Web analytics company Statcounter and cryptocurrency exchange gate.io have been compromised in another supply-chain attack, which resulted in an unknown number of gate.io customers getting their money stolen, according to ESET.
The compromise was first detected by researchers at IT security firm ESET, who noticed that the script (www.statcounter.com/counter/counter.js) that Statcounter's clients add to their websites had been modified to include malicious code:
The injected code did the following:
- Checked whether the page URL contained myaccount/withdraw/BTC (which turned out to be the specific URI of the gate.io bitcoin withdrawal page)
- If it did, added a new script element to the webpage that loaded additional code from https://www.statconuter[.]com/c.php (note the lookalike domain), which was designed to steal bitcoins
- That code silently replaced the destination Bitcoin address in the withdrawal form with an address belonging to the attackers (a new address each time the PHP script was loaded).
“Depending on whether the victim enters an amount above 10 BTC or not, the attackers’ script will either use it or use the victim’s account’s daily withdrawal limit,” ESET researcher Matthieu Faou explained.
“Finally, the malicious script submits the form, which executes the transfer from the victim’s account to the attackers’ wallet. This redirection is probably unnoticeable to the victims, since the replacement is performed after they click on the submit button. Thus, it will happen very quickly and would probably not even be displayed.”
Faou says the Statcounter breach happened on November 3. ESET discovered it on Tuesday (November 6) and immediately notified both Statcounter and gate.io.
Statcounter, which boasts of over 2 million members/customers, has yet to publicly comment on the incident. Hopefully they are working on securing their compromised assets and removing the malicious code from the script. Statcounter customers would do well to demand some answers from the company, even if they weren’t affected this time.
Gate.io has reacted by removing the Statcounter script from their website.
“After that, we didn’t find any other suspicious behaviors,” they said, and added that “users’ funds are safe.” They did not say whether they will reimburse those users who have performed transfers between November 3 and 6 and have had their money stolen.