Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: kenzawak on January 31, 2019, 09:57:16 PM



Title: A new malware designed to beat 2-fa authentication
Post by: kenzawak on January 31, 2019, 09:57:16 PM
https://www.newsbtc.com/2019/01/31/cryptocurrency-scam-mac/

"The software steals credentials, including browser cookies, to allow access to cryptocurrency exchange accounts. CookieMiner, as the malware is known, targets exclusively Mac users owing to the cross-device functionality of Apple’s products.
In addition to stealing login details and creatively subverting security precautions, the CookieMiner malware also uses the victim’s machine to covertly mine an obscure digital asset called Koto.
...
Google Chrome and Apple Safari cookies are stolen.
Saved usernames and credit card information from Chrome are stolen.
Text messages backed up to Mac are stolen from victims’ iPhone.
Browser cookies are stolen to defeat login anomaly detection.
...
With this combination of login credentials and cookies, attackers can often bypass the two-factor authentication process protecting accounts.
...
CookieMiner also installs mining software on the infected machine. Palo Alto Networks claim that the program is made to look like a piece of Monero-mining software. However, instead of mining the most frequently cryptojacked asset, it sets Mac users’ machine mining Koto, another privacy-focused cryptocurrency associated with Japan that can be mined using just a CPU."


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Malam90 on February 01, 2019, 02:55:43 AM
https://www.newsbtc.com/2019/01/31/cryptocurrency-scam-mac/

"The software steals credentials, including browser cookies, to allow access to cryptocurrency exchange accounts. CookieMiner, as the malware is known, targets exclusively Mac users owing to the cross-device functionality of Apple’s products.
In addition to stealing login details and creatively subverting security precautions, the CookieMiner malware also uses the victim’s machine to covertly mine an obscure digital asset called Koto.
...
Google Chrome and Apple Safari cookies are stolen.
Saved usernames and credit card information from Chrome are stolen.
Text messages backed up to Mac are stolen from victims’ iPhone.
Browser cookies are stolen to defeat login anomaly detection.
...
With this combination of login credentials and cookies, attackers can often bypass the two-factor authentication process protecting accounts.
...
CookieMiner also installs mining software on the infected machine. Palo Alto Networks claim that the program is made to look like a piece of Monero-mining software. However, instead of mining the most frequently cryptojacked asset, it sets Mac users’ machine mining Koto, another privacy-focused cryptocurrency associated with Japan that can be mined using just a CPU."

It is very alarming news for the general people who use Internet from PC, or Android. If Google Chrome isn't able to protect against such malware, it is shocking. I think Google Chrome will detect this malware soon.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: elda34b on February 01, 2019, 03:06:24 AM
It is very alarming news for the general people who use Internet from PC, or Android. If Google Chrome isn't able to protect against such malware, it is shocking. I think Google Chrome will detect this malware soon.

Looks like it's more about Mac. It steals cookies, quite smart but it will only work if users choose to save cookies or something similar. A way to protect from this attack would be to always disable cookies, and avoid any malicious software. Let's hope Mac will be able to solve this issue soon.

Btw, this makes me think switching to GNU/Linux is one of my best choices in life.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: pooya87 on February 01, 2019, 04:26:36 AM
that is why "encryption" exists!
you encrypt everything with a password and nobody is going to be able to have access to your data that easily. for example in this case you can encrypt your stored passwords in your browser with a master password that they allow you to set. that way the passwords are stored on your disk encrypted. for example using Firefox you can go to your setting and type in "master password" in the settings search bar and check its box and set a strong encryption password:
Code:
about:preferences#searchResults


Title: Re: A new malware designed to beat 2-fa authentication
Post by: ranman09 on February 01, 2019, 04:38:03 AM
that is why "encryption" exists!
you encrypt everything with a password and nobody is going to be able to have access to your data that easily. for example in this case you can encrypt your stored passwords in your browser with a master password that they allow you to set. that way the passwords are stored on your disk encrypted. for example using Firefox you can go to your setting and type in "master password" in the settings search bar and check its box and set a strong encryption password:
Code:
about:preferences#searchResults

Interesting I didn't know firefox can do this. Do we have the same option for google chrome?


Title: Re: A new malware designed to beat 2-fa authentication
Post by: pooya87 on February 01, 2019, 05:15:18 AM
that is why "encryption" exists!
you encrypt everything with a password and nobody is going to be able to have access to your data that easily. for example in this case you can encrypt your stored passwords in your browser with a master password that they allow you to set. that way the passwords are stored on your disk encrypted. for example using Firefox you can go to your setting and type in "master password" in the settings search bar and check its box and set a strong encryption password:
Code:
about:preferences#searchResults

Interesting I didn't know firefox can do this. Do we have the same option for google chrome?

there is no such option for Google Chrome as far as i know and last time i checked they don't seem to have any plans on adding the feature either because they think it is not going to increase your security! there are extensions you can use but then again trusting these extensions is another problem.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: figmentofmyass on February 01, 2019, 06:33:30 AM
Google Chrome and Apple Safari cookies are stolen.
Saved usernames and credit card information from Chrome are stolen.
Text messages backed up to Mac are stolen from victims’ iPhone.
Browser cookies are stolen to defeat login anomaly detection.
...
With this combination of login credentials and cookies, attackers can often bypass the two-factor authentication process protecting accounts.

sorry if this is a dumb question, but how exactly does this compromise 2FA?

all of the compromised data is browser-based (something you know, not something you have), with the exception of "stolen text messages". but old text messages shouldn't overcome SMS 2-factor authentication because those one-time codes are only good for a very limited time. and if you use TOTP-based 2FA, you should be completely safe.

can somebody walk me through this?


Title: Re: A new malware designed to beat 2-fa authentication
Post by: aoluain on February 01, 2019, 06:55:45 AM
Google Chrome and Apple Safari cookies are stolen.
Saved usernames and credit card information from Chrome are stolen.
Text messages backed up to Mac are stolen from victims’ iPhone.
Browser cookies are stolen to defeat login anomaly detection.
...
With this combination of login credentials and cookies, attackers can often bypass the two-factor authentication process protecting accounts.

sorry if this is a dumb question, but how exactly does this compromise 2FA?

all of the compromised data is browser-based (something you know, not something you have), with the exception of "stolen text messages". but old text messages shouldn't overcome SMS 2-factor authentication because those one-time codes are only good for a very limited time. and if you use TOTP-based 2FA, you should be completely safe.

can somebody walk me through this?

Good question and very relevant, there must be something else to it.

Personally I have never used Chrome and I didn't fall for the "convenience"
of using it at the expense of compromising privacy.

Chrome allows third-party websites to access your IP address and any
information that site has tracked using cookies. If you care about privacy
at all, you should ditch the browser that supports a company using data
to sell advertisements and enabling other companies to track your online
movements


I have always used Firefox in private mode, I don't allow Firefox to store
my browsing history. This is something the Mozilla Foundation have
always based the operations on.

We do not collect personally identifiable data, not what you do or what
websites you go to


https://www.fastcompany.com/90174010/bye-chrome-why-im-switching-to-firefox-and-you-should-too

I wonder why it is targeted solely to apple users, android users could surely
be targeted too?


Title: Re: A new malware designed to beat 2-fa authentication
Post by: qiman on February 01, 2019, 07:06:42 AM
This is so unfortunate that the bad apples are working so hard to undermine mass adoption and make it very difficult for the average Joe Bloggs to enter crypto. Instead of being useful and becoming advocates for change and helping people join this big technical revolution, they prefer to work hard just for quick gain and out of malice to make sure less and less people want to join this niche market. Many newbies are frightened off because of this attitude from rogue entities and it scares them entering this space. I do hope that cyber police become more and more vigilant in catching these nasty people who are trying to undermine crypto and the blockchain for normal users and investors.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: shirackjs on February 01, 2019, 08:21:53 AM
This is alarming, 2FA is the additional step to secure our accounts in exchanges and online wallets. Now, it can be compromised, which means hackers are able to access our accounts easily.   :'(


Title: Re: A new malware designed to beat 2-fa authentication
Post by: kkgfhj123 on February 01, 2019, 08:26:54 AM
One way or the other, we are all dependent on third parties like Chrome or Safari... I think data being leaked from Chrome and Safari is a trust issue... This is horrible news :-\

Hardware wallets are the only option to secure your funds


Title: Re: A new malware designed to beat 2-fa authentication
Post by: romero121 on February 01, 2019, 08:29:10 AM
When you find something alarming it's our responsibility to make ourself active in the process of securing our funds. In the past I've lost more than 0.5btc due to the security breach, as I haven't enabled 2FA. Once after enabling I never found anything go wrong. Now the news to defeat 2FA shows the increased hackers into the cryptocurrency network. Right now it seems hardware wallet is the best in the market for Cryptocurrency holdings.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: kelz1 on February 01, 2019, 08:37:02 AM
This development is very alarming, exchanges should start to offer 3 factor authentication. Those who trade big might have several bitcoins left on the exchanges to day trade.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: bitfocus on February 01, 2019, 12:29:32 PM
such development is super alarming! most of the users trust 2FA - now those days are gone!


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Pab on February 01, 2019, 01:49:46 PM
that is why "encryption" exists!
you encrypt everything with a password and nobody is going to be able to have access to your data that easily. for example in this case you can encrypt your stored passwords in your browser with a master password that they allow you to set. that way the passwords are stored on your disk encrypted. for example using Firefox you can go to your setting and type in "master password" in the settings search bar and check its box and set a strong encryption password:
Code:
about:preferences#searchResults

Interesting I didn't know firefox can do this. Do we have the same option for google chrome?

That is nice thanks for sharing
It can be very good to use it
I have been reading that together with new IT technology we will also have new much improved hacking methods unfortunately it is going together
So good move is to use encryption for protection
Personally i don't like to use any extension in my browser
I can recommend you to try Proton VPN i use his VPN long time and i am very happy also because i have better internet with his vpn
You can even pay with btc for upgrading version only 46 euro a year


Title: Re: A new malware designed to beat 2-fa authentication
Post by: hatshepsut93 on February 01, 2019, 02:08:43 PM

sorry if this is a dumb question, but how exactly does this compromise 2FA?

all of the compromised data is browser-based (something you know, not something you have), with the exception of "stolen text messages". but old text messages shouldn't overcome SMS 2-factor authentication because those one-time codes are only good for a very limited time. and if you use TOTP-based 2FA, you should be completely safe.

can somebody walk me through this?

I found another article (https://www.whizsec.com/blog/cookieminer-mac-malware-steals-from-cryptocurrency-wallets/), and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.

It's an interesting topic and people who have very important online accounts, like traders, should definitely check it, so here's some links:

https://security.stackexchange.com/questions/178663/why-isnt-stealing-cookies-enough-to-authenticate

https://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s

Maybe on some sites you can remove 2FA if you have access to the email, and if this malware can give access to victims email, they can get all the control they need.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Lucius on February 01, 2019, 02:21:45 PM
for example using Firefox you can go to your setting and type in "master password" in the settings search bar and check its box and set a strong encryption password

I know this option is enabled in Firefox, and it makes sense to set a master password. But the user needs to enter that master password only once per session (first time Firefox is opened), and then all passwords are available. From the aspect of security, how safe are the passwords from a hack after the user has unlocked them with the master password?

I see Google Chrome offer password manager, but I do not see any mention of master password as Firefox...

https://support.google.com/chrome/answer/95606?co=GENIE.Platform%3DDesktop&hl=en


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Cofee.BLUE on February 01, 2019, 02:22:33 PM
https://www.newsbtc.com/2019/01/31/cryptocurrency-scam-mac/

"The software steals credentials, including browser cookies, to allow access to cryptocurrency exchange accounts. CookieMiner, as the malware is known, targets exclusively Mac users owing to the cross-device functionality of Apple’s products.
In addition to stealing login details and creatively subverting security precautions, the CookieMiner malware also uses the victim’s machine to covertly mine an obscure digital asset called Koto.
...
Google Chrome and Apple Safari cookies are stolen.
Saved usernames and credit card information from Chrome are stolen.
Text messages backed up to Mac are stolen from victims’ iPhone.
Browser cookies are stolen to defeat login anomaly detection.
...
With this combination of login credentials and cookies, attackers can often bypass the two-factor authentication process protecting accounts.
...
CookieMiner also installs mining software on the infected machine. Palo Alto Networks claim that the program is made to look like a piece of Monero-mining software. However, instead of mining the most frequently cryptojacked asset, it sets Mac users’ machine mining Koto, another privacy-focused cryptocurrency associated with Japan that can be mined using just a CPU."
For you to get access on google chrome you should have the intelligence of thousands of website developers and programmers. For someone to steal someone's phone saved information there must be a bait or device control. Hijacking can be done using finest computer with program on it and i don't think just someone could do that to leading technology companies more of like movie twists.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: ToyotaFortuner on February 01, 2019, 04:23:07 PM
more and more viruses are spread by hackers who try to steal assets owned by cryptocurrency users, and preferably when you want to access your wallet or place of exchange you have to be more careful and not be careless.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: bit-freedom on February 02, 2019, 01:15:48 PM
Thank you for the warning. It is a strong battle between the hackers and users like us. Please stay safe everybody and be careful when clicking on hyperlinks and downloading stuffs. Stay safe and let’s win the battle against the hackers and scammers.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: kucritt on February 02, 2019, 01:37:28 PM
is it true? i think 2FA authentication is made so that people who want to hack the account can't hack it, because it will use another application or another platform to make a verification of the owner of that wallet or that account, so if this is real i think we should make another way to verify the owner


Title: Re: A new malware designed to beat 2-fa authentication
Post by: JRoa on February 02, 2019, 01:44:54 PM
This is so unfortunate that the bad apples are working so hard to undermine mass adoption and make it very difficult for the average Joe Bloggs to enter crypto. Instead of being useful and becoming advocates for change and helping people join this big technical revolution, they prefer to work hard just for quick gain and out of malice to make sure less and less people want to join this niche market. Many newbies are frightened off because of this attitude from rogue entities and it scares them entering this space. I do hope that cyber police become more and more vigilant in catching these nasty people who are trying to undermine crypto and the blockchain for normal users and investors.
It is one of the factors why there are people who are afraid to enter the market. They are afraid to lose their money due to the hackers that are so skillful. Hackers are always finding a way for them to hack cryptocurrencies in all over the market. If we can only stop them, the mass adoption will happen.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: sehoon on February 02, 2019, 02:36:12 PM
I think they should do something about how to prevent the malware from getting into our funds. And do a free service that will make us secure, and our funds secure where we don't have to purchase a hardware wallet because not everyone can afford that yet. I hope they do something about this right away.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: seoincorporation on February 02, 2019, 02:43:15 PM
...

It is very alarming news for the general people who use Internet from PC, or Android. If Google Chrome isn't able to protect against such malware, it is shocking. I think Google Chrome will detect this malware soon.

It's the hacking race, hackers will always develop new tools and they will work until someone develops a patch, that's how this world works. The crazy fact is the attack vector, 2FA and macOS. That's what has me amazed, because those were two important security factors and it's fun to see how they are the vuln.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Reid on February 02, 2019, 03:02:13 PM
Thank you kenzawak for opening this kind of discussion. It is an eye opening.

pooya87 and aoluain thank you also for answering with web browser hacking and what should be used for security and you both have the same answer into what is most advised as a great browser.

Now, I am uninstalling my chrome. I am not really into digging about browser but this is an eye opener although it ain't the target of the thread.
I believe 2FA ain't that easy to be hacked. Just changing a smartphone and also reporting the change will give you a hard time, what more into hacking it.
I passed all my documents just so I could get it back and it took 2 days for me to recover it all. I believe that is how secured it is.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Patatas on February 02, 2019, 03:29:41 PM
How can it beat the 2FA if your primary source of the Authenticator is the application downloaded in your phone? The cookies and stuff aren’t applicable here. I don’t understand why would one use browser again to store anything related to 2FA.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: xWolfx on February 02, 2019, 03:35:44 PM
Thank you for the warning. It is a strong battle between the hackers and users like us. Please stay safe everybody and be careful when clicking on hyperlinks and downloading stuffs. Stay safe and let’s win the battle against the hackers and scammers.

To be honest,  between hackers and regular users that is not even a battle. Hackers win easily.

This malware affects Mac users but don't think that because you're not using a Mac you're safe from a 2-factor authentication bypass. Using phishing links, an attacker can also bypass the authentication by using the real website but acting as some kind of intermediary between you and the website, so you are getting the real code and submitting it for the hacker to have access.

A really good attacker wanting you to click a link will most likely make you click a link. The rate of people who fall for that simple attack vector is incredibly huge.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Indamuck on February 02, 2019, 03:37:49 PM
Malware and security will always be at an arms race to defeat each other.  No matter how secure we think we are all it takes is one genius to crack the puzzle and we are screwed.  Also no matter how good your digital security is you are still prone to a physical wrench attack.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Fredomago on February 02, 2019, 03:47:31 PM
Malware and security will always be at an arms race to defeat each other.  No matter how secure we think we are all it takes is one genius to crack the puzzle and we are screwed.  Also no matter how good your digital security is you are still prone to a physical wrench attack.
It will be a continuous battle, this news is really alarming and needs to be well understood, hackers are always finding ways to penetrate
and if we give them a little chance they will attack quicker than we think that we are well protected, it's best to always be updated and take things
seriously to learn more about prevention regarding this concern.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: BrewMaster on February 02, 2019, 04:02:45 PM
To be honest,  between hackers and regular users that is not even a battle. Hackers win easily.

you don't really need to be an expert to be pretty safe. of course 100% safety is impossible no matter what you do and how "expert" you are but even a "regular user" with basic understanding of computers can be as safe that he/she never loses anything ever in his entire life. there are just certain precautions that you have to always take like not downloading or even visiting sites with anything fishy in them. keeping your secrets password protected,...


Title: Re: A new malware designed to beat 2-fa authentication
Post by: khufuking on February 02, 2019, 04:19:30 PM
I found another article (https://www.whizsec.com/blog/cookieminer-mac-malware-steals-from-cryptocurrency-wallets/), and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.
Faking the identity of the victim's machine will not make you bypass 2FA, I have 2FA setup on all my exchanges and I am always asked to enter my 2FA and I never changed the computer I am using with my exchanges, also in some exchanges like Bittrex I always have to confirm by email+2FA if my IP changed. I don't see in the article any mention of the way the attackers bypass 2FA, and if they are talking about the old one-time text message it still can't be done because it is only valid for one-time logging and for a limited time.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: Oceat on February 02, 2019, 04:19:41 PM
~snip~
I have always used Firefox in private mode, I don't allow Firefox to store
my browsing history. This is something the Mozilla Foundation have
always based the operations on.
...
I think this is just the same with Google Chrome, they do have incognito mode which is basically similar to what you have said. Incognito never stores your passwords, cookies, and history of your browser. And i think personally the biggest difference between these two is just how the processing of these two is much more different. Chrome is way faster than Firefox in terms of quick response, IMO.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: vit05 on February 02, 2019, 04:51:01 PM
How can it beat the 2FA if your primary source of the Authenticator is the application downloaded in your phone? The cookies and stuff aren’t applicable here. I don’t understand why would one use browser again to store anything related to 2FA.

It doesn't. What this malware does is try to take advantage of the session that is already open. He tries to fool the website by saying it's just a continuation of the last login.

Hacker could not type 2fa again. Since the combination expires fast. It would take advantage of the last numbers entered or the open session.

But most serious sites ask for 2fa again depending on the ip used.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: fumblingperch on February 02, 2019, 10:33:33 PM
This is terrible. No matter how we try to protect your funds, there are still new ways to hack your wallets and accounts. Now I'm even more worried about my money.


Title: Re: A new malware designed to beat 2-fa authentication
Post by: figmentofmyass on February 02, 2019, 10:41:18 PM
sorry if this is a dumb question, but how exactly does this compromise 2FA?

all of the compromised data is browser-based (something you know, not something you have), with the exception of "stolen text messages". but old text messages shouldn't overcome SMS 2-factor authentication because those one-time codes are only good for a very limited time. and if you use TOTP-based 2FA, you should be completely safe.

can somebody walk me through this?

I found another article (https://www.whizsec.com/blog/cookieminer-mac-malware-steals-from-cryptocurrency-wallets/), and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.

It's an interesting topic and people who have very important online accounts, like traders, should definitely check it, so here's some links:

https://security.stackexchange.com/questions/178663/why-isnt-stealing-cookies-enough-to-authenticate

https://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s

thanks for the explanation. i think i get it now. it didn't occur to me that hackers were duplicating an existing session using the stolen cookies. it's still not an easy attack to pull off since the attacker needs to spoof the IP address (and other parameters) from the original session, but it's good to be aware that this can happen. it definitely makes a strong case for requiring 2FA on withdrawals (email confirmation and TOTP) in case your session gets hijacked like this.
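
The mitigation this thread converges on (asking for 2FA again when the IP changes, and always requiring a fresh TOTP code on withdrawals), sketched server-side as an added example that is not part of any post above. `Exchange`, `Session` and `authorize` are hypothetical names, the password check is omitted, and the secret, addresses and user agent are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str


class Exchange:
    """Hypothetical site: a cookie alone never authorizes a sensitive action."""
    SENSITIVE = {"withdraw", "change_email", "disable_2fa"}

    def __init__(self):
        self.totp_secrets = {}   # user -> shared TOTP secret
        self.sessions = {}       # session cookie -> Session
        self.used_codes = set()  # (user, time step): each code works once

    def _check_totp(self, user, code, now):
        step = int(now) // 30
        if code is None or (user, step) in self.used_codes:
            return False
        if not hmac.compare_digest(code, totp(self.totp_secrets[user], now)):
            return False
        self.used_codes.add((user, step))
        return True

    def login(self, user, code, ip, user_agent, now):
        # Assumption: the password was already verified before this point.
        if not self._check_totp(user, code, now):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, ip, user_agent)
        return cookie

    def authorize(self, cookie, action, ip, user_agent, now, code=None):
        s = self.sessions.get(cookie)
        if s is None:
            return "deny"
        context_changed = (ip, user_agent) != (s.ip, s.user_agent)
        # Step-up: new network/browser context OR any sensitive action
        # needs a fresh, unused TOTP code, whatever the cookie says.
        if action in self.SENSITIVE or context_changed:
            if not self._check_totp(s.user, code, now):
                return "step_up_required"
            s.ip, s.user_agent = ip, user_agent  # rebind after fresh 2FA
        return "allow"


def demo():
    """Constructed scenario: owner logs in, then the cookie is replayed."""
    ex, secret, t0 = Exchange(), b"12345678901234567890", 1_000_000_000
    ex.totp_secrets["alice"] = secret
    home, ua = "203.0.113.10", "UA-mac"
    cookie = ex.login("alice", totp(secret, t0), home, ua, t0)
    fresh = totp(secret, t0 + 150)
    return [
        ex.authorize(cookie, "view_balance", home, ua, t0 + 60),
        # Copied cookie presented from another address, no code available.
        ex.authorize(cookie, "view_balance", "198.51.100.7", ua, t0 + 90),
        # Copied cookie with matching IP and user agent: withdrawal still gated.
        ex.authorize(cookie, "withdraw", home, ua, t0 + 120),
        # Owner supplies a fresh code from the phone.
        ex.authorize(cookie, "withdraw", home, ua, t0 + 150, fresh),
        # The same code replayed inside its 30-second window is refused.
        ex.authorize(cookie, "withdraw", home, ua, t0 + 155, fresh),
    ]


if __name__ == "__main__":
    print(demo())
```

The third case is the one the thread was unsure about: even when the original session's IP and user agent are matched exactly, the withdrawal is refused without a code from the second factor.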