One of the most hotly debated topics on the Internet today is the use of Bitcoins, sometimes referred to as BTC. Not a single day goes by without an article that discusses an aspect of Bitcoin usage. Should it be recognized and used like any other currency? Should one invest in such an unstable, unregulated and unpredictable currency? How do you protect yourself from Bitcoin-stealing malware?

Targeting an Online Currency

The IBM Trusteer security team recently analyzed a malware variant designed specifically to target this kind of information, mining and trading sites and other virtual currency platforms. This Citadel variant captures screenshots of victims’ browsers when they browse the following websites (partial list):

  • Informative site about Bitcoin for Russian speakers
  • Bitcoin mining site
  • Bitcoin’s main website
  • Bitcoin mining site
  • Bitcoin trading site
  • Payment platform called Payoneer
  • Virtual currency called Perfect Money (PM)
  • Virtual currency called QIWI
  • WebMoney (WM), a virtual currency
  • Yandex Money, a virtual currency

While Bitcoin wallet thieves and Bitcoin-mining malware have been around for quite some time now, it seems that cyber criminals are stepping up their game following Bitcoin’s impressive increase in value. In addition to this new Citadel variant, the IBM Trusteer security team has observed an increase in the number of forum posts from members looking for help targeting Bitcoin-related sites, while some cyber criminals are also asking for Bitcoin users’ email databases.

Virtual currencies are the bread and butter of cyber crime. Criminals use this form of payment to remain anonymous and protect their identities, both real and virtual. One such currency adopted by cyber criminals not long ago was Liberty Reserve, referred to as LR in underground forums. LR offered users a platform for transferring funds to other users with their email, name and date of birth as the means of identity. No effort was made to validate identities, no limits were set on transactions and most forms of deposit were honored — a true money-laundering paradise.

In May 2013, the U.S. Department of Justice charged LR with laundering $6 billion, and its founder was arrested along with six others. According to the New York Southern District Court attorney, “Liberty Reserve was intentionally created and structured to facilitate criminal activity; it was essentially a black market bank.” Cyber criminals were then forced to turn to other means for their transactions.

Bitcoin for Cyber Criminals

Our security team recently came across a discussion in a closed Russian cyber crime forum in which forum members debated the use of different virtual currencies, mules, secured transactions and, of course, Bitcoins. This fascinating thread included suggestions and tips as well as a discussion on the volatility of Bitcoins and the impact this could have on business. The thread, which included a discussion on the volatility of Bitcoins and what impact this could have on their business, started off with a question from one of the members:

“Hello all, do you use PerfectMoney or Bitcoin in your daily operations? And if yes, which? Or do you still use WebMoney after the Liberty Reserve shutdown?”

Bitcoin’s value had its fair share of ups and downs in 2013, with a price as low as $13 in January soaring to $1,200 at its highest point in late November, surpassing the price of gold. The price has been known to fluctuate following major related events, such as the shutdown of Tor-based drugstore Silk Road or following attacks and hacks of major Bitcoin exchanges.

What do cyber criminals think about the current available options when it comes to virtual currencies? The forum members can be roughly divided into three groups: the super secure, the classic virtual currencies supporters (those who use PerfectMoney, WebMoney, Yandex and other virtual currencies) and the Bitcoin enthusiasts.

The Super Secure

While all forum members were concerned with security, this group takes it a step further. In this thread, there are several examples of how important a secure cash-out is for them. One member wrote of his preferred transacting procedure:

“WebMoney Mobile with a prepaid SIM and a fresh phone. When I need a transaction, I turn the phone on, then off.”

Another member pointed out the importance of anonymity in the cash-out process:

“I use WebMoney registered to my drops. I don’t even access the WebMoney Keeper from my own IP. PerfectMoney is still a mystery to me. Used it once. Looks like Liberty. I use Yandex Money, with a Yandex card, also under the drop’s name when it comes to cashing out stuff to be safe. Anonymous cash-out of the earned money is the most important thing! Use drops!”

The use of the cyber criminal’s IP and personal data was raised again by another member:

“WebMoney is crap, and their Keeper, in particular. It collects all the available info of your PC and sends it to WebMoney’s servers (essentially a Trojan which you willingly installed).”

Classic Virtual Currencies Supporters

Members of this group are avid supporters of current virtual currencies. They prefer current solutions because they fit their needs and are not as volatile as Bitcoin. One member explained it this way:

“Bitcoin can’t serve as a method of accumulating money since this is just a toy at the hand of speculators. It’s much easier to register/buy a disposable/verified account rather than try cashing out BTC. So that’s PM+, BTC-.”

Another member responded:

“Totally agree. I don’t see any purpose in depositing money there and [keeping] major amounts there, because who knows who really is in control of the exchange rate?”

Other members just do not see a reason to change a system that already works:

“WM and PM are regular anonymous payment systems (WM is more formal, PM is straight-on fake info); knock on wood, everything is good. I use them daily, cashing out a minimum of $1K per week.”

One group member bluntly put it:

“Society is not ready for cryptocurrency.”

The Bitcoin Enthusiasts

Bitcoin supporters form the large majority. These members highlight the ease of use, safety and growing adoption rate of Bitcoins:

“I use Bitcoin mainly; it’s great for me. And more and more services migrate to Bitcoin.”

Others indicate that they have made the move from classic virtual currencies to Bitcoin and they never looked back:

“Bitcoin. I hope to stop using WebMoney completely soon.”

Other Bitcoin supporters don’t mind looking into other virtual currencies; however, they do indicate their satisfaction with Bitcoin:

“I use Bitcoin dollars daily. But I haven’t tried PerfectMoney yet. Maybe soon. I like BTC.”

And another member posted:

“Bitcoins and sometimes WM. I got blocked after a couple of days in PM after registering. Didn’t use it since.”

These members also dismiss claims regarding Bitcoin’s volatility. Several members noted that while Bitcoins may go down in value (as highlighted by supporters of classic virtual currencies), they usually regain their value and even go up.

With the ever-increasing interest in Bitcoins from entrepreneurs, businesses, private users and cyber criminals, we can only expect more malware designed to target this platform. Cyber criminals are enjoying the best of both worlds: On the one hand, they adopted Bitcoins to carry out (relatively) secure and anonymous transactions, while on the other, they are targeting and stealing from unsuspecting victims. No real dilemma here.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read

How Security Teams Combat Disinformation and Misinformation

4 min read - “A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

4 min read

A View Into Web(View) Attacks in Android

9 min read - James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

9 min read

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

4 min read - While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

4 min read