The Green Sheet Online Edition
March 24, 2014 • Issue 14:03:02
Mt. Gox, Pony and other bitcoin troubles
The rollercoaster ride continues for virtual currencies like bitcoin. Mt. Gox, the Japan-based bitcoin exchange operator and one of the first such providers of the controversial cryptocurrency, abruptly closed its doors on Feb. 24, 2014, and filed for bankruptcy a few days later. Meanwhile, security firm Trustwave disclosed a new fraud scheme called Pony that targets the digital wallets of virtual currency users.
In early February, Mt. Gox stopped its users from withdrawing funds from the exchange as a precautionary measure in light of cyber attacks on its network. But three weeks later, with Mt. Gox still struggling to resolve its issues, the exchange took a more drastic step and stopped all activity on its network. "In light of recent news reports and the potential repercussions on Mt. Gox's operations and the market, a decision was taken to close all transactions for the time being in order to protect the site and our users," the exchange said.
Following that, media reports surfaced indicating Mt. Gox is insolvent and unable to fulfill its role as an exchange. Thus, bitcoin users who traded bitcoin on the site may be unable to recover their investments if they held bitcoin balances on the exchange. Since the bitcoin economy is largely unregulated, bitcoin users have no financial protections if their bitcoin holdings are stolen or should disappear if an exchange goes dark and is unable to pay its obligations.
On Feb. 28, 2014, the hammer finally fell on Mt. Gox as it filed for bankruptcy protection. At a news conference held at the Justice Ministry in Tokyo, Mt. Gox Chief Executive Officer Mark Karpeles stated that the exchange had lost almost 750,000 of its users' bitcoins and around 100,000 additional bitcoins of its own. The total value of the stolen bitcoins is worth approximately $473 million on the open market.
Trustwave initially discovered the Pony fraud scheme in December 2013, in which user credentials were stolen from a variety of stored online accounts, including approximately 2 million websites, social networks and email programs. It is called the Pony botnet because the scheme involved a collection of malware infected computers (a botnet) that take instructions from the hacker's command-and-control server. Botnets are used to perform distributed denial of service attacks, for instance, which inundate websites with web traffic that effectively shuts them down.
More recently, Trustwave uncovered another Pony botnet. This scheme was more sophisticated than the first in that the malware had been upgraded to search infected computers for virtual wallets that stored cryptocurrencies on individuals' computers. Over 700,000 credentials were stolen between September 2013 and mid-January 2014 using this new scheme.
The attack seemed to target users in Europe, specifically Germany. But Ziv Mador, Security Research Director at Trustwave, said the researchers do not know where the scheme originated. Mador noted that the new Pony malware infected over 100,000 end user computers and scanned the operating systems to find virtual wallets. A tiny percentage of those computers contained digital wallets, simply because only a relatively few individuals today are involved in buying and selling cryptocurrencies.
Nonetheless, as of Feb. 24, the new Pony variant had netted the fraudsters about $220,000 worth of virtual currency from 85 wallets. The haul included 355 bitcoin and 280 litecoin, trading at about $600 and $14, respectively.
The key to protection
In Look What I Found: Pony is After Your Coins!, a Feb. 24 blog post written by members of Trustwave's SpiderLabs ethical hacking and research unit, said fraudsters are beginning to focus on virtual wallets because of their inherent vulnerabilities. Namely:
- Users are anonymous.
- Wallets are the property of whoever knows the private encryption key.
- Most users do not enable password protection.
Trustwave said that, since virtual currency transactions are conducted anonymously, they are irreversible. Because buyers and sellers of virtual currencies are anonymous, if bitcoin owners recognize bitcoins are being illicitly transferred out of their wallets to other wallets, there is no way to determine who owns those wallets. And since the bitcoin marketplace is unregulated, there is no authority to contact to reverse transactions or freeze accounts.
Also, hackers that obtain the private keys to mobile wallets become as much the owners of those wallets as their legitimate users, once again because all cryptocurrency users are anonymous. "Even if the person who created the wallet finds the person who took it, there is no way to really prove which one of them is the true owner," the researchers said.
And by not enabling passwords to safeguard the private keys of wallets, users are easy targets for hackers. Mador explained that a virtual wallet is enabled with two keys: one public, one private. The public key is shared between the local application and an exchange, for example, in order to conduct transactions over a network. But Mador said the private key stored on a user's computer should never be visible to anyone but the user.
"Basically the public key is the identity of the wallet, and what allows someone to generate transactions using that wallet," Mador said. "If I get someone's wallet but I don't have the private key, I cannot do anything. I need a private key in order to identify myself as the owner of the wallet. And then I can generate transactions."
Therefore, by encrypting private keys via passwords, the contents of those wallets are safe, Mador said. "Even if the criminals would be able to get to their machines, they will not be able to generate fraudulent transactions with those wallets."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.