Researchers at SecureMac have warned that they have discovered Bitcoin-stealing malware that is being distributed via CNet’s popular Download.com website and MacUpdate (a rival to the official Mac App Store).
The malware, named OSX/CoinThief, steals information related to users’ Bitcoin wallets and keys, and is said to have been found in trojanised versions of Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit, and Litecoin Ticker. (Litecoin is an alternative digital currency.)
CoinThief installs an extension into its victims’ Firefox, Chrome or Safari browsers, monitoring web traffic and attempting to intercept login credentials sent to many of the online Bitcoin exchanges and wallet sites. The information is then sent back to the malware authors via a remote server.
In an attempt to cover up the malware’s activity, the browser extensions disguise their true intentions by adopting innocuous names like “Pop-up blocker”, and use generic descriptions such as “Blocks pop-up windows and other annoyances.”
Because of this, even if you didn’t remember installing the extension, chances are that it wouldn’t raise your suspicions.
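One way to check a Chrome profile for an extension using this disguise, as an added example that is not from SecureMac or the original article: it reads each `manifest.json`, resolves localized `__MSG_…__` names, and compares against the two strings quoted above. It assumes the usual macOS location `~/Library/Application Support/Google/Chrome/Default/Extensions` as the scan root; the function names and the sample folders are constructed for illustration.

```python
import json
from pathlib import Path

# Name and description quoted in the article, lower-cased for comparison.
DISGUISE = ("pop-up blocker", "blocks pop-up windows and other annoyances.")


def resolve(value, ext_dir, locale):
    """Expand a Chrome "__MSG_key__" placeholder via _locales/<locale>/messages.json."""
    text = value if isinstance(value, str) else ""
    if not (text.startswith("__MSG_") and text.endswith("__")):
        return text
    try:
        path = ext_dir / "_locales" / str(locale or "en") / "messages.json"
        for key, entry in json.loads(path.read_text("utf-8-sig")).items():
            if key.lower() == text[6:-2].lower():  # message keys are case-insensitive
                return str(entry["message"])
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        pass
    return text  # unresolved placeholder stays visible to the analyst


def find_suspect_extensions(root):
    """Return (folder, name, description) for each manifest using the disguise."""
    hits = []
    for manifest in sorted(Path(root).rglob("manifest.json")):
        try:
            data = json.loads(manifest.read_text("utf-8-sig"))
            locale = data.get("default_locale")
            name = resolve(data.get("name"), manifest.parent, locale).strip()
            desc = resolve(data.get("description"), manifest.parent, locale).strip()
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
        if name.lower() == DISGUISE[0] or desc.lower() == DISGUISE[1]:
            hits.append((str(manifest.parent), name, desc))
    return hits


def build_constructed_sample(root):
    """Write two constructed extension folders (not real samples) under root."""
    files = {
        "aaaa/1.0/manifest.json": {"name": "__MSG_extName__", "default_locale": "en"},
        "aaaa/1.0/_locales/en/messages.json": {"extName": {"message": "Pop-up Blocker"}},
        "bbbb/2.3/manifest.json": {"name": "Notes", "description": "Takes notes."},
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(body), encoding="utf-8")
```

A match is only a lead for manual review, since legitimate extensions use similar names. Firefox and Safari store their extensions differently and are not covered here.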
Clearly someone was able to dupe MacUpdate and CNet’s Download.com into accepting the bogus versions of the software, helping the online criminals to spread the malware to a wider audience.
Hopefully they will be more careful about vetting submissions in future, and will make efforts to confirm that developers and companies submitting software to their libraries are really who they say they are.
Mac users, of course, are something of a soft target as many of them still do not run any form of anti-virus software.
And without decent anti-virus software, what chance would the typical Mac user have against this Bitcoin-stealing malware?
Hang on to your hats everyone. Criminals love to go where the money is. And as more and more people experiment online with Bitcoin purchases, you can be sure that some hackers will be looking long and hard at how they might steal the digital currency away from them.
Whoops. I've uninstalled this just now. What other actions are required to be safe?