Cybercriminals Creep into 600K Websites via StatCounter to Target Bitcoin

Hackers have infiltrated a top website traffic analytics platform, injecting malicious code into more than 600,000 websites to be able to access the Bitcoin kept at crypto exchange Gate.io.

According to a November 6 report by ZDNet, Matthieu Faou, a malware researcher at cybersecurity firm ESET, uncovered malicious code in a website traffic-tracking script provided by top website analytics company StatCounter.

Just like Google Analytics and Alexa, StatCounter tracks various metrics that websites use for audience development, sales conversions, and other purposes. To collect these statistics, websites must add a piece of StatCounter code to their pages. In this case, that requirement became a liability: it led more than 688,000 websites to load the malicious code.

The websites themselves seem to be safe from any damage because the malicious code only targets Bitcoin transactions executed on crypto exchange Gate.io. Data from CoinMarketCap shows that Gate is ranked 40th in terms of adjusted trading volume, with almost $50 million in daily trading volume, making it an attractive target for cybercriminals.

Meanwhile, Faou says that the code was first added to StatCounter’s website-tracking script on November 3 and was still active four days later. The malware researcher says that StatCounter has yet to respond to his attempt to make contact, explaining:

“The JavaScript file at www.statcounter[.]com/counter/counter.js is still compromised.”

He further states that the malicious code specifically targets web pages whose URL includes the path “myaccount/withdraw/BTC,” a string that is used only in the section of Gate that handles a user’s Bitcoin transfers.

According to Faou, the code acts like typical crypto-targeting clipboard malware: the correct Bitcoin wallet address is replaced by a wallet address owned by the cybercriminals who introduced the code.

The cybercriminals tried to conceal their tracks by using a different Bitcoin address for every victim ensnared by the malware. Because the malware triggers only after the user clicks the submit button to transfer funds, it is already too late by the time the user notices the changed address. Due to the ambiguity shrouding the security breach, Faou is not sure how many BTC the hackers were able to steal.

In a Twitter post on November 7, Gate stated that it had already removed the StatCounter tracking script from its website. Even so, StatCounter’s security may still have a weakness that can affect any of the two million websites on the platform. Based on information available on Alexa Traffic ranking, StatCounter is ranked among the top 2,500 websites in the U.S. and is ranked 5,072 worldwide.
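
Gate's response was to remove the third-party script from its site. The audit below is an added example, not code from the ESET or ZDNet reports: it lists the external scripts a page loads and raises the severity when the page sits under a sensitive path such as the withdrawal URL described above. The host names, sample HTML and the `SENSITIVE_PATHS` list are constructed assumptions.

```javascript
// Added example: audit which third-party scripts load on sensitive pages.
// Assumption: path fragments that mark pages handling fund transfers.
const SENSITIVE_PATHS = ["myaccount/withdraw"];

// Return every <script src> whose host differs from the page's own host.
function thirdPartyScripts(pageUrl, html) {
  const page = new URL(pageUrl);
  const found = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    // Require whitespace before "src" so attributes like data-src are ignored.
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: no external origin to review
    const url = new URL(src[1], page); // resolves relative and //host forms
    if (url.host === page.host) continue; // first-party script
    found.push({
      host: url.host,
      src: url.href,
      // Subresource Integrity pins the script to a known hash.
      hasIntegrity: /(?:^|\s)integrity\s*=\s*["'][^"']+["']/i.test(attrs),
    });
  }
  return found;
}

// Tag each third-party script with the page path and a severity.
function auditPage(pageUrl, html, sensitivePaths = SENSITIVE_PATHS) {
  const path = new URL(pageUrl).pathname;
  const sensitive = sensitivePaths.some((p) => path.includes(p));
  return thirdPartyScripts(pageUrl, html).map((s) => ({
    ...s,
    page: path,
    severity: sensitive ? "high" : "info",
  }));
}

// Constructed sample pages for a hypothetical site, exchange.example.
const SAMPLE_PAGES = {
  "https://exchange.example/myaccount/withdraw/BTC":
    '<script src="/static/app.js"></script>' +
    '<script src="//analytics.example/counter/counter.js"></script>',
  "https://exchange.example/blog/news":
    '<script src="https://analytics.example/counter/counter.js" ' +
    'integrity="sha384-CONSTRUCTED"></script>',
};

for (const [url, html] of Object.entries(SAMPLE_PAGES)) {
  for (const f of auditPage(url, html)) console.log(f.severity, f.page, f.src);
}
```

A "high" finding means an outside party can change what runs on a page that moves funds; removing the script from that page, as Gate did, closes that path.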