Bitcoin Theft Traced Back to Malicious App

This week, Mac users from around the world discovered their Bitcoin wallets felt a little lighter than usual, as a new variant of the OSX/CoinThief.A trojan made its rounds via CNET and its file-hosting subsidiary Download.com.

The app, disguised as a supposedly innocuous Bitcoin and Litecoin price ticker, first went live on CNET in early December and, according to the stats available from the site, has been downloaded approximately 60 times so far.

The trojan works by secretly installing extensions on Safari, Chrome, and Firefox, as well as running an invisible program in the background of OS X. It then lies in wait for users to log in to the Bitcoin wallet or trading service of their choice, and records credentials as they pass through the system.

After the user of the infected machine has logged out of their account, the hackers strike, logging in and lifting as many coins as they can hold on their way out the back door.

AV specialists close to the issue have also suggested that while Bitcoin is the primary target of the malware, it could also be used to steal credentials to users' email or Facebook accounts if they aren't careful.

“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system.”

Since news surfaced about the issue, CNET has removed the program from its available download list and informed anyone who pulled it down onto their computers that there has been a security alert and that they should run their antivirus scans as soon as they receive the message.

SecureMac recently reported on a Reddit user who lost about 20 Bitcoins to the scheme, which at the current exchange rate totals close to $10,000.