From banks to Bitcoin: Trickbot shifts online hustle to cryptocurrencies

Trickbot, a well-known banking trojan, has new functionality that brings its attack on Bitcoin exchange accounts up to par with its well-honed browser attacks on online banking sessions. 

Trickbot’s move to Bitcoin was first noticed in mid-2017 when researchers at Forcepoint discovered a wave of bank-themed spam that downloaded a variant of Trickbot with a web-injection module for intercepting an online banking transaction from within the browser. 

But besides the usual list of banking targets, for the first time Trickbot had a web-inject for visitors to Coinbase, a popular exchange for buying and selling Bitcoin and other cryptocurrencies. 

IBM’s X-Force researchers have now revealed some of the inner workings of this online hustle aimed at users of an unnamed cryptocurrency exchange. The only clue IBM offers is that this exchange specifically supports purchasing Bitcoin and Bitcoin cash with a credit card, whereas some changes only provide coin to coin transactions. 

The web inject modules, known as man-in-the-browser attacks, seek to position the attacker between the browser and the cryptocurrency exchange by replacing elements of the legitimate website with the attacker’s files. Trickbot executes its attack on the exchange itself and when the user moves to a payment service provider’s domain. 

“In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider,” explain IBM’s X-Force researchers. 

“There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins. This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.”

So, the victim who types their Bitcoin wallet address and the coins they wish to purchase on the legitimate exchange is actually supplying those details to the attacker who can then decide whether the transaction is worth targeting for fraud. It also collects the victim’s data from the payment processor’s page.

The second part of the attack targets the address of the bitcoin wallet where the purchased Bitcoin is intended to be delivered. The victim thinks they’ve paid their counterpart in the trade, but the units goes to the attack’s wallet. After that the malware leads to the victim to supply a phone number, email address, a selfie with the credit card they want to use, and a photo of the victim’s national ID card.     

Prior to Trickbot's operators casting a net over cryptocurrencies, the group had over the past three years been building up tailored deceptions for different markets, starting with Australia, the US, and UK, and later expanding to other parts of Europe, including the Nordics.   


Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags malwareIBMtrojancyber securityBitcoincryptocurrencybanking malwareTrickbot

More about AustraliaForcepointIBMX-Force

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts

Market Place