One of the most debated topics on the internet today is the use of Bitcoin. Not a single day goes by without an article that discusses some aspect of Bitcoin usage: should it be recognized and used like any other currency? Should one invest in such an unstable, unregulated and unpredictable currency? How do you protect yourself from Bitcoin-stealing malware?
Trusteer’s security team has recently analyzed a malware variant designed specifically to target Bitcoin information, mining and trading sites as well as other virtual currency platforms. This Citadel variant captures screenshots of the victim’s browser when the victim browses the following web sites (partial list):
BTCsec.com – An informative site about Bitcoin for Russian speakers
Bit-Miner.com – Bitcoin mining site
mining.bitcoin.cz – Bitcoin mining site
bitcoin-trade.biz – Bitcoin trading site
Payoneer.com – Payoneer, a payment platform
perfectmoney.com – PerfectMoney, a virtual currency
qiwi.ru – QIWI, a virtual currency
webmoney.ru – Webmoney, a virtual currency
money.yandex.ru – Yandex Money, a virtual currency
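A defender who reads a target list like the one above usually wants to know which users in the organization actually visit those sites, so they can be prioritized for endpoint checks. The following is an added example, not Trusteer’s code and not the Citadel configuration itself: it matches proxy log URLs against the listed domains by host or subdomain rather than by substring, which is an assumption about how such a watch list should be applied (the real Citadel matching rules are not described on this page). The log format and the log lines are constructed for the example. Note that a hit means a user is exposed to this variant’s screen capture, not that the host is infected.

```python
import re
from urllib.parse import urlsplit

# Domains the Citadel variant described above watches (the partial list
# from the text, lower-cased). Matching is by host or subdomain.
CITADEL_SCREENSHOT_TARGETS = (
    "btcsec.com",
    "bit-miner.com",
    "mining.bitcoin.cz",
    "bitcoin-trade.biz",
    "payoneer.com",
    "perfectmoney.com",
    "qiwi.ru",
    "webmoney.ru",
    "money.yandex.ru",
)


def host_of(url):
    """Return the lower-cased hostname of url, or None if it has none."""
    if "://" not in url:
        url = "http://" + url  # proxy logs sometimes omit the scheme
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def matches_target(host, targets=CITADEL_SCREENSHOT_TARGETS):
    """Return the watched domain that host belongs to, or None.

    A host matches when it equals the target or is a subdomain of it.
    A plain substring check would also flag look-alikes such as
    'notqiwi.ru' or 'perfectmoney.com.evil.example', which we avoid.
    """
    for t in targets:
        if host == t or host.endswith("." + t):
            return t
    return None


# Constructed sample proxy log (assumed squid-like: ts client method url).
SAMPLE_LOG = """\
1386000001.123 10.0.0.5 GET https://money.yandex.ru/login
1386000002.456 10.0.0.5 GET https://www.example.com/
1386000003.789 10.0.0.7 GET http://bit-miner.com/dashboard
1386000004.012 10.0.0.9 GET https://perfectmoney.com.evil.example/phish
1386000005.345 10.0.0.9 GET https://mining.bitcoin.cz/stats
1386000006.678 10.0.0.12 GET http://notqiwi.ru/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def clients_visiting_targets(log_text, targets=CITADEL_SCREENSHOT_TARGETS):
    """Map each client IP to the set of watched domains it visited."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = host_of(m.group("url"))
        if host is None:
            continue
        target = matches_target(host, targets)
        if target:
            hits.setdefault(m.group("client"), set()).add(target)
    return hits


if __name__ == "__main__":
    for client, domains in sorted(clients_visiting_targets(SAMPLE_LOG).items()):
        print(client, sorted(domains))
```

Run against the constructed log, the look-alike hosts on 10.0.0.9 and 10.0.0.12 are not flagged, while the three genuine visits are; swap in your own proxy export and the current target list to get the same report for real traffic.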
While Bitcoin wallet stealers and Bitcoin mining malware have been around for quite some time now, it seems that cybercriminals are stepping up their game following Bitcoin’s impressive increase in value. In addition to this new Citadel variant, Trusteer’s security team has observed an increase in the number of forum posts by members looking for help in targeting a Bitcoin-related site, while some cybercriminals are also asking for Bitcoin users’ email databases.
Virtual currencies are the bread and butter of cybercrime. Criminals use this form of payment to remain anonymous and protect their online, as well as their real, identities. One such currency adopted by cybercriminals not long ago was Liberty Reserve (referred to as LR in underground forums). LR offered users a platform for transferring funds to other users using only their email, name and date of birth as means of identification. No effort was made to validate identities, no limits were set on transactions and most forms of deposit were honored: a true money laundering paradise. In May 2013 the US Department of Justice charged LR with laundering $6 billion and arrested its founder. In the words of the US Attorney for the Southern District of New York, “Liberty Reserve was intentionally created and structured to facilitate criminal activity, it was essentially a black market bank.” Cybercriminals were forced to use other means for transactions.
Trusteer’s security team recently came across a discussion in a closed Russian cybercrime forum in which forum members debated the use of different virtual currencies, mules, secured transactions and, of course, Bitcoin. This fascinating thread included suggestions and tips as well as a discussion of the volatility of Bitcoin and what impact this could have on their business. The thread started off with a question by one of the members:
Hello all, do you use PerfectMoney or Bitcoin in your daily operations? And if yes, which? Or do you still use WebMoney after the Liberty Reserve shutdown?
Bitcoin (referred to as BTC) has had its fair share of ups and downs this year, with a price as low as $13 in January and soaring to $1,200 at its highest point last week, surpassing the price of an ounce of gold. Its price has been known to fluctuate following major related events such as the shutdown of the Tor-based drug marketplace Silk Road or following attacks on and hacks of major Bitcoin exchanges. What do cybercriminals think about the options currently available when it comes to virtual currencies? The forum members can be roughly divided into three groups: the super secure, the classic virtual currency supporters (those who use PerfectMoney (PM), WebMoney (WM), Yandex and other virtual currencies) and the Bitcoin enthusiasts.
The Super Secure
While all forum members are concerned with security, this group takes it further. In this thread there are several examples of how important a secure cashout is to them. One member wrote of his preferred transaction procedure:
Webmoney Mobile with a prepaid SIM and a fresh phone. When I need a transaction I turn the phone on, then off.
Another member pointed out the importance of anonymity in the cashout process:
I use WebMoney registered to my drops. I don’t even access the WebMoney Keeper from my own IP. PerfectMoney is still a mystery to me. Used it once. Looks like Liberty. I use Yandex Money, with a Yandex card, also under the drop’s name when it comes to cashing out stuff to be safe. Anonymous cashout of the earned money is the most important thing! Use drops!
The issue of the cybercriminal’s IP and personal data was raised again by another member:
WebMoney is crap, and their Keeper, in particular. It collects all the available info of your PC and sends it to WebMoney’s servers (essentially, a Trojan which you willingly installed)
The Classic Virtual Currency Supporters
Members of this group are avid supporters of the existing virtual currencies. They prefer the current solutions because they fit their needs and are not as volatile as Bitcoin. One member explained it this way:
Bitcoin can’t serve as a method of accumulating money, since this is just a toy at the hand of speculators. It’s much easier to register/buy a disposable/verified account rather than try cashing out BTC. So that’s PM+ BTC-
Another member responded:
Totally agree. I don’t see any purpose in depositing money there and keeping major amounts there, because who knows who is really in control of the exchange rate
Other members just do not see a reason to change an already working system:
WM and PM are regular anonymous payment systems (WM is more formal, PM is straight-on-fake info), knock on wood, everything is good. I use them daily, cashing out a minimum of $1K per week
One group member bluntly put it:
Society is not ready for cryptocurrency
The Bitcoin Enthusiasts
Bitcoin supporters form the largest group. These members highlight the ease of use, safety and growing adoption rate of Bitcoin.
I use Bitcoin mainly, it’s great for me. And more and more services migrate to Bitcoin
Others indicate that they have made the move from classic virtual currencies to Bitcoin and they never looked back:
Bitcoin. I hope to stop using WebMoney completely soon
Other Bitcoin supporters don’t mind looking into other virtual currencies; however, they do indicate their satisfaction with Bitcoin:
I use Bitcoin Dollars daily. But I haven’t tried PerfectMoney yet. Maybe soon. I like BTC
And another member posted:
Bitcoins and sometimes WM. I got blocked in PM a couple of days after registering. Haven’t used it since
These members also dismiss claims regarding Bitcoin’s volatility. Several members noted that while Bitcoin may go down in value (as highlighted by the classic virtual currency supporters), it usually regains its value and even goes higher.
With the constantly increasing interest in Bitcoin from entrepreneurs, businesses, private users and cybercriminals, we can only expect more malware designed to target this platform. Cybercriminals are enjoying the best of both worlds: on the one hand they have adopted Bitcoin to carry out (relatively) secure and anonymous transactions, while on the other they target and steal from unsuspecting Bitcoin users. No real dilemma here.
Etay Maor | Fraud Prevention Manager | Trusteer, an IBM Company.