Bitcoin Forum
Author Topic: How I got robbed of 34 btc on Mt.Gox today  (Read 124827 times)
Dabs
April 12, 2013, 12:35:56 AM
 #61

Not having 2 Factor Auth when dealing with MONEY is FAIL.

You have very long random passwords? There's many other ways to compromise a system, both server or client side. Only truly secure way is 2FA

You use Deep Freeze? Not secure at all. Did you read the OP? Deep Freeze will do nothing to protect you from certain attack vectors.

Yes, it's more secure with 2 factor auth, but my personal experience has been more hassle than it's worth, and I regularly deal with thousands of dollars worth on other sites. However, it's the fault of the bank or site that does not offer 2 factor auth. It just so happens that I have no choice to deal with certain banks (in my country), and they don't offer 2 factor auth.

So what I do, when I have to access those sites, I restart my computer so anything that was there from random browsing is gone. Then I go only to those sites to do what I have to do. I believe I have the client side secured more than enough. I also believe the server side isn't as secure as I prefer it to be, but I can't do anything about that until they upgrade their systems.

Deep Freeze (and other similar stuff like sandboxie, return nil, etc) isn't meant to protect you from your own user initiated mistakes like clicking on links or running programs. I have it primarily to fix my system to my last known good working configuration every time. Updates to software like Firefox and OS are done manually, and usually after doing a reboot first.

I actually live relatively "dangerously" online. But I take responsibility for what I do. When I have to deal with someone else's money, I just have to be more vigilant about securing what I'm working on.

darkmule
April 12, 2013, 12:57:48 AM
 #62

I tend to live somewhat "dangerously" as well, but to allow Java to run, unbidden, from any web browser is foolhardy in the extreme.  I now no longer allow Java to run at all, except when I issue it from a shell command line (not as root) and with known software from a known source, just like allowing any other application to run.
bitbully (OP)
April 12, 2013, 04:17:48 AM
 #63

Thanks for the support everyone.

Just to reiterate, a java applet was never run, clicked on, or allowed to execute by me. I'm reading there was more than one attack vector in the page. There was a java initiated executable payload, which contained at the very least a keylogger - yet within seconds of clicking on the link the withdrawal was already initiated, leaving no time for the attacker to sniff my passwords and manually perform a withdrawal. The password was also changed after the withdrawal. Additionally there could have been a session token theft, or some form of XSS.

My understanding from two different IT security consultants is that mtgox's website security is sub-par. Instead of everyone trying to blame me or mtgox, perhaps the discussion should be about how we can stop this from happening in the future. I'm trying to make a point that however this trojan was crafted, it is very good at instantaneously emptying out your account. Someone could repackage it tomorrow and this whole story will repeat itself. No antivirus detects it, and it works directly with mtgox's site. I don't understand how some of you feel like this shouldn't be of concern to mtgox.

I'll be waiting for a response from mtgox, and will update if and when I receive a response. I do recognize however there is an uncomfortable situation over there right now, with bitcoin price going crazy, potential ddos attacks, thousands of new users in queue, under-staffing and system overloads. I mean their website isn't even loading right now and their pricing api isn't working...

Makes me real hopeful to see colored bitcoins and atomic swaps come to life.

I appreciate all those who are helping me both publicly and privately.
forbun
April 12, 2013, 04:32:14 AM
 #64

Is it possible for this exploit, or a similar one, to work on Mac OS X?

bitbully (OP)
April 12, 2013, 05:52:10 AM
 #65

Hey Frott,

You bring up a lot of good points. I'm not an expert with the terminology. The 0-day exploit was referenced in a post from 3 days prior:

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

and was suggested as a possibility of how the script was able to run automatically. Others have said my security settings were misconfigured.

I know the trojans detected by malwarebytes were from that site because AdobeUpdate-Setup.1.84.exe is the downloaded file from that site. It was definitely from that website and the file dates/times match.

I was able to grab most of the site but some files are missing so if anyone has a full rip please PM me. I have forwarded it to security researchers and they are reverse engineering it as we speak. So far we know that it was a "Dark Comet" keylogger, but that's only part of what I was able to grab, so until I get a hold of the rest of the site I won't know everything that was implemented.

I'm not claiming to know exactly how it worked, but what I do know is that it was fast, unexpected and painful. In the end I'm just happy that people are becoming aware of how easy it is to lose all your mtgox btc in the blink of an eye, and yes taking extra security precautions is a must and let this be a lesson to me and all others (Seems I'll be paying the tab this time...).
forbun
April 12, 2013, 06:17:51 AM
 #66

Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?

Rampion
April 12, 2013, 06:50:00 AM
 #67

Is it possible for this exploit, or a similar one, to work on Mac OS X?

Yes.

lucb1e
April 12, 2013, 10:17:25 AM
 #68

Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?
Safest bet is a camera. Or if you trust the malware not to quit the screen recording program, and I don't think it will, use a screen recorder like Fraps or Hypercam or one of the thousand others.
P_Shep
April 12, 2013, 11:42:47 AM
 #69

It's not all bad, You made the BBC news, bitbully!

http://www.bbc.co.uk/news/technology-22120833

Oh, wait... :/
Stephen Gornick
April 12, 2013, 11:50:38 AM
 #70

They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this.

Incidentally, they do have a method that is secure against this ... Yubikey, and Google Authenticator.

Happens a lot:

MtGox account got cleared out
 - http://bitcointalk.org/index.php?topic=85533.0

All BTC disappeared from my Mt. Gox account
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another: My mtgox account got compromised, what can I do?
 - http://bitcointalk.org/index.php?topic=84585.0

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - http://bitcointalk.org/index.php?topic=89142.0

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - http://bitcointalk.org/index.php?topic=119816.0

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - http://bitcointalk.org/index.php?topic=93074.0

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - http://bitcointalk.org/index.php?topic=94140.0

And even more: *MY* Mt Gox Account was Hacked - lost it all today... now what!?
 - http://bitcointalk.org/index.php?topic=137795.0

Ditto: My MtGox account was just exploited - 3 BTC stolen
 - http://bitcointalk.org/index.php?topic=141816.0

Ditto on the ditto: Just lost 190 bitcoins through Mt. Gox
 - http://bitcointalk.org/index.php?topic=141831.0

And other ones get added to the list: Unauthorized withdrawal on Mt. Gox
 - http://bitcointalk.org/index.php?topic=147070.0

And now this: How I got robbed of 34 btc on Mt.Gox today
 - http://bitcointalk.org/index.php?topic=173227.0

And another recent one: My funds and BTC have just disappeared from my Gox account!
 - http://bitcointalk.org/index.php?topic=174556

And on other services as well. Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

And elsewhere, BitMarket.eu in this instance:
 - http://bitcointalk.org/index.php?topic=5441.msg1259168#msg1259168

And on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - http://bitcointalk.org/index.php?topic=130264.0


In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Also, here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - http://bitcointalk.org/index.php?topic=111943.0


juice
April 12, 2013, 01:43:23 PM
 #71

guys they did it again !
but gox hashed the pw right with salt so strong pw are safe but if you typed in flipper or some shit
change it now!
zenid
April 12, 2013, 07:11:12 PM
 #72

"In order to see Chatbox or to communicate with us. Please Update java at the top of the page.

- If the Download did not worked, Click Here"

Is this verbatim? The "If the Download did not worked" maybe should have set off alarm bells...
Horrible story though, really sad for the guy.

I'm thinking of doing an Ubuntu boot purely to run a browser in for trading. People are right to warn about Windows, - it's much harder to defend against malware...
2weiX
April 12, 2013, 07:13:19 PM
 #73

three words:

YU BI KEY
zenid
April 13, 2013, 12:15:16 AM
 #74

Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?
I use Debut Video capture. It will record a sizeable rectangle of screen to .avi or other video format.
Herodes
April 13, 2013, 12:30:08 AM
 #75


Yes, it's more secure with 2 factor auth, but my personal experience has been more hassle than it's worth [...]

I believe I have the client side secured more than enough.

So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info [...]

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.

[...]

Some while later at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
[...]


Just take it as a lesson learned, and don't get defensive. You screwed up, and paid for it. I'm sorry about your losses.
muyuu
April 13, 2013, 06:55:13 PM
 #76

You guys should check you don't appear in any of these lists:

http://pastebin.com/search?cx=partner-pub-4339714761096906%3A1qhz41g8k4m&cof=FORID%3A10&ie=UTF-8&q=Compromised+MTGox+account+info&sa.x=0&sa.y=0&sa=Search

legendster
April 13, 2013, 09:42:29 PM
 #77

When I grow up I wanna be a haccker JUST like these guys, and I wanna rip off guys like you just CLICK and FORGET!

In spite of being a techie how the hell could you be so irresponsible ! EVEN 34 BTC at a time like this can cause some damage... No wonder the SLL/BTC prices plummeted today !


MPOE-PR
April 14, 2013, 10:30:20 AM
 #78

So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info (do not open unless you know what you are doing) claiming a video announcement that mtgox was going to start trading litecoins.

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.



Some while later at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
Transaction reference: 97235bfd-9909-4020-9f06-e9d318c1ef7f
 
Date: 2013-04-11 02:06:22 GMT
 
IP: 198.203.29.120

You can access your account history for more details.

Please contact us as soon as possible by replying to this email if you did not request this withdrawal.

Thanks,

The Mt.Gox Team
------------------------------------------------------------

I immediately responded back to them, but what I discovered is that the withdrawal had been instantly processed and already confirmed in the blockchain:

https://blockchain.info/tx/bb30f2f110ba5b7bb60812bc3d7744f5086f6b4a38439566f1888a8d26e1fbec



which left less than a third of a bitcoin in my account. I then realized that this withdrawal happened at the EXACT time I accessed the mtgox-chat website based on my browser history. I then realized that I only received my notification email from them much after the fact apparently because their servers are overloaded and not functioning correctly.

Being a techie, I started researching. I found out that this site is hosted here in the USA. I also found out that the withdrawal was submitted from an IP in Los Angeles even though I have been accessing mtgox from Pennsylvania / New York. I then discovered that the site is a teleport pro rip of bitcoincharts.com branded with a mtgox logo, and was registered on namecheap (with bitcoins as it may be) not even 5 days ago! This is the IP resolve of the domain name.



I then discovered that the site is loaded with a java script which, based on an initial analysis by my java programmer friend, is a 0 day java exploit with a cross site injection attack, which automatically started. It also contains an additional keylogger payload, all customized specifically for mtgox. They even "offer" an easy to use file download link for those whose browsers are not running java. This script INSTANTANEOUSLY initiated a mtgox withdrawal of nearly all my btc (34btc) in the background (I was logged into mtgox on that browser, seemed to be using some form of proxy to access my browser cookie cache it would seem) and then changed the account password so I couldn't login anymore. This was proven to be 100% automatic as the withdrawal occurred the same exact minute I accessed that website for the first time.

It then continued to gather all my computer passwords and logged everything I was doing including my blockchain account (as I eventually located the log files) and then sent it to the hackers / script kiddies.  Luckily I have dual password protection on my blockchain wallet otherwise all my other bitcoins would be gone too. I wouldn't just call them just script kiddies because this script was very specific and well written for the mtgox website.  I had two antiviruses running and neither caught it. Only later malwarebytes picked it up as a well encoded trojan payload executable.



Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.

This is just further proof that the website "logged in" model is not workable for this application. Using a site built on a fundamentally broken paradigm will unavoidably yield this sort of result.

jl2012
April 14, 2013, 01:38:52 PM
 #79

You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

darkmule
April 14, 2013, 08:09:18 PM
 #80

You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

Conceivably, an exploit like this could lie in wait until you use two-factor and then hijack your existing session to do whatever.  While the OP did, IMO, screw up, Gox has some responsibility to monitor their own computers.
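
Posts #70 and #80 both turn on the same design question: a logged-in session alone was enough to authorise the withdrawal, and an OTP checked only at login can still be ridden by whatever controls the browser afterwards. The sketch below is an added example, not Mt. Gox's code and not posted by anyone in the thread; it contrasts a session-only withdrawal handler with one that requires a fresh, single-use TOTP code for each withdrawal. `Account`, `withdraw` and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, int(now) // STEP)


class Account:
    """Hypothetical exchange account; balance kept in satoshis."""

    def __init__(self, secret: bytes, balance_sat: int):
        self.secret = secret
        self.balance_sat = balance_sat
        self.last_counter = -1  # highest time step already accepted


def verify_otp(acct: Account, code: str, now: float, window: int = 1) -> bool:
    """Accept a code from the current step +/- window, and never twice."""
    current = int(now) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= acct.last_counter:
            continue  # replay protection: this step was already used
        expected = hotp(acct.secret, counter).encode()
        if hmac.compare_digest(expected, code.encode()):
            acct.last_counter = counter
            return True
    return False


def withdraw(acct, session_ok, amount_sat, otp, now, require_otp=True):
    """session_ok models 'request carried a valid session cookie', which a
    background request from the victim's own browser also satisfies."""
    if not session_ok:
        return "denied: no session"
    if require_otp and not verify_otp(acct, otp or "", now):
        return "denied: otp required"
    if amount_sat > acct.balance_sat:
        return "denied: insufficient funds"
    acct.balance_sat -= amount_sat
    return "ok"


def demo():
    secret = b"12345678901234567890"  # constructed sample (RFC 6238 test key)
    now = 59                          # constructed clock value
    full = 3_400_000_000              # 34 BTC in satoshis
    weak, strong = Account(secret, full), Account(secret, full)
    results = {}
    # Background request riding the session, no second factor available.
    results["session_only"] = withdraw(weak, True, full, None, now,
                                       require_otp=False)
    results["stepup_no_otp"] = withdraw(strong, True, full, None, now)
    # Legitimate user supplies a code from a second device.
    code = totp(secret, now)
    results["stepup_user"] = withdraw(strong, True, 100_000_000, code, now)
    # Same code captured and replayed a few seconds later.
    results["stepup_replay"] = withdraw(strong, True, 100_000_000, code,
                                        now + 5)
    return results, weak.balance_sat, strong.balance_sat


if __name__ == "__main__":
    print(demo())
```

A per-withdrawal code narrows the window darkmule describes but does not close it if malware on the same machine can capture the code as it is typed; generating codes on a second device, as post #70 suggests, keeps the secret off that machine.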