Author Topic: Urgent Beware - My Blockchain.info account was drained!  (Read 6967 times)
favdesu
August 13, 2013, 06:49:37 AM
 #21

phishing and/or compromised pc. 100%

Maybe a site from bitvisitor?

How much did you lose?

AAleron (OP)
August 13, 2013, 07:25:09 AM
 #22

Quote
what was your blockchain's bitcoin address?

The one that was robbed was: 1Cqfi7gKrbGgQuWNpGrziDzmaNoY2cGGjV

So I opened a new one (in last post); even though I changed the password and locked the IP address, I don't trust using the old one now.

Quote
phishing and/or compromised pc. 100%

Maybe a site from bitvisitor?

How much did you lose?


I installed Bitdefender and did a deep scan, no trace of anything. Windows Defender didn't pick anything up either. The IP address I listed above came from my Blockchain log file.

Quote
Today 10:31:19   viewed login page   202.60.90.137   Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
(might be an anon ip of course)

It stood out, as coming from Australia with a different IP address to mine obviously and they viewed my login page at the same time I was logged in to the wallet.

Yes it may be bitvisitor site, some don't load with just a blank screen.

I'm embarrassed to say how much I lost, it's not like it was a fortune, luckily, but they were hard earned bitcoin. 1.4 bitcoin got wiped to zero.

The thing that bugs me is, imagine if you had 100 or 1000 bitcoin, you're just as vulnerable as my little pile. I've never had anything stolen from my bank online. This is the first time I've ever been attacked and I'm not a dummy when it comes to computers or guarding my security online. It's very worrying. I'm going to take escrow.ms's advice and go the paper route from now on.
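
The check described in post #22 (an access-log entry from an unfamiliar IP address while the owner was logged in), as an added example that is not part of the thread and is not Blockchain.info code. The field layout is assumed from the single log line quoted in that post; every other sample line, the action names `login` and `viewed wallet`, and the 15-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Only the 202.60.90.137 line comes from the thread; the
# other lines use documentation IP ranges and invented action names.
SAMPLE_LOG = """\
Today 10:24:02   login   198.51.100.23   Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20100101 Firefox/22.0
Today 10:31:19   viewed login page   202.60.90.137   Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Today 10:33:40   viewed wallet   198.51.100.23   Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20100101 Firefox/22.0
Today 14:05:11   viewed login page   203.0.113.9   Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/22.0
"""

# Assumed layout: day label, time, action, IP, user agent; the last four
# fields are separated by runs of two or more spaces.
LINE_RE = re.compile(
    r"^\S+\s+(?P<time>\d{2}:\d{2}:\d{2})\s{2,}(?P<action>.+?)\s{2,}"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s{2,}(?P<agent>.+)$"
)

def parse_log(text):
    """Return a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            # The day label is ignored: all entries are assumed to be same-day.
            ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S")
            events.append(ev)
    return events

def flag_foreign_activity(events, own_ips, window=timedelta(minutes=15)):
    """List events from IPs outside own_ips; the last tuple field is True
    when the event falls within `window` of the owner's own activity."""
    own_times = [e["time"] for e in events if e["ip"] in own_ips]
    flagged = []
    for e in events:
        if e["ip"] in own_ips:
            continue
        concurrent = any(abs(e["time"] - t) <= window for t in own_times)
        flagged.append((e["time"].strftime("%H:%M:%S"), e["ip"], e["action"], concurrent))
    return flagged

if __name__ == "__main__":
    for row in flag_foreign_activity(parse_log(SAMPLE_LOG), {"198.51.100.23"}):
        print(row)
```

A flagged entry with the last field set to True matches the pattern reported in the post: someone else touching the account during the owner's own session.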
favdesu
August 13, 2013, 07:28:51 AM
 #23

1.4 is still a good amount... sorry for your loss.

I'd say inputs.io has better security, maybe you could check it out. I'm using both services btw :)

AAleron (OP)
August 13, 2013, 07:54:48 AM
 #24

Quote
1.4 is still a good amount... sorry for your loss.

I'd say inputs.io has better security, maybe you could check it out. I'm using both services btw :)

Thanks, yeah, it's enough to hurt. I will check out inputs.io.

For anyone who's interested, the wallet that took my money was 1MfSeNc7p1cA28e9w7FE48qLJUfQT986MX

IP address 202.60.90.137 traces to

person:         Jon Eaves
nic-hdl:        JE11-AP
e-mail:         noc@dedicatedservers.net.au
address:        Ground Floor
address:        14 Finchley Street
address:        Milton QLD 4064
phone:          +61-7-3412-9582
fax-no:         +61-7-3018-0422
country:        AU
changed:        noc@dedicatedservers.net.au 20090211
notify:         noc@dedicatedservers.net.au
mnt-by:         MAINT-AU-DEDICATEDSERVERS
source:         APNIC

OnkelPaul
August 13, 2013, 08:12:45 AM
 #25

Quote
IP address 202.60.90.137 traces to
...

Sounds like a hosting facility. Very likely the IP address belongs to a server which has been hacked itself (some outdated CMS software is most often the culprit). If you're very lucky they would be able to provide you with log data for the hacking incident, but since you're not their customer, they will most likely not go through the trouble to do all the forensic work and find out who hacked the server.

Onkel Paul

escrow.ms
August 13, 2013, 08:17:30 AM
 #26

Quote
1.4 is still a good amount... sorry for your loss.

I'd say inputs.io has better security, maybe you could check it out. I'm using both services btw :)

Thanks, yeah, it's enough to hurt. I will check out inputs.io.

For anyone who's interested, the wallet that took my money was 1MfSeNc7p1cA28e9w7FE48qLJUfQT986MX

I can only see a 0.2 BTC transaction from your wallet to this one. ???


http://blockchain.info/tx/a7676c33ef493e08fc87346569718015fc6063d064f19a977c7aa70de1462dc0
AAleron (OP)
August 13, 2013, 08:33:06 AM
 #27

oh shit, that was the wrong one, it was 0.2277 something that went, my mistake

I looked at the total amount deposited, not the actual transaction
J35st3r
August 13, 2013, 08:40:55 AM
 #28

Quote
oh shit, that was the wrong one, it was 0.2277 something that went, my mistake


0.21776556 BTC according to http://blockchain.info/address/1Cqfi7gKrbGgQuWNpGrziDzmaNoY2cGGjV

The other spend transactions were way back in July (scroll down looking for the red tags). Did you lose anything from any of your other addresses?

1Jest66T6Jw1gSVpvYpYLXR6qgnch6QYU1 NumberOfTheBeast ... go on, give it a try ;D
AAleron (OP)
August 13, 2013, 08:48:13 AM
 #29

Quote
Did you lose anything from any of your other addresses?

Checking now.

When I logged back in everything was set to 0, so I assumed it was 1.4 or close to it.

escrow.ms explained that was because I removed Blockchain from the network listing.
AAleron (OP)
August 13, 2013, 08:55:37 AM
 #30

No, everything else seems to be OK. I lost 0.221776556, not 1.4 (that was wrong too, it was 1.03 total deposits). That's a relief, but still gone while I watched. I also had a deposit from bitvisitor. It's been a bad day, sorry...
DannyHamilton
August 13, 2013, 12:27:45 PM
 #31

Quote
No, everything else seems to be OK. I lost 0.221776556, not 1.4 (that was wrong too, it was 1.03 total deposits). That's a relief, but still gone while I watched. I also had a deposit from bitvisitor. It's been a bad day, sorry...

You really need to pay attention to what you are doing and what you are typing.  You can't even seem to keep straight how much you lost.

You didn't know how much bitcoin you had, you didn't know how much was taken, you wrote 1.4 when you meant to write 1.03, and then you wrote 0.221776556 when you meant to write 0.21776556.

It won't surprise me if you used your password somewhere insecure, or installed some trojan software that you acquired for free somewhere (well written trojan software won't show up in a virus scan no matter what scanning software you are using).

It really isn't possible for anyone to steal your bitcoins unless they have your password.  Therefore, the question is "How did the hacker get your password?"
AAleron (OP)
August 13, 2013, 05:12:09 PM
 #32

Yes you are correct. In my defense, for me it was around 2 am in the morning at the time I wrote that post and I was nearly brain dead anyway. It was a bad day.

You put it all down to a trojan and my password being abused. Of course, it was my laptop and in the end it must be my fault somehow, I agree.

You also don't seem to take the point that the only fraudulent transaction took place under my nose while I was logged in, i.e. at the same time, from an IP address on the other side of the world, logged and recorded. There have not been any other attacks, just one, at exactly the same time as I was logged in. I'm sorry I didn't lose more than 0.21. I got my numbers wrong because I was very tired.

Now, despite two deep scans from two up-to-date virus checkers I can find no trojans or worms or other keyloggers, the only password I used when it happened was the one for that wallet. So yes, it is most likely my fault somehow, but How? Exactly? Until I can find some help on that, I can't trust using my blockchain wallet from that laptop. As escrow.ms said, my best option is using a paper wallet until this issue is resolved. If it is so easy to strip an account, my personal trust in the system is shot and I would hate to have 10 or 100 bitcoins or even only 0.21 in any online wallet until I know I can trust it again. It's a significant security problem. Sorry to have upset you. Thanks for your help.


 
DannyHamilton
August 13, 2013, 05:54:13 PM
 #33

Quote
It was a bad day.

Clearly.

Quote
You put it all down to a trojan and my password being abused,

Not necessarily a trojan, just pointing out that a trojan won't necessarily show up in a virus scan, so the fact that "two deep scans from two up to date virus checkers" come up clean doesn't mean that there isn't a trojan installed.

Quote
Of course, it was my laptop and in the end it must be my fault somehow, I agree.

It's never right to blame the victim.  I wouldn't say "it must be your fault somehow", but it is good to understand what the possible attack vectors are so effort isn't wasted on things that aren't a threat and so that yourself and others can better protect themselves in the future.

Quote
You also don't seem to take the point that the only fraudulent transaction took place under my nose while I was logged in, i.e. at the same time, from an IP address on the other side of the world, logged and recorded. There have not been any other attacks, just one, at exactly the same time as I was logged in.

I am aware of that, and the timing is certainly suspect.  It is possible that the trojan waited for you to log in and type your password to capture it.  It is also possible that someone hacked their way into a remote desktop connection.  I suppose it's also possible that the timing was a coincidence.  Without more information about how the thief got your password, it is difficult to say why it happened while you were logged in.

Quote
How? Exactly? Until I can find some help on that, I can't trust using my blockchain wallet from that laptop. As escrow.ms said, my best option is using a paper wallet until this issue is resolved.

Agreed.  I'm very curious about how the thief got your password.  If you ever figure it out, please come back and let us know.  Such information will make it easier to inform others about how to protect themselves.

Quote
sorry to have upset you. Thanks for your help.

Upset me?  You've got to try a whole lot harder than that to upset me.  Even those who are putting all their effort into upsetting me rarely succeed.
AAleron (OP)
August 13, 2013, 07:44:41 PM
 #34

Yes, the timing is very significant and suggests remote desktop access. The password I used has never been written down anywhere, it's not in any user text file or doc. So keylogging or remote access seem to be the most plausible.

Also, I checked my Remote Assistance settings in system properties. They were mysteriously set to true. I know I had set them to false again when I upgraded to win8 several months ago (for some reason, annoyingly, the update had set them to true).

Update: I contacted the Australian server company for the suspect IP Address. So far, they have been very helpful and are looking to identify the user from their logs and time stamp etc...

I will post more when I know more.

Thanks again for your help. 
DannyHamilton
August 13, 2013, 07:51:30 PM
 #35

Quote
Yes, the timing is very significant and suggests remote desktop access. The password I used has never been written down anywhere, it's not in any user text file or doc. So keylogging or remote access seem to be the most plausible.

Also, I checked my Remote Assistance settings in system properties. They were mysteriously set to true. I know I had set them to false again when I upgraded to win8 several months ago (for some reason, annoyingly, the update had set them to true).

Update: I contacted the Australian server company for the suspect IP Address. So far, they have been very helpful and are looking to identify the user from their logs and time stamp etc...

I will post more when I know more.

Thanks again for your help. 

I'm curious, where did you get the IP address?
AAleron (OP)
August 13, 2013, 07:58:00 PM
 #36

From the user log file in Blockchain.info wallet account settings. I posted it above.
AAleron (OP)
August 17, 2013, 01:29:26 AM
 #37

No feedback to report.

All I can tell you is be very careful. There are many people trying to break into your wallets and you will get no help. Be very, very careful, change your password regularly, never write it down and keep wallet backups.
J35st3r
August 17, 2013, 07:46:23 AM
 #38

Quote
No feedback to report.

All I can tell you is be very careful. There are many people trying to break into your wallets and you will get no help. Be very, very careful, change your password regularly, never write it down and keep wallet backups.

I beg to disagree with this. Choose a strong password, do write it down and store it in your safe/bury it in your garden/wherever. You are far more at risk of forgetting a strong password than someone guessing it (and if it's a weak password, changing it every Tuesday is not going to help at all). But yes, backup your wallet, everywhere. If the password is strong enough then it's safe even if some cracker gets his hands on it. And if you're paranoid use cold storage (paper wallets), and keep multiple copies of them too.

stormlighter
August 17, 2013, 08:00:50 AM
 #39

Keep password security in mind:

J35st3r
August 17, 2013, 08:06:16 AM
 #40

XKCD is always a good read, but BEWARE brain wallets. They are not a panacea, you have to know how to create a strong passphrase. Take a look at this thread https://bitcointalk.org/index.php?topic=251037.0
