InsightaaS: UBM’s Dark Reading is one of the web’s best security information resources, connecting security professionals and information via ten communities that “drill deeper into the enterprise security challenge.” In this post, executive editor Kelly Jackson Higgins reports on a crypto-currency theft in which a hacker collected $83,000 by redirecting crypto currency miners to his site.
The article traces the path that Joe Stewart of Dell SecureWorks took to find the hijack, and the method used by the attacker to commandeer IP addresses and redirect crypto-mining profits in increments small enough (and brief enough) to allow the scam to continue for multiple days. Through Jackson’s post, we see some of the issues – a lack of security and standardization, the difficult-to-detect nature of patient, man-in-the-middle attacks, and the increasing value of intercepting data traffic – that make IT security both so difficult and so important.
A crypto currency thief hijacked traffic that was meant for large hosting companies including Amazon, Digital Ocean, OVH, and others earlier this year in a heist that earned him some $83,000 in profits in more than four months, researchers revealed last week.
Researchers with Dell SecureWorks Counter Threat Unit published the new research on the attacks in conjunction with the Black Hat USA show in Las Vegas. Dell SecureWorks says some 51 networks were compromised from 19 Internet service providers as the thief redirected crypto currency miners to his own mining pool and stole their profits — to the tune of $9,000 per day. The crypto currency hijack also interrupted network traffic for other users in the netblocks he targeted, the researchers say, but the attacker was mainly interested in the miners.
“They were man-in-the-middle hijacking crypto currency. I found my [account] was hijacked, too,” says Joe Stewart, director of malware research for Dell SecureWorks. When Stewart first heard of the crypto currency theft, he figured the attacker had hijacked Border Gateway Protocol (BGP) routes and redirected the miners’ traffic to the rogue systems. BGP is the routing protocol through which the networks that make up the Internet tell each other which IP prefixes they can reach.
It turns out Stewart was correct: The attacker had blasted phony BGP broadcasts that redirected the victims’ crypto currency traffic to his server…
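The hijack described above works because BGP takes announcements largely on trust: a network can announce a prefix it does not own, or a more-specific slice of one, and traffic for it will follow. The following is an added example, not code from the Dark Reading article or from Dell SecureWorks, showing how a network operator or a mining pool can watch for that pattern on their own prefixes. It assumes a hypothetical route feed in a constructed `A|<prefix>|<AS path>` line format (not real MRT or BMP data) and an authorised-origin table built from the placeholder prefixes and private ASNs below; in practice that table would come from RPKI ROAs or IRR route objects for the netblocks you operate or depend on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Authorised origin table, constructed for this example. In practice it is built
# from RPKI ROAs or IRR route objects for the prefixes you run or depend on
# (a mining pool's address space, a hosting provider's netblocks).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},   # TEST-NET-3, placeholder for a pool's netblock
    "198.51.100.0/23": {64501},  # TEST-NET-2 plus neighbour, placeholder
}


@dataclass
class Announcement:
    prefix: str
    as_path: tuple  # left to right: nearest peer ... origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


@dataclass
class Alert:
    prefix: str
    covering: str
    origin_as: int
    reason: str


def parse_announcement(line: str) -> Optional[Announcement]:
    """Parse one 'A|<prefix>|<AS path>' record (constructed format, not MRT)."""
    parts = line.strip().split("|")
    if len(parts) != 3 or parts[0] != "A":
        return None
    prefix = parts[1]
    try:
        ipaddress.ip_network(prefix)  # rejects malformed prefixes
        path = tuple(int(asn) for asn in parts[2].split())
    except ValueError:
        return None
    if not path:
        return None
    return Announcement(prefix, path)


def covering_prefix(prefix: str):
    """Return the longest authorised prefix that covers `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p in EXPECTED_ORIGINS:
        cand = ipaddress.ip_network(p)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best


def check_announcement(a: Announcement) -> Optional[Alert]:
    """Flag announcements of watched space whose origin AS is not authorised."""
    covering = covering_prefix(a.prefix)
    if covering is None:
        return None  # not a prefix we watch
    if a.origin_as in EXPECTED_ORIGINS[str(covering)]:
        return None  # expected origin, nothing to do
    net = ipaddress.ip_network(a.prefix)
    if net.prefixlen > covering.prefixlen:
        # A more-specific wins longest-prefix match, so it steals traffic even
        # while the legitimate covering route is still present.
        reason = "more-specific route from unauthorised origin"
    else:
        reason = "unauthorised origin for watched prefix"
    return Alert(a.prefix, str(covering), a.origin_as, reason)


def scan_feed(lines):
    """Run every well-formed announcement through the check; return alerts."""
    alerts = []
    for line in lines:
        a = parse_announcement(line)
        if a is None:
            continue
        alert = check_announcement(a)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample feed: one legitimate route, two suspicious ones, one
# unrelated prefix, and a malformed line that must be ignored.
SAMPLE_FEED = [
    "A|203.0.113.0/24|64510 64500",        # legitimate: expected origin
    "A|203.0.113.0/25|64510 64520 64666",  # more-specific from unknown AS
    "A|198.51.100.0/23|64510 64666",       # exact watched prefix, wrong origin
    "A|192.0.2.0/24|64510 64530",          # not a watched prefix
    "garbage line",                        # malformed, ignored
]

if __name__ == "__main__":
    for alert in scan_feed(SAMPLE_FEED):
        print(f"{alert.prefix} (covered by {alert.covering}) "
              f"origin AS{alert.origin_as}: {alert.reason}")
```

The more-specific case is the one worth alarming on loudest: because routers prefer the longest matching prefix, a bogus /25 inside a legitimate /24 diverts traffic without the real route ever disappearing, which is why such hijacks can be brief, repeated and easy to miss from the victim's own vantage point. Feeding this check from a route collector outside your own network (rather than from your own routers, which may never see the hijacked path) is what makes it useful.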