How I got robbed of 34 btc on Mt.Gox today

[Rampion]

What part is the fail? or everything I guess? To others and to you maybe.

I also use Deep Freeze. Turns my whole computer into it's own sandboxed VM, so any malware disappears on reboot.

Not having 2 Factor Auth when dealing with MONEY is FAIL.

You have very long random passwords? There's many other ways to compromise a system, both server or client side. Only truly secure way is 2FA

You use Deep Freeze? Not secure at all. Did you read the OP? Deep Freeze will do nothing to protect you from certain attack vectors.

[PuertoLibre]

Thx doobadoo for the advice.

Moved to a clean system until I wipe infected one, all passwords reset, was using chrome and win7 and you don't have to tell me I know the risks of using Microsoft. I'm on top of my security, always have been but this trojan was well crafted, I mean when the incentive is there you'll have the entire online underground mafia programming these things. These guys must be making a killing. I think the payload was both a browser java instance and custom keylogger executable. But I'm not an expert all I know is the second I clicked on that site my bitcoins were withdrawn near instantaneously, and I had mtgox.com open and logged in on another tab.

Crossing my fingers mtgox will help.

What is Yubikey? How does one go about enabling 2 step authentication?

[zeroday]

To anyone - be careful, It's still not detected by the most of antiviruses.
https://www.virustotal.com/en/url/bd2178330605ace1a5d050b0a45aecfcd4ef0a751d0b8ae40cc35e796c58f42b/analysis/1365696137/

Sun Java still have non fixed vulnerabilities. Use FlashBlock and NoScript add-ons for Firefox. Don't use IE.

[mrb]

their site is not secured against such rudimentary attacks

Very sorry about your loss. However: there is nothing else that MtGox could have done to secure against such rudimentary attacks.

You got owned by a Java exploit which can apparently execute arbitrary code on your computer. So it can log in as you on mtgox.com and do everything that you can do yourself. Even if you had no active session on MtGox, and were using the Yubikey to authenticate, the malware would still have been able to steal your coins: it could have stayed in the background, waiting for a browser session to mtgox.com to be active before hijacking it to perform the transfer. Maybe it could even have installed a persistent malware on your PC that would start running at boot time and wait for you to log in, one day, with a Yubikey, before stealing the coins.

Note: by default MtGox utilizes the Yubikey for logins only, not for transfer operations, but it is possible to configure your account to require it for transfers. You should have enabled this feature.

[k9quaint]

OP ran Java in a browser.
OP clicked on a link from some random internet personage.
Everything that followed was a logical result of these two actions.

[moni3z]

Actually this is 100% your own fault. You screwed yourself by clicking on anything in the btc-e trollbox which is basically where all of antichat.ru go to steal coins from the low hanging fruit running java enabled browsers.

[juice]

noscript will help as long you know what to allow

also you could use a mandatory vm to surf the web

[doobadoo]

I use Windows XP and Firefox. I don't get virus'd often, or very rarely, and usually is because I intentionally run something I'm not supposed to. Although two factor authentication is nice, I find that I personally don't need it, since I never access any important sites insecurely, and all have good long unguessable passwords.

Recommend you harden FF a little.  Disable the java plugin  (tools addons).   Make sure you are running the newest FF.  Install Noscript and disable javascripts globally before accessing the Gox.  You can then "allow" each javascript one at a time from the sites you recognize.

while not goxing/blockinfo walleting, you can enable javascript globally.

Also, don't let the link to your cloud wallet touch your clipboard.

NoScript has a built in xss deterrent, not perfect, but it tries to sandbox all the javascript so that jscripts from different sites cant communicate.

[moni3z]

Easy guide to not being robbed of all your coins:

- USE 2-FACTOR AUTH
- install noscript addon in browser and only enable trusted sites
- don't click anything in the trollbox
- download and install Common Sense 2013 to prevent yourself from clicking random email links too

[InqBit]

Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.

Sorry for your loss, but no, Mt. Gox should not refund you for your losses. You pretty much violated every tenet of online security and got caught in a phishing net in doing so.

[420]

Internet explorer?

Use firefox with noscript, would have probably prevented xss.  As for the 0day javascript exploit, no script will save your bacon their two, only allow scripts you can identify and trust.

That keylogger it ran, was it actually installed to the system or was it just running in the browser?  Boy thats win 8 for ya.

change ur email and banking passwords. after you've done a clear install.

consider linux or os x

are you saying theres a windows 8 fault?

[Raoul Duke]

Só, you stupidly run a java programa on your browser and end up with your mtgox credentials compromised and now Mtgox should reward your stupidity?

Right...

[deepceleron]

If your computer is compromised by a remote exploit allowing arbitrary code execution, you should pull the machine offline, backup whatever data-only files you need from another system, and wipe and reload. It is near-impossible for the average user to detect or sanitize a hacked machine -  the computer can be rootkitted, have a remote access toolkit installed, keylogger, etc. and other things will fall such as stored passwords in web browsers, bitcoin wallet, personal files. Best pull the cat5 immediately.

Java has never not had 0-day applet vulnerabilities, it is broken by design, there's always new ones to be found. Best to kill it with fire.

[crazyfingers]

I also saw this link posted multiple times in BTC-E chat. After people pointed out the person was posting a virus, the moderator bans him for 1 HOUR. I think BTC-E must be getting kickbacks from this or something. I have seen people banned for DAYS for the harmless act of posting in all caps. But someone blatantly attempting to steal coins from BTC-E customers is allowed to try again in 1 hour, instead of being banned forever as they should have been.

Just the fact that they have that chatbox, especially on the trading page with no obvious way to disable it, shows what an unprofessional exchange it is. BTC-e is not to be trusted IMO.

[lucb1e]

If you are also a victim of this exploit, I might know someone who can provide more information. One of the exploits was hosted on a friend's site (he's aware of it, removed the files and related accounts, and is now looking at further options -- records of IPs and such are kept). I've already contacted the OP.

In case you want to start a legal procedure or something (because this is, at least in the jurisdiction the files were uploaded, both stealing and computer fraud), this kinda info might be useful. Send me a PM if you want to get in touch, and please explain your situation and why you want to get in touch. I'm not going to redirect lots of random people.
I can also relay messages and questions if you wish.

[mrb]

I also saw this link posted multiple times in BTC-E chat. After people pointed out the person was posting a virus, the moderator bans him for 1 HOUR.

They would have banned him longer and/or permanently, had the malware been stealing from btc-e.com accounts instead of mtgox.com 

[simplydt]

I'm sorry this happened to you. Hopefully this will help protect other potential victims. The hardest lessons in life are also the ones we remember the best. You will now never forget:

a) never follow links on the web unless you are absolutely certain that the site it leads to is trusted
b) never ever click something on a page that looks a bit dodgy

Just be thankful, that you learned this for about $4k, you could have easily lost $20-$50k+ if you had been careless in the future without having learned this lesson. Whenever I lose big amounts of money for a good lesson learned, I always remind myself that if I studied in the ivy league Id have lost $160,000+ But I didn't, so I have some buffer room for other real life mistakes!

[Herodes]

their site is not secured against such rudimentary attacks

Very sorry about your loss. However: there is nothing else that MtGox could have done to secure against such rudimentary attacks.

You got owned by a Java exploit which can apparently execute arbitrary code on your computer. So it can log in as you on mtgox.com and do everything that you can do yourself. Even if you had no active session on MtGox, and were using the Yubikey to authenticate, the malware would still have been able to steal your coins: it could have stayed in the background, waiting for a browser session to mtgox.com to be active before hijacking it to perform the transfer. Maybe it could even have installed a persistent malware on your PC that would start running at boot time and wait for you to log in, one day, with a Yubikey, before stealing the coins.

True, and that's one advanced piece of code, but there's people out there who would be able to pull it off..

[ripper234]

bitbully,

I'm sorry for your loss. However, I was under the impression this attack was an XSS style attack, which I would expect Mt. Gox to compensate you for if it were the case, since not properly defending against XSS attacks would be pure negligence on their part.

Still, you need to provide some evidence that this is an XSS and not just a keylogger/trojan.
If the attack is not XSS based, but simply involved a trojan stealing your credentials and replaying them to Mt. Gox, then the responsibility and fault for this attack is only yours (painful words to hear, I know).

Thanks for the input guys. I know that my software choices in life may have made me more vulnerable to such attacks. But all the technical details aside, it's CLEAR that this site is built and targeted methodically at mtgox users, and that these perps are doing their best to attack mtgox users however they can. Whether that means through phishing scams, xss, keyloggers, java exploits, human social engineering, etc... mtgox should take a proactive role in curving these attempts.

I don't think it's their job to do it. They need to make their site secure against the common threats like XSS, but they can't be held responsible for trojans running on your computer executing orders on your behalf. It's simply not their job.

The reason I chose mtgox is because they are the biggest and most well known. My assumption is that I would be insured against such common hacking tactics.

Really?

Mt. Gox is not a bank.
Assumption is the mother of all fuckups.

They are holding massive amounts of wealth and just like banks, forex companies, and paypal, mtgox should bare a certain degree of responsibility for hacked accounts. I don't think we can expect the masses to adopt bitcoins if they need to have a degree in IT security just to protect their funds, none the less in a hosted soft wallet environment.

Bitcoin right now is not ready for mass adoption. Better security like Hardware Wallets and insured Bitcoin Banks are needed. The potential gains for investors/speculators right now are there for the taking precisely because it's so hard.

[caffeinewriter]

As much as I would like to say that it's not your fault and turn my head to Mt. Gox to completely reimburse you, this was completely your fault.


Let's take a look at the red flags.

• The domain wasn't MtGox.com
• It was preying on your wants
• There was some random guy in chat bragging about it

The biggest thing is you allowed the Java to run.

But let's look forward to the future.

1. Always keep your Java updated.
2. Consider installing something like QuickJava for Firefox, or just outright disabling it in Chrome. Alternatively if you use IE, consider a blowtorch and sledgehammer.
3. Always think before you leap. Today, user interaction isn't required for most viruses to jump onto your computer and take control, except for that first step of going to it.
4. Drink more coffee. It's worked for me.
5. Like you said, add in two-factor authentication.

Welp, I'm off to set up a VM to deconstruct this exploit in. I'll report back if I find out any more technical details.