Reports by a cyber security firm claim to have identified a piece of malware designed to beat the two-factor authentication commonly used to help protect various online accounts. The software steals credentials, including browser cookies, to allow access to cryptocurrency exchange accounts. CookieMiner, as the malware is known, targets exclusively Mac users owing to the cross-device functionality of Apple’s products.
In addition to stealing login details and creatively subverting security precautions, the CookieMiner malware also uses the victim’s machine to covertly mine an obscure digital asset called Koto.
Mac Users Beware: CookieMiner Malware Puts Cryptocurrency Traders at Risk
According to research conducted by Palo Alto Networks, a new piece of malware is targeting Mac users. The cyber security firm have nicknamed the attack “CookieMiner”. This is because the software steals cookies from a victim’s infected machine, along with covertly mining cryptocurrency to enrich those behind the scam – known as cryptojacking.
Since cryptocurrency exchanges use multiple layers of security precautions, a series of different steps are taken to gain access to accounts:
- Google Chrome and Apple Safari cookies are stolen.
- Saved usernames and credit card information from Chrome are stolen.
- Text messages backed up to Mac are stolen from victims’ iPhone.
- Browser cookies are stolen to defeat login anomaly detection.
CookieMiner’s primary purpose is to gain access to Mac users’ accounts at popular digital currency exchanges. However, since exchanges make use of heightened security procedures when users login, their credentials alone are not usually enough to compromise an account. That is why CookieMiner also attempts to trick the exchanges’ automated account protection procedures by also stealing browser cookies. These are used to ensure that the device used to sign in is not flagged as suspicious, even though the account’s owner will never have used that device before.
With this combination of login credentials and cookies, attackers can often bypass the two-factor authentication process protecting accounts. This gives them full access to any cryptocurrency the victim has stored at the compromised exchange account.
CookieMiner Also Mines Cryptocurrency on Behalf of its Victims
Since the malware provides no guarantees of revenue for those behind it, CookieMiner also installs mining software on the infected machine. Palo Alto Networks claim that the program is made to look like a piece of Monero-mining software. However, instead of mining the most frequently cryptojacked asset, it sets Mac users’ machine mining Koto, another privacy-focused cryptocurrency associated with Japan that can be mined using just a CPU.
Of course, this is hardly the first example of cryptojacking SunshineCrypto has reported on. Previous example have included efforts by North Korean hackers to earn revenue outside of typical international trade, which the rogue nation is largely excluded from. There is, however, no evidence as of yet to suggest that the CookieMiner attack is related to these past examples.
Featured Images from Shutterstock.