StatCounter script stole gate.io withdrawals
Attackers injected JavaScript into StatCounter's hosted analytics script. The code waited for gate.io Bitcoin withdrawal pages and swapped destination wallets.
Story
StatCounter was a third-party analytics dependency embedded by more than two million member sites. On 2018-11-03, attackers changed www.statcounter.com/counter/counter.js, turning a common tracking tag into a delivery point.
The injected code was placed in the middle of the legitimate script and packed with the Dean Edwards packer. It did not attack every page. It checked the current URL for myaccount/withdraw/BTC, a path ESET matched to gate.io.
When a victim reached the gate.io Bitcoin withdrawal form, a second-stage script served from statconuter.com (a misspelling of statcounter.com) rewrote the withdrawal submission. It replaced the destination address with an attacker wallet and could use the account's available balance or daily limit.
Gate.io stopped using StatCounter before ESET published, and StatCounter removed the malicious script on 2018-11-06. The attack mattered because one compromised analytics script reached many sites while targeting one exchange with precision.
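A defender's check for the two traits described above, a Dean Edwards packer wrapper inside a vendor script and a name one edit away from the vendor's own (statconuter vs. statcounter), as an added example that is not part of the original record. The sample script strings and the /t.php path are constructed, and the token-length and distance thresholds are assumptions.

```javascript
// Added example (not from the incident record). Sample strings are constructed.

// Optimal string alignment distance: Levenshtein plus adjacent transposition.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Wrapper emitted by the Dean Edwards packer.
const PACKER_RE = /eval\(function\(p,a,c,k,e,[dr]\)/;

// vendorLabel: the vendor's registrable name without TLD (assumed input).
function auditScript(source, vendorLabel) {
  const label = vendorLabel.toLowerCase();
  // Split on non-word characters so a name is found in a plain URL and in
  // a packer's '|'-separated word dictionary alike.
  const tokens = new Set(source.toLowerCase().split(/\W+/).filter((t) => t.length >= 4));
  const lookalikes = [...tokens].filter((t) => {
    if (t === label || Math.abs(t.length - label.length) > 2) return false;
    return osaDistance(t, label) <= 2; // assumed threshold; tune per vendor
  });
  return { packed: PACKER_RE.test(source), lookalikes: lookalikes.sort() };
}

// Constructed inputs: a clean tag, and the same tag with a packed blob appended.
const cleanSample =
  "var sc_host='www.statcounter.com';function sc_track(){return sc_host+'/t.php';}";
const tamperedSample = cleanSample +
  "eval(function(p,a,c,k,e,r){return p}('0.1.2',3,3,'www|statconuter|com'.split('|'),0,{}));";

console.log(auditScript(cleanSample, "statcounter"));
console.log(auditScript(tamperedSample, "statcounter"));
```

Run against each fetched copy of a third-party script, this flags a change for review; it is a heuristic and does not replace pinning the script with an integrity hash or self-hosting it.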
Affected Artifacts
- Observed: 2018-11-03 to 2018-11-06
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: distribution: statcounter.com/counter/counter.js; url: https://www.statcounter.com/counter/counter.js; domain: statconuter.com; url: https://www.statconuter.com/c.php; +3 more
Incident Context
- Motive: Cryptocurrency Theft
- Cause: Website Compromise
- Transitive: Yes
- User Impact: 2000000
External References
- Supply-chain attack on cryptocurrency exchange gate.io (welivesecurity.com)
- StatCounter analytics platform hacked to steal Bitcoin from gate.io users (bleepingcomputer.com)
- StatCounter hacked to steal cryptocurrency from gate.io users (thehackernews.com)
Source record: proprietary/statcounter/meta.yaml