Brazilian Cyber-Criminals Enter The Bitcoin Race With Malicious PAC Files And A Fake Mt. Gox

Kaspersky Lab security experts say that Brazilian cyber-criminals have entered the Bitcoin game with something very sinister in mind, and that it is time to start taking the security of your Bitcoins seriously. They are now using malicious PAC (Proxy Auto-Config) web attacks to route victims to a phishing domain that looks like the real Mt. Gox.

Brazilians And Bitcoin

PAC is used by sysadmins around the world and is accepted by all modern browsers. It defines how web browsers and other user agents automatically choose the appropriate proxy server (access method) for fetching a given URL. Normally it contains a JavaScript function “FindProxyForURL(url, host)”. This function returns a string with one or more access method specifications, such as “PROXY host:port” or “DIRECT”, separated by semicolons; the user agent tries them in order, so the string tells it to use a particular proxy server or to connect directly.
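As an added, runnable illustration (not from the Kaspersky report or the original article): a benign PAC file of the kind a sysadmin would publish, together with minimal re-implementations of the helper functions that browsers expose to PAC scripts, so the routing decisions can be exercised offline. All host names and proxy addresses are assumed.

```javascript
// Added example: a benign proxy auto-config (PAC) file plus the helper functions a
// browser makes available to it. Host names and proxy addresses are constructed.

// --- Minimal re-implementations of the helpers every PAC runtime provides ---
function isPlainHostName(host) {
  // True for single-label names such as "intranet" (no dots).
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // True when the host ends with the given domain suffix, e.g. ".corp.example".
  return host.endsWith(domain);
}
function shExpMatch(str, shexp) {
  // Shell-style glob (* and ?) converted into an anchored regular expression.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- The PAC file itself: the browser calls this once per URL it fetches ---
function FindProxyForURL(url, host) {
  // Intranet names, the corporate domain and the local machine never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example") || host === "127.0.0.1") {
    return "DIRECT";
  }
  // One partner domain must go through a dedicated gateway; fall back to DIRECT if it is down.
  if (shExpMatch(host, "*.partner.example")) {
    return "PROXY gw1.corp.example:3128; DIRECT";
  }
  // Everything else goes through the corporate web proxy pair, tried in order.
  return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
}

// Convenience wrapper: derive the host argument from the URL the way a browser would.
function resolveProxy(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Sample run over a few constructed URLs.
for (const u of ["http://intranet/", "https://wiki.corp.example/page",
                 "https://api.partner.example/v1", "https://www.example.org/"]) {
  console.log(u, "->", resolveProxy(u));
}
```

The point to notice is that the script is ordinary JavaScript that the browser evaluates for every request, which is exactly why an attacker who can replace it gets per-host control of where traffic goes.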

See HowTo Use Auto Config Proxy PAC File For Specific Domain

This feature has become a tool in the hands of cyber-criminals; in 2013 researchers began warning about the security risks of proxy auto-config. The threat involves using a PAC file to redirect the victim’s browser traffic through an attacker-controlled server instead of the legitimate route.

There has been an increase in the deployment of these malicious scripts, which direct webmail and online banking traffic through rogue proxy servers. These proxies allow attackers to steal usernames and passwords when forms are submitted, or to use victims’ cookies to hijack already-authenticated sessions. Earlier attacks using this technique targeted customers of Brazilian banks, but the fraudsters have since widened their scope and now also proxy traffic destined for webmail services such as Hotmail and Gmail, American banks, and one of the world’s most popular phishing targets, PayPal. The technique is expected to become more widespread worldwide in the next few years.

With this form of attack there is no indication in the browser that anything bad is happening, and all the major browsers, including Internet Explorer, Firefox and Chrome, are affected. For example, the proxy settings can be changed so that only requests intended for a single bank are routed to the attacker’s system, and those requests can also be modified in real time. Note that the PAC file only chooses the route: for a site served over HTTPS a rogue proxy cannot read or alter the traffic without breaking certificate validation, so the practical payoff is steering the victim to a look-alike page and harvesting credentials there, or intercepting sessions that still run over plain HTTP.

What the malicious script used for Bitcoin phishing does is redirect the victim’s connection to a phishing domain. That domain does not exist in Brazil, yet on infected machines it still resolved, because the browser hands every request for it to the rogue proxy and the proxy answers with a phishing page.

Once the redirection to the fake page has taken place, users who do not realise they are on a phishing site enter their credentials, and the theft of those credentials and of the Bitcoins behind them begins.

Kaspersky Lab gave an example of a domain the Brazilian criminals used to attack several websites, inserting a malicious iframe into the compromised pages:

Malicious iFrame

The iframe then loads a malicious Java applet that changes the proxy configuration of the web browser. The URL used in the attack points to a file called update.pac, which looks like this:

Malicious File Used In The Attack

The script uses multiple string concatenations to bypass signature-based detection; once the Lab deobfuscated it, it looked like this:

Malicious Script

Kaspersky Lab said that the malicious PAC is detected by its products, and strongly recommends that all Mt. Gox users enable two-factor authentication to protect their accounts. Two-factor authentication limits what a stolen password alone is worth, but it does not undo the proxy change itself, so an infected machine still needs its proxy settings cleaned.

Daniel Ingevaldson, chief technology officer for Easy Solutions, a fraud-prevention company that operates extensively in South America, points out that this is “essentially having end users interacting with a shadow Internet designed by the bad guys. The victims surf normally with the proxy completely undetectable to the end-user, except for when they hit a site that is specified by the attacker.”

Security experts say that preventing PAC files from compromising browsers is not a simple task, as client-side security software will likely find it difficult to tell whether a given PAC file is a legitimate change or a malicious one.

“The writers of Zeus and SpyEye are in the business of making money with the toolkits so they are constantly changing tactics,” says Anup Ghosh, co-founder and CEO of Invincea. “Detecting that a change in the proxy is malicious is really hard from an anti-malware perspective, so that is a tough one for anti-virus vendors to address.”

For system admins, mitigating such attacks means avoiding automatic proxy detection (WPAD) on untrusted networks, and ensuring that the browser’s automatic proxy configuration URL does not point at an unexpected address.

Another suggested measure is a layered security program that detects unusual behaviour when a customer logs into the system and when they carry out electronic transfers to third parties.
