help keep malware like MyKings off your system.
Second, you can avoid this particular attack by not using copy/paste with your cryptocurrency wallet information and instead type it in yourself, taking care to ensure you have the right number.
Third, whether you use copy/paste or type your wallet address yourself, take a moment to verify that the account numbers you’re using are the right ones. This is a good step to follow at all times, as it can help not only prevent problems like this, but also catch mistakes that could cause other problems.
MyKings shows that there are simple ways attackers can steal your cryptocurrency. Fortunately, the steps to protect yourself are equally simple and effective.
Businesses can protect their sites from DDoS attacks with specialized software and cloud protection, while consumers can prevent their devices from being used as part of a botnet by using reliable antivirus software.
Hacked Facebook accounts belonging to a Brazilian ISP, Mexican sporting goods store, mountain tourism site from Slovakia, and a computer repair shop in the Philippines are spreading posts linking to malware to users around the world.
A crypto investment scam is circulating on Facebook and in people’s inboxes across Europe, Canada, and Australia. Avast is actively protecting its users from the campaign and has protected more than 10,000 users from the scam in August.