One of the most hotly debated topics on the Internet today is the use of Bitcoins, sometimes referred to as BTC. Not a single day goes by without an article that discusses an aspect of Bitcoin usage. Should it be recognized and used like any other currency? Should one invest in such an unstable, unregulated and unpredictable currency? How do you protect yourself from Bitcoin-stealing malware?

Targeting an Online Currency

The IBM Trusteer security team recently analyzed a malware variant designed specifically to target Bitcoin information, mining and trading sites and other virtual currency platforms. This Citadel variant captures screenshots of victims’ browsers when they browse the following websites (partial list):

  • Informative site about Bitcoin for Russian speakers
  • Bitcoin mining site
  • Bitcoin’s main website
  • Bitcoin mining site
  • Bitcoin trading site
  • Payment platform called Payoneer
  • Virtual currency called Perfect Money (PM)
  • Virtual currency called QIWI
  • WebMoney (WM), a virtual currency
  • Yandex Money, a virtual currency

While Bitcoin wallet thieves and Bitcoin-mining malware have been around for quite some time now, it seems that cyber criminals are stepping up their game following Bitcoin’s impressive increase in value. In addition to this new Citadel variant, the IBM Trusteer security team has observed an increase in the number of forum posts from members looking for help targeting Bitcoin-related sites, while some cyber criminals are also asking for Bitcoin users’ email databases.

Virtual currencies are the bread and butter of cyber crime. Criminals use this form of payment to remain anonymous and protect their identities, both real and virtual. One such currency adopted by cyber criminals not long ago was Liberty Reserve, referred to as LR in underground forums. LR offered users a platform for transferring funds to other users with their email, name and date of birth as the means of identity. No effort was made to validate identities, no limits were set on transactions and most forms of deposit were honored — a true money-laundering paradise.

In May 2013, the U.S. Department of Justice charged LR with laundering $6 billion, and its founder was arrested along with six others. According to the New York Southern District Court attorney, “Liberty Reserve was intentionally created and structured to facilitate criminal activity; it was essentially a black market bank.” Cyber criminals were then forced to turn to other means for their transactions.

Bitcoin for Cyber Criminals

Our security team recently came across a discussion in a closed Russian cyber crime forum in which forum members debated the use of different virtual currencies, mules, secured transactions and, of course, Bitcoins. This fascinating thread included suggestions and tips as well as a discussion of Bitcoin’s volatility and the impact it could have on their business. The thread started off with a question from one of the members:

“Hello all, do you use PerfectMoney or Bitcoin in your daily operations? And if yes, which? Or do you still use WebMoney after the Liberty Reserve shutdown?”

Bitcoin’s value had its fair share of ups and downs in 2013, with a price as low as $13 in January soaring to $1,200 at its highest point in late November, surpassing the price of gold. The price has been known to fluctuate following major related events, such as the shutdown of the Tor-based drug marketplace Silk Road or attacks and hacks on major Bitcoin exchanges.

What do cyber criminals think about the currently available options when it comes to virtual currencies? The forum members can be roughly divided into three groups: the super secure, the supporters of classic virtual currencies (those who use PerfectMoney, WebMoney, Yandex and other virtual currencies) and the Bitcoin enthusiasts.

The Super Secure

While all forum members were concerned with security, this group takes it a step further. In this thread, there are several examples of how important a secure cash-out is for them. One member wrote of his preferred transacting procedure:

“WebMoney Mobile with a prepaid SIM and a fresh phone. When I need a transaction, I turn the phone on, then off.”

Another member pointed out the importance of anonymity in the cash-out process:

“I use WebMoney registered to my drops. I don’t even access the WebMoney Keeper from my own IP. PerfectMoney is still a mystery to me. Used it once. Looks like Liberty. I use Yandex Money, with a Yandex card, also under the drop’s name when it comes to cashing out stuff to be safe. Anonymous cash-out of the earned money is the most important thing! Use drops!”

The use of the cyber criminal’s IP and personal data was raised again by another member:

“WebMoney is crap, and their Keeper, in particular. It collects all the available info of your PC and sends it to WebMoney’s servers (essentially a Trojan which you willingly installed).”

Classic Virtual Currencies Supporters

Members of this group are avid supporters of current virtual currencies. They prefer current solutions because they fit their needs and are not as volatile as Bitcoin. One member explained it this way:

“Bitcoin can’t serve as a method of accumulating money since this is just a toy at the hand of speculators. It’s much easier to register/buy a disposable/verified account rather than try cashing out BTC. So that’s PM+, BTC-.”

Another member responded:

“Totally agree. I don’t see any purpose in depositing money there and [keeping] major amounts there, because who knows who really is in control of the exchange rate?”

Other members just do not see a reason to change a system that already works:

“WM and PM are regular anonymous payment systems (WM is more formal, PM is straight-on fake info); knock on wood, everything is good. I use them daily, cashing out a minimum of $1K per week.”

One group member bluntly put it:

“Society is not ready for cryptocurrency.”

The Bitcoin Enthusiasts

Bitcoin supporters form the large majority. These members highlight the ease of use, safety and growing adoption rate of Bitcoins:

“I use Bitcoin mainly; it’s great for me. And more and more services migrate to Bitcoin.”

Others indicate that they have made the move from classic virtual currencies to Bitcoin and they never looked back:

“Bitcoin. I hope to stop using WebMoney completely soon.”

Other Bitcoin supporters don’t mind looking into other virtual currencies; however, they do indicate their satisfaction with Bitcoin:

“I use Bitcoin dollars daily. But I haven’t tried PerfectMoney yet. Maybe soon. I like BTC.”

And another member posted:

“Bitcoins and sometimes WM. I got blocked after a couple of days in PM after registering. Didn’t use it since.”

These members also dismiss claims regarding Bitcoin’s volatility. Several members noted that while Bitcoins may go down in value (as highlighted by supporters of classic virtual currencies), they usually regain their value and even go up.

With the ever-increasing interest in Bitcoins from entrepreneurs, businesses, private users and cyber criminals, we can only expect more malware designed to target this platform. Cyber criminals are enjoying the best of both worlds: On the one hand, they have adopted Bitcoins to carry out (relatively) secure and anonymous transactions, while on the other, they are targeting and stealing from unsuspecting victims. No real dilemma here.
