juniper (OP)
Newbie
Offline
Activity: 7
Merit: 0
|
|
April 21, 2013, 04:45:34 PM Last edit: April 22, 2013, 11:54:31 AM by juniper |
|
New to BTC but I know what I'm doing. Bought some play BTC at VirWox. Just the other day got an e-mail confirmation that the account was drained to an address that I don't recognize (edit: not technically gambling my money away...yet). Unusual is that I am using a very strong password (random letters and numbers). Have just sent note to VirWox about this. Have examined my computer, no infection. Not sure how they got my password. Has anyone else had experience with VirWox about this sort of thing? Take care, as their security may have been breached.EDIT: Read to bottom. Not VirWox. My computer was compromised. Will post more details here when I've sorted it out. Appears related to this: https://bitcointalk.org/index.php?topic=180746.0. tl;dr: I broke my cardinal rule. I allowed JAVA to run in my browser.
|
|
|
|
syebotext
Newbie
Offline
Activity: 14
Merit: 0
|
|
April 21, 2013, 05:11:16 PM |
|
Thanks for the headsup. I was thinking about transferring some of my funds there to get them out by Paypal but now I will not do that.
|
|
|
|
juniper (OP)
Newbie
Offline
Activity: 7
Merit: 0
|
|
April 21, 2013, 05:14:35 PM |
|
I will keep this forum posted with any response I hear from them.
|
|
|
|
Moebius327
|
|
April 21, 2013, 08:02:02 PM |
|
Is there any update on that? I am considering buying Linden with PP and exchanging to BTC.
|
|
|
|
hitman_8787
Newbie
Offline
Activity: 58
Merit: 0
|
|
April 21, 2013, 08:05:59 PM |
|
interested in this too.
|
|
|
|
blue42
Newbie
Offline
Activity: 12
Merit: 0
|
|
April 21, 2013, 08:29:17 PM |
|
Be sure to use two-factor authentication on all your bitcoin services.
|
|
|
|
juniper (OP)
Newbie
Offline
Activity: 7
Merit: 0
|
|
April 21, 2013, 09:25:00 PM |
|
I'm still here. VirWox got back to me. Someone from a 63.* (US address, which I may post in full here later) hit my account, logged in on the first try, no failed attempts, and moved the money. They then showed up once more 10 hours later to see the transfer still in progress. I've been told I may be compromised. Now, I appreciate this may be true, and I continue to scan. However, I've run virus and malware scans, and they've turned up nothing. This computer was just bought about 6 months ago and is relatively fresh. I'm reasonably safe about things and don't install stupid software.
The reality is that I made this account about a week and a half ago. I threw small amount of money in at the time. I then threw a little bit more. I was debating where to move the BTC to when, four days after my last deposit, the thief hit my account dead on, first try, and moved the money. On a 12 character random password with letters and numbers that's pretty amazing. But if I were compromised, how did they manage to track me so closely that the very first time I put money into BTC (and not that much) they strike? Why not wait until I put more? And how did they know right now?
Things still don't add up for me.
Yeah 2-factor is great. If this hadn't have been a play account, sure, absolutely use 2-factor. But that also doesn't solve the mystery of the spectacular coincidences above.
|
|
|
|
zinner27
Newbie
Offline
Activity: 34
Merit: 0
|
|
April 21, 2013, 09:29:12 PM |
|
Are you using Wifi router? Do you live alone or have somebody at your place who could use ur computer?
Hard to say about keylogers etc many of which are not detectable...
|
|
|
|
juniper (OP)
Newbie
Offline
Activity: 7
Merit: 0
|
|
April 21, 2013, 09:33:09 PM |
|
Are you using Wifi router? Do you live alone or have somebody at your place who could use ur computer?
Hard to say about keylogers etc many of which are not detectable...
WiFi locked with WPA2-PKIP, strong password of about 24 characters, and the router MAC address locked to the five or six wireless devices that use it. I thought of that and checked it. Mystery goes on. Spybot clear. On to MBAM.
|
|
|
|
hitman_8787
Newbie
Offline
Activity: 58
Merit: 0
|
|
April 21, 2013, 09:50:39 PM |
|
Maybe a "friend" of yours who has access at your computer and knew you've deposited money?
|
|
|
|
juniper (OP)
Newbie
Offline
Activity: 7
Merit: 0
|
|
April 21, 2013, 09:54:46 PM |
|
Maybe a "friend" of yours who has access at your computer and knew you've deposited money?
No. I found it. MBAM detected trojan. Now to figure out how long it's been on my system. Still amazing they detected the deposit as shortly after I made it as they did. Will post details shortly, but the long and short is check /%user/appdata/roaming/windir/svchost.exe.
|
|
|
|
GerMG
Newbie
Offline
Activity: 14
Merit: 0
|
|
April 21, 2013, 09:54:59 PM |
|
allways 2 factor
|
|
|
|
juniper (OP)
Newbie
Offline
Activity: 7
Merit: 0
|
|
April 22, 2013, 11:57:30 AM |
|
For anyone who is interested, I landed on a page purporting to have some java on it. When nothing happened I simply left, but the java had already dropped a file on my system %USER%\AppData\Roaming\smss2.exe, that I believe retrieved further payload of a keylogger from a remote server. The keylogger ran as SVCHOST.EXE and lived in %USER%\AppData\Roaming\WinDir\svchost.exe and I believe dropped a log under \Roaming.
Avast missed it. Spybot missed it. MalwareBytes caught it.
Anyone who can decode: ufHIl_IOk please let me know. (There's more text but I don't want to post it here.) It's probably a ROT code.
|
|
|
|
juniper (OP)
Newbie
Offline
Activity: 7
Merit: 0
|
|
April 27, 2013, 06:20:33 PM |
|
No dice on the text decoding anyone?
|
|
|
|
|