Numerous cryptocurrency scams have emerged since the rising price of some currencies, notably Bitcoin and Ethereum, made them highly lucrative. 

These scams have become increasingly common over recent months, but the methods behind them are not new. Some scammers pretend to be holding large sums of money that they will ‘giveaway’ once the victim has sent them a smaller amount of currency. Others offer large amounts of a new cryptocurrency in exchange for a small amount of an established one. 

Scams involving Initial Coin Offerings (ICOs), through which the public are invited to invest in a new currency, are particularly popular amongst criminal groups. In 2018, the US Securities and Exchange Commission (SEC) filed at least 12 separate cases against organisations that had set up allegedly fraudulent ICOs, with tens of millions in purported profits. This week, the BBC reported that Twitter accounts belonging to high-profile brands had been hijacked by fraudsters and used to promote fake giveaways of cryptocurrency.
 

Third-party JavaScript abused to steal money from Cryptocurrency exchange users

Researchers at cyber security company ESET discovered that a website analytics platform was compromised in early November. Attackers were able to modify a JavaScript plugin used by websites to track visitor statistics.  

Although this allowed a malicious script to be injected into all websites that use the plugin, the attackers only targeted a specific cryptocurrency exchange. The plugin was modified to include a component that checked for an identifier specific to the exchange's withdrawal page. If that identifier was detected, a second script replaced the victim's intended destination Bitcoin address with one controlled by the attackers.

While the total losses from this attack are unknown, the incident highlights the risks of using third-party scripts on pages where financial data is entered, transactions are made, or other sensitive data is processed. Malicious injection of JavaScript via third-party code has also been used to harvest payment card data from online checkout pages through a technique widely referred to as "Magecart".

With the approach of Christmas, cyber criminals are likely to capitalise on increased levels of expenditure and financial transfers made online. This technique will almost certainly remain a viable way of doing so. The NCSC has previously published guidance for website owners and third-party developers in relation to attacks using JavaScript modification.