Bitcoin Forum
Author Topic: How I got robbed of 34 btc on Mt.Gox today  (Read 124877 times)
bitbully (OP)
April 11, 2013, 10:44:19 AM
Last edit: April 22, 2013, 01:40:59 AM by bitbully
 #1

So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info (do not open unless you know what you are doing) claiming a video announcement that mtgox was going to start trading litecoins.

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.



A while later, at approx. 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
Transaction reference: 97235bfd-9909-4020-9f06-e9d318c1ef7f
 
Date: 2013-04-11 02:06:22 GMT
 
IP: 198.203.29.120

You can access your account history for more details.

Please contact us as soon as possible by replying to this email if you did not request this withdrawal.

Thanks,

The Mt.Gox Team
------------------------------------------------------------

I immediately responded back to them, but what I discovered is that the withdrawal had been instantly processed and already confirmed in the blockchain:

https://blockchain.info/tx/bb30f2f110ba5b7bb60812bc3d7744f5086f6b4a38439566f1888a8d26e1fbec



which left less than a third of a bitcoin in my account. I then realized that this withdrawal happened at the EXACT time I accessed the mtgox-chat website, based on my browser history. I then realized that I only received my notification email from them much after the fact, apparently because their servers are overloaded and not functioning correctly.

Being a techie, I started researching. I found out that this site is hosted here in the USA. I also found out that the withdrawal was submitted from an IP in Los Angeles even though I have been accessing mtgox from Pennsylvania / New York. I then discovered that the site is a teleport pro rip of bitcoincharts.com branded with a mtgox logo, and was registered on namecheap (with bitcoins as it may be) not even 5 days ago! This is the IP resolve of the domain name.



I then discovered that the site is loaded with a Java script which, based on an initial analysis by my Java programmer friend, is a 0-day Java exploit with a cross-site injection attack, which automatically started. It also contains an additional keylogger payload, all customized specifically for mtgox. They even "offer" an easy to use file download link for those whose browsers are not running Java. This script INSTANTANEOUSLY initiated a mtgox withdrawal of nearly all my btc (34btc) in the background (I was logged into mtgox on that browser; it seemed to be using some form of proxy to access my browser cookie cache, it would seem) and then changed the account password so I couldn't login anymore. This was proven to be 100% automatic as the withdrawal occurred the same exact minute I accessed that website for the first time.

It then continued to gather all my computer passwords and logged everything I was doing, including my blockchain account (as I eventually located the log files), and then sent it to the hackers / script kiddies. Luckily I have dual password protection on my blockchain wallet, otherwise all my other bitcoins would be gone too. I wouldn't just call them script kiddies because this script was very specific and well written for the mtgox website. I had two antiviruses running and neither caught it. Only later Malwarebytes picked it up as a well encoded trojan payload executable.



Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.


UPDATE 4/21/13

I got my coins back :)

https://bitcointalk.org/index.php?topic=173227.msg1907593#msg1907593

But others are still suffering.

http://www.reddit.com/r/Bitcoin/comments/1cokps/java_exploit_stole_all_my_btc/

I'll be the first to buy a hardware wallet...
ripper234
April 11, 2013, 10:45:29 AM
Last edit: April 11, 2013, 11:21:51 PM by ripper234
 #2

FYI, I know bitbully and respect his analysis.

I expect Mt. Gox to come up with an analysis and refund him and any other affected clients.
bitbully - I advise emailing a link to this thread to Mt. Gox support.


The above is true if the attack resulted from a case of XSS or other similar attack vector, that would imply negligence on Mt. Gox's part. If the attack is simple keylogger/trojan based that replays user credentials, I take it back.

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
Zaih
April 11, 2013, 10:48:48 AM
 #3

Wow, well that seriously sucks. I guess there's still hope that Mt. Gox will help you out. I wouldn't count on it though :@
doobadoo
April 11, 2013, 10:54:47 AM
 #4

Internet explorer?

Use Firefox with NoScript, which would have probably prevented XSS. As for the 0-day JavaScript exploit, NoScript will save your bacon there too: only allow scripts you can identify and trust.

That keylogger it ran, was it actually installed to the system or was it just running in the browser? Boy, that's Win 8 for ya.

Change your email and banking passwords after you've done a clean install.

Consider Linux or OS X.

"It is, quite honestly, the biggest challenge to central banking since Andrew Jackson." -evoorhees
Andrew Vorobyov
April 11, 2013, 11:02:54 AM
 #5

"MtGox security" Season 02 Episode 01
ripper234
April 11, 2013, 11:07:32 AM
 #6

Posted this to a separate thread on reddit.

http://www.reddit.com/r/Bitcoin/comments/1c4m6q/watch_out_0day_exploit_stealing_mt_gox_funds/

bitbully (OP)
April 11, 2013, 11:07:58 AM
 #7

Thanks doobadoo for the advice.

Moved to a clean system until I wipe the infected one, all passwords reset. I was using Chrome and Win7, and you don't have to tell me, I know the risks of using Microsoft. I'm on top of my security, always have been, but this trojan was well crafted; I mean, when the incentive is there you'll have the entire online underground mafia programming these things. These guys must be making a killing. I think the payload was both a browser Java instance and a custom keylogger executable. But I'm not an expert; all I know is the second I clicked on that site my bitcoins were withdrawn near instantaneously, and I had mtgox.com open and logged in on another tab.

Crossing my fingers mtgox will help.
Severian
April 11, 2013, 11:11:20 AM
 #8

Sorry to hear.

Friends don't let friends use Windows + Bitcoin.
octopus
April 11, 2013, 11:13:51 AM
 #9

Are you sure you didn't run a Java applet? Because that's pretty much the same as running an executable file, and in that case, your negligence can't be blamed on MtGox.

I have a strong feeling it was a Java applet, because XSS can't install trojans on to your computer without an additional attack vector.

Sorry, but this seems to be mostly due to your own negligence. I know it's hard to hear. Sorry dude :(

ingrownpocket
April 11, 2013, 11:24:56 AM
 #10

It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.
Rampion
April 11, 2013, 11:31:31 AM
 #11

Quote from: ingrownpocket
It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.

This.

Or A LOT of people are in deep shit.

Anyhow: 2 Factor Authentication is a must.

🏰 TradeFortress 🏰
April 11, 2013, 11:32:46 AM
 #12

Quote from: ingrownpocket
It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.

Look at the site.

JAVA.
ingrownpocket
April 11, 2013, 11:41:01 AM
 #13

Quote from: TradeFortress
It's impossible that all this happened just for entering that website.

1) You installed something from that site.
2) Or; You gave it extra permissions to run something on your browser.
Look at the site.

JAVA.

Chrome asks permission to run Java.
#2
doobadoo
April 11, 2013, 11:54:41 AM
 #14

Quote from: octopus
Are you sure you didn't run a Java applet? Because that's pretty much the same as running an executable file, and in that case, your negligence can't be blamed on MtGox.

I have a strong feeling it was a Java applet, because XSS can't install trojans on to your computer without an additional attack vector.

Sorry, but this seems to be mostly due to your own negligence. I know it's hard to hear. Sorry dude :(

Are we sure the trojans have anything to do with the attack? He may just coincidentally ALSO be infected by some trojans from some bad software he d/led and installed. He says the coins were tx'd instantly when he clicked the poisoned link. That smells like XSS. He was logged in to Gox, executed some bad JavaScript, and that script injected itself into the Gox script running in the next tab and transferred whatever coin he had in Gox to a withdrawal address. No need to upload account credentials, just grab what's there.

JoelKatz
April 11, 2013, 12:02:43 PM
 #15

There's really no evidence here that this is Mt Gox's fault. Most likely, it's an exploit that takes over control of the browser. If you had a Mt. Gox window open, it can read any information or click any links that you can. The vulnerability is most likely in your JVM or in your browser. (Unless it's an XSS thing, in which case it could be at least partially Mt. Gox's fault, but honestly I think that's less likely.)

Of course, that's not to place any blame on you. Yes, you could have run the browser in a VM you only use for Gox and close it any time you're going to do anything else and sweep your computer for malware before you open the VM and keep the VM encrypted and ....

But then basic stuff would be pretty incredibly hard, wouldn't it?

Quote from: bitbully
I had two antiviruses running and neither caught it.
It's the job of these antiviruses to protect you from malicious stuff like this, and they failed you. Of course, providers of antivirus software take no responsibility for the reliability of their software.


I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Rampion
April 11, 2013, 12:14:40 PM
 #16

It looks like the thieves have stolen 72.38 BTC in just one day. Not bad, who says that crime does not pay?

FiloSottile
April 11, 2013, 12:16:24 PM
 #17

I'm really sorry for what happened to you, but here it's not Mt. Gox fault.

There's no threat model that can take complete client compromise into account, except maybe dual-factor auth on any withdrawal, but even that would only protect you until you make an authenticated operation; then the attacker can fake the pages so that you think you are sending a BTC to someone and instead you are sending all to them.

To get an idea of how unsafe running untrusted Java is, hang around here: http://java-0day.com/
Always use click-to-play, and well, don't click.

My only suggestion here can be: use exchanges as exchanges, and keep a nice offline wallet for savings. Seriously, it's easy, you don't have to trust the site and it doesn't get hacked. You can have one for $35 (https://gist.github.com/FiloSottile/3646033)
bitbully (OP)
April 11, 2013, 12:27:12 PM
 #18

Thanks for the input guys. I know that my software choices in life may have made me more vulnerable to such attacks. But all the technical details aside, it's CLEAR that this site is built and targeted methodically at mtgox users, and that these perps are doing their best to attack mtgox users however they can. Whether that means through phishing scams, XSS, keyloggers, Java exploits, human social engineering, etc., mtgox should take a proactive role in curbing these attempts.

The reason I chose mtgox is because they are the biggest and most well known. My assumption is that I would be insured against such common hacking tactics. They are holding massive amounts of wealth, and just like banks, forex companies, and PayPal, mtgox should bear a certain degree of responsibility for hacked accounts. I don't think we can expect the masses to adopt bitcoins if they need to have a degree in IT security just to protect their funds, much less in a hosted soft wallet environment.
Dervie
April 11, 2013, 12:46:33 PM
 #19

Lol, I guess my attempt to get the virus detected by more than 16/42 antiviruses didn't help huh? As soon as I saw the website posted in the chatbox, I immediately warned people NOT to go on it and the user was banned for 3 days. Oh well, now you know.
drawingthesun
April 11, 2013, 12:49:06 PM
 #20

Please don't blame MtGox, this is what you accepted, you allowed a Java executable to run and gave it permission to run outside the sandbox.

https://news.ycombinator.com/item?id=5531507