starik69 (OP)
April 11, 2013, 11:01:54 AM
> did you click any links in the btc-e chatroom, or other bitcoin chatrooms while logged into blockinfo?

Yes, that could have happened.

doobadoo
April 11, 2013, 11:09:20 AM
> > did you click any links in the btc-e chatroom, or other bitcoin chatrooms while logged into blockinfo?
>
> Yes, that could have happened.

BINGO! You caught a javascript keylogger, or a script that performed a cross site scripting attack, pulled your wallet out of the jscript running while you had blockchain.info open in another tab.
"It is, quite honestly, the biggest challenge to central banking since Andrew Jackson." -evoorhees

doobadoo
April 11, 2013, 11:13:59 AM
When logged into a bitcoin site that contains your balance, run FF with the NoScript addon installed (set it to ban scripts globally), then "allow" the ones that are needed for gox and blockchain info; all others shall be banned. Bitcointalk.org is safe too. Your banking site scripts are ok. google.com is okay and might need to be allowed too. Everything else by default will be banned.

Use that browser only for your financial stuff. Browse in chrome for everything else. Consider linux or os x. You can buy a $50 external usb hdd and install some kind of linux on that (or repartition your boot drive if you're good at stuff like that). Just run bitcoin on that linux install and run all the security patches. Use FF on that, just like I told you.

z12
April 11, 2013, 11:24:20 AM
Now that you mention it, I just checked my browsing history. The suspicious websites I visited in the last week:

Cryptocoinexplorer.com (<= I clicked this from btc-e), bitcoin.clarkmoody.com, bitcoinrush.p4o.net, zerohedge.com, xcannabis.com, wallet.litehosting.eu, thebitcoinchannel.com, coinad.com, cryptocoincharts.info, kamikaze.litecoinland.com, litecoin-store.com, litecoingames.com, litefaucet.com, m-obmen.com, medium.com, minecraftcc.com, otn.dsparking.com, weusecoins.com

These are the domains I visited from last week which I don't instantly trust. Some of them are well known btc/ltc services... Though my blockchain wallet wasn't touched and I still have my 0.0000105 btc (!), but I lost access to my btc-e account... Could one of these install a keylogger on my computer? I don't think so.

Edit: Also, I'd like to include that I use the lastpass autofill feature to login; I don't think a normal keylogger could log lastpass logins.

🏰 TradeFortress 🏰
April 11, 2013, 11:27:48 AM (Last edit: April 11, 2013, 12:52:46 PM by TradeFortress)
Would have to be XSS [or other malware].

starik69 (OP)
April 11, 2013, 11:32:22 AM
> BINGO! You caught a javascript keylogger, or a script that performed a cross site scripting attack, pulled your wallet out of the jscript running while you had blockchain.info open in another tab.

I guess if it was a script, after reloading the OS and clearing the browser cache it must be gone?

uMMcQxCWELNzkt
April 11, 2013, 11:38:23 AM
Perhaps it is also possible that you visited a cloned website with a slightly different Domain? This kind of scam happens all the time with Paypal and even student loan websites.

starik69 (OP)
April 11, 2013, 11:56:11 AM
No, sure it was original site.

whiskers75
April 11, 2013, 12:05:25 PM
Yes, I can confirm being hacked. Well, I have 0.1 BTC in Pyramining, so I just need to hit the owner up for that.

Logik
April 11, 2013, 12:14:44 PM
Nobody has their password 'hacked'. You get exploited through a 0 day through Java or Flash in your browser, or through a file download, and then the program just sits and waits.
- Never re-use your blockchain password for anything else. That's just silly.
- Enable 'click to play' on all browser plugins. There is no pure JavaScript exploit, only browser plugin exploits. Enable browser plugins by default = you're hacked
- Enable one time password 2 factor auth to your PHONE. Not your @#$% email. That's completely redundant. If someone has access to your machine then they have access to the email. No 2 factor to your phone = you're hacked.
If anyone is hit by this then the malware is still going to be on your computer so you need to nuke it from orbit or buy a new computer.

Logik
April 11, 2013, 12:16:55 PM
A XSS attack on Blockchain.info is possible but would be WAY more serious and so bad to the point of me thinking it shouldn't be possible.
The only other possibility is a compromised browser extension (chrome app) but it's slightly far fetched.

starik69 (OP)
April 11, 2013, 12:18:20 PM
> You get exploited through a 0 day through Java or Flash in your browser

Flash and java were disabled.

> - Never re-use your blockchain password for anything else. That's just silly.

Password was unique.

🏰 TradeFortress 🏰
April 11, 2013, 12:18:29 PM
> A XSS attack on Blockchain.info is possible but would be WAY more serious and so bad to the point of me thinking it shouldn't be possible.
> The only other possibility is a compromised browser extension (chrome app) but it's slightly far fetched.

Pretty sure it's Java now.

hmm? Was notifications enabled?

JJJJust
April 11, 2013, 12:30:46 PM
I just recently (a week or so ago) wiped and reinstalled Debian, haven't logged into my blockchain wallet on my PC since then... and still got my fraction-of-a-coin swiped. Not sure I buy the XSS explanation.

starik69 (OP)
April 11, 2013, 12:43:45 PM
> hmm? Was notifications enabled?

No, in my case only security option was password.

casascius
Mike Caldwell
April 11, 2013, 07:35:57 PM (Last edit: April 11, 2013, 08:01:47 PM by casascius)
I know someone personally whose blockchain.info funds ended up directly as a txin to this transaction, who wrote me an e-mail today complaining that his 4 or so BTC disappeared.
From the looks of the transaction, one of the txin's belongs directly to him, and none of the others are part of his wallet. Funds went straight from his address directly into this combined transaction. In other words it looks like his private key was stolen right out of his account, rather than someone sending funds directly from his account using the web UI.
I wonder if he had a weak password and the encrypted database of blockchain.info wallets has been compromised? Normally with a keylogger you'd expect somebody to go and log into accounts one by one and steal funds by hand as the accounts are discovered. The fact that this is a huge combined transaction suggests to me something more sophisticated than that!
EDIT/FOLLOWUP: I asked him if he would be willing to share his password with me for me to assess its strength against brute force hacking. His password was 14 characters but, in my opinion, would have been vulnerable to a dictionary attack. Makes me think somebody out there might have stolen encrypted wallets and is bruteforcing passwords.
ALSO: I have a small amount of coin in a BlockChain wallet with a deliberately weak password. I don't have the wallet identifier handy, but will soon. Will be able to check. It's a wallet I don't use much, so if it's still safe, it could indicate keylogger is more likely than database breach.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

starik69 (OP)
April 11, 2013, 08:05:24 PM
> The fact that this is a huge combined transaction suggests to me something more sophisticated than that!

I agree, hacker definitely stole privkeys from blockchain addresses and used them to combine theft in one transaction.

MWNinja
April 12, 2013, 01:22:32 AM
Did the ones that got hacked have an easily guessed alias? Dictionary attack on aliases would give an attacker a bunch of encrypted wallets to offline brute force.
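
Added example, not written by any poster in this thread: a strength check illustrating the point raised above by casascius and MWNinja, that a 14-character password can still fall to a dictionary-based offline search of a stolen encrypted wallet. The wordlist, its assumed size, the sample passwords and the guess rate are all constructed assumptions.

```python
import math

# Constructed sample wordlist; the estimate treats it as if it were a
# full dictionary of WORDLIST_SIZE entries (assumption).
WORDS = {"silver", "dragon", "coin", "wallet", "bit", "money", "moon"}
WORDLIST_SIZE = 100_000
CHARSET = 94  # printable ASCII symbols, used for the naive estimate

def naive_bits(pw):
    """Entropy if every character had been chosen uniformly at random."""
    return len(pw) * math.log2(CHARSET)

def dictionary_bits(pw):
    """Cheapest way (in bits) to build pw from dictionary words, digits
    and arbitrary characters, found by dynamic programming."""
    n, low = len(pw), pw.lower()
    word_cost = math.log2(WORDLIST_SIZE) + 1  # +1 bit: capitalised or not
    best = [0.0] + [math.inf] * n             # best[i]: cost of pw[:i]
    for i in range(n):
        # Extend by one arbitrary character, or more cheaply by a digit.
        step = math.log2(10) if pw[i].isdigit() else math.log2(CHARSET)
        best[i + 1] = min(best[i + 1], best[i] + step)
        # Extend by a whole dictionary word starting at position i.
        for j in range(i + 2, n + 1):
            if low[i:j] in WORDS:
                best[j] = min(best[j], best[i] + word_cost)
    return best[n]

def days_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / 86_400

if __name__ == "__main__":
    rate = 1_000_000  # assumed guesses/second against a weak wallet KDF
    for pw in ("SilverDragon13", "q7#Lz!p0Vx@9Kd"):  # constructed samples
        n, d = naive_bits(pw), dictionary_bits(pw)
        print(f"{pw}: naive {n:.1f} bits, dictionary-aware {d:.1f} bits, "
              f"{days_to_exhaust(d, rate):.3g} days at {rate:,} guesses/s")
```

Both sample passwords are 14 characters long, but only the random one keeps most of its nominal strength once word structure is taken into account.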

zkay
April 12, 2013, 01:31:46 AM
Not sure if it's related but I keep getting texts with my current OTP login code for blockchain when I'm at work or otherwise not even accessing the site. Typically it will only send those when it sees someone trying to access your login credentials.
Has anyone with 2FA been compromised?

casascius
Mike Caldwell
April 12, 2013, 05:24:10 AM
I use BlockChain.info all the time but my advice is: Keep Bitcoins On Paper Wallets!
Blockchain.info is great for transacting, but I simply don't trust web wallets. For trivial ad-hoc stuff, I will import a paper wallet, do my business, and send any change back to another paper wallet. Nothing against BlockChain.info, in fact I like that they make it so convenient to do what I want to do the way I want to do it (such as scanning bitcoin addresses thru webcam)... it's just... in my view, insane to leave bitcoins you want to keep, on a web wallet.