One of the most hotly debated topics on the Internet today is the use of Bitcoins, sometimes referred to as BTC. Not a single day goes by without an article that discusses an aspect of Bitcoin usage. Should it be recognized and used like any other currency? Should one invest in such an unstable, unregulated and unpredictable currency? How do you protect yourself from Bitcoin-stealing malware?

Targeting an Online Currency

The IBM Trusteer security team recently analyzed a malware variant designed specifically to target Bitcoin information, mining and trading sites, along with other virtual currency platforms. This Citadel variant captures screenshots of victims’ browsers when they browse the following websites (partial list):

  • BTCsec.com: Informative site about Bitcoin for Russian speakers
  • Bit-miner.com: Bitcoin mining site
  • Bitcoin.org: Bitcoin’s main website
  • Mining.bitcoin.cz: Bitcoin mining site
  • Bitcoin-trade.biz: Bitcoin trading site
  • Payoneer.com: Payment platform called Payoneer
  • Perfectmoney.com: Virtual currency called Perfect Money (PM)
  • Qiwi.ru: Virtual currency called QIWI
  • Webmoney.ru: WebMoney (WM), a virtual currency
  • Money.yandex.ru: Yandex Money, a virtual currency

While Bitcoin wallet thieves and Bitcoin-mining malware have been around for quite some time now, it seems that cyber criminals are stepping up their game following Bitcoin’s impressive increase in value. In addition to this new Citadel variant, the IBM Trusteer security team has observed an increase in the number of forum posts from members looking for help targeting Bitcoin-related sites, while some cyber criminals are also asking for Bitcoin users’ email databases.

Virtual currencies are the bread and butter of cyber crime. Criminals use this form of payment to remain anonymous and protect their identities, both real and virtual. One such currency adopted by cyber criminals not long ago was Liberty Reserve, referred to as LR in underground forums. LR offered users a platform for transferring funds to other users with their email, name and date of birth as the means of identity. No effort was made to validate identities, no limits were set on transactions and most forms of deposit were honored — a true money-laundering paradise.

In May 2013, the U.S. Department of Justice charged LR with laundering $6 billion, and its founder was arrested along with six others. According to the New York Southern District Court attorney, “Liberty Reserve was intentionally created and structured to facilitate criminal activity; it was essentially a black market bank.” Cyber criminals were then forced to turn to other means for their transactions.

Bitcoin for Cyber Criminals

Our security team recently came across a discussion in a closed Russian cyber crime forum in which forum members debated the use of different virtual currencies, mules, secured transactions and, of course, Bitcoins. This fascinating thread included suggestions and tips as well as a discussion on the volatility of Bitcoins and the impact this could have on their business. It started off with a question from one of the members:

“Hello all, do you use PerfectMoney or Bitcoin in your daily operations? And if yes, which? Or do you still use WebMoney after the Liberty Reserve shutdown?”

Bitcoin’s value had its fair share of ups and downs in 2013, with a price as low as $13 in January soaring to $1,200 at its highest point in late November, surpassing the price of gold. The price has been known to fluctuate following major related events, such as the shutdown of Tor-based drugstore Silk Road or following attacks and hacks of major Bitcoin exchanges.

What do cyber criminals think about the current available options when it comes to virtual currencies? The forum members can be roughly divided into three groups: the super secure, the classic virtual currencies supporters (those who use PerfectMoney, WebMoney, Yandex and other virtual currencies) and the Bitcoin enthusiasts.

The Super Secure

While all forum members were concerned with security, this group takes it a step further. In this thread, there are several examples of how important a secure cash-out is for them. One member wrote of his preferred transacting procedure:

“WebMoney Mobile with a prepaid SIM and a fresh phone. When I need a transaction, I turn the phone on, then off.”

Another member pointed out the importance of anonymity in the cash-out process:

“I use WebMoney registered to my drops. I don’t even access the WebMoney Keeper from my own IP. PerfectMoney is still a mystery to me. Used it once. Looks like Liberty. I use Yandex Money, with a Yandex card, also under the drop’s name when it comes to cashing out stuff to be safe. Anonymous cash-out of the earned money is the most important thing! Use drops!”

The risk of exposing the cyber criminal’s own IP address and personal data was raised again by another member:

“WebMoney is crap, and their Keeper, in particular. It collects all the available info of your PC and sends it to WebMoney’s servers (essentially a Trojan which you willingly installed).”

Classic Virtual Currencies Supporters

Members of this group are avid supporters of current virtual currencies. They prefer current solutions because they fit their needs and are not as volatile as Bitcoin. One member explained it this way:

“Bitcoin can’t serve as a method of accumulating money since this is just a toy at the hand of speculators. It’s much easier to register/buy a disposable/verified account rather than try cashing out BTC. So that’s PM+, BTC-.”

Another member responded:

“Totally agree. I don’t see any purpose in depositing money there and [keeping] major amounts there, because who knows who really is in control of the exchange rate?”

Other members just do not see a reason to change a system that already works:

“WM and PM are regular anonymous payment systems (WM is more formal, PM is straight-on fake info); knock on wood, everything is good. I use them daily, cashing out a minimum of $1K per week.”

One group member bluntly put it:

“Society is not ready for cryptocurrency.”

The Bitcoin Enthusiasts

Bitcoin supporters form the large majority. These members highlight the ease of use, safety and growing adoption rate of Bitcoins:

“I use Bitcoin mainly; it’s great for me. And more and more services migrate to Bitcoin.”

Others indicate that they have made the move from classic virtual currencies to Bitcoin and they never looked back:

“Bitcoin. I hope to stop using WebMoney completely soon.”

Other Bitcoin supporters don’t mind looking into other virtual currencies; however, they do indicate their satisfaction with Bitcoin:

“I use Bitcoin dollars daily. But I haven’t tried PerfectMoney yet. Maybe soon. I like BTC.”

And another member posted:

“Bitcoins and sometimes WM. I got blocked after a couple of days in PM after registering. Didn’t use it since.”

These members also dismiss claims regarding Bitcoin’s volatility. Several members noted that while Bitcoins may go down in value (as highlighted by supporters of classic virtual currencies), they usually regain their value and even go up.

With the ever-increasing interest in Bitcoins from entrepreneurs, businesses, private users and cyber criminals, we can only expect more malware designed to target this platform. Cyber criminals are enjoying the best of both worlds: On the one hand, they adopted Bitcoins to carry out (relatively) secure and anonymous transactions, while on the other, they are targeting and stealing from unsuspecting victims. No real dilemma here.
