Used a bot, easy password, etc for Just-Dice use Google Authentic! Compromised~!

[monbux]

What bot did you use, who was this user, and how did he scam you?
Was the bot set up to cash out the bitcoins to the scammer?

[1715004270]

1715004270

[1715004270]

1715004270

[1715004270]

1715004270

[culexevilman]

If you paid for this bot, then really theres nothin to say, greed kills all...

http://dalanmao.net/

[dooglus]

- use different login/pass for each sites,

That seems to be the one that would have worked in this instance.

Someone had a list of usernames and passwords from a different site and tried them on Just-Dice.

Most of the usernames they tried didn't even exist on Just-Dice, but some did, and some of those use the same password as on the hacked site.

Some of those ones with the same username and password also had 2FA disabled, or had it enabled, but not required to withdraw.

Those are the people who lost coins.

The lesson here is twofold:

1) don't reuse passwords

2) do use 2FA when available

I'm sorry for people's losses.  It's an expensive way to learn about password security.  

Incidentally, I would be very interested to learn which site the list of usernames and passwords was hacked from.  If your account was compromised and you only used the same account details on a few other sites, please list those other sites here so we can see if a pattern emerges.

I've checked the logs.  It appears that the amounts stolen were (in size order):

0.00018560, 0.00069031, 0.00930999, 0.00990000, 0.01006117, 0.01137880, 0.01773303, 0.02915000, 0.04515912, 0.04542498, 0.04976687, 0.08471695, 0.60705816, 0.88197790, 3.87314367, 60.07364941

Total: 65.74930596 BTC.  The stolen coins were sent to 1GtAri6QDusZVFPtCBufA7ti6R34BxRwBB (14 transactions) and 1sCaMzrzY6sCaRMUY9WjM35QnwHYLyBEd (2 transactions).

If anyone would like to donate to make the victims whole, I set up address 1GbDrpVNGxC8CxfZrYMPVPZ2KNwvcXEHT7 for donations.  Anything sent there will go to the 16 who lost funds.

[aksplace]

- use different login/pass for each sites,

That seems to be the one that would have worked in this instance.

Someone had a list of usernames and passwords from a different site and tried them on Just-Dice.

Most of the usernames they tried didn't even exist on Just-Dice, but some did, and some of those use the same password as on the hacked site.

Some of those ones with the same username and password also had 2FA disabled, or had it enabled, but not required to withdraw.

Those are the people who lost coins.

The lesson here is twofold:

1) don't reuse passwords

2) do use 2FA when available

I'm sorry for people's losses.  It's an expensive way to learn about password security.  

Incidentally, I would be very interested to learn which site the list of usernames and passwords was hacked from.  If your account was compromised and you only used the same account details on a few other sites, please list those other sites here so we can see if a pattern emerges.

I've checked the logs.  It appears that the amounts stolen were (in size order):

0.00018560, 0.00069031, 0.00930999, 0.00990000, 0.01006117, 0.01137880, 0.01773303, 0.02915000, 0.04515912, 0.04542498, 0.04976687, 0.08471695, 0.60705816, 0.88197790, 3.87314367, 60.07364941

Total: 65.74930596 BTC.  The stolen coins were sent to 1GtAri6QDusZVFPtCBufA7ti6R34BxRwBB (14 transactions) and 1sCaMzrzY6sCaRMUY9WjM35QnwHYLyBEd (2 transactions).

If anyone would like to donate to make the victims whole, I set up address 1GbDrpVNGxC8CxfZrYMPVPZ2KNwvcXEHT7 for donations.  Anything sent there will go to the 16 who lost funds.

Good Idea and with some reasonable problem solving we can probably find the source of this.  

Did Casinobit recently "find" some bitcoins? if I recall some of the investors was recently paid "need source". So I guess we need to ask other victims, what bitcoin gambling companies have you joined and eliminate one by one?

[dooglus]

I would be very interested to learn which site the list of usernames and passwords was hacked from.  If your account was compromised and you only used the same account details on a few other sites, please list those other sites here so we can see if a pattern emerges.

I PM'ed one user who I saw had been compromised by the attacker.  He replied:

BTC-sites I can think of that have the same pw (though not necessarily the same login-name) are Bitcointalk, BTCT, Havelock and Bitfunder.

So there's datapoint 1.

Anyone else?

You may be wondering "was my account compromised?"  Well, here's a list of compromised userids:

   983
  2018
  2436
  2828
  3095
  3258
  3481
  4259
  6700
  8509
  8606
  8660
  8815
  9825
  9895
 10167
 11303
 12326
 12732
 34054
 34490
 36411
 38924
 43386
 44554
 46462
 48038
 48131
 48640
 48781
 56101
 57228
 58436
 61376
 64827
 67755
 69701
 69908
 70295
 71528
 74347
 78524
 79308
 79539
 80125
 83971
 84543
 84943
 94532
 98378
103149
103388
105449
107711
112714
115375
116667
119688
120272
121724
122727
127888
134617
135093
136202
148465
157053
157854
181501
182131

If one of these is yours, please tell me where else you used your JD password.

[SpaceJelly]

Two words...

Password Manager

Personally I use lastpass.com and have used roboform in the past but there are many more out there. You just need to remember one very secure master password then the rest you let the PW Manager handle it for you.

I have no idea what my password is for just-dice, or this forum without looking at my password vault! None are the same, all unique, and all very long with letters, numbers and symbols in them.

[dooglus]

Two words...

Password Manager

I condone this message.

[dooglus]

I've checked the logs.  It appears that the amounts stolen were (in size order):

0.00018560, 0.00069031, 0.00930999, 0.00990000, 0.01006117, 0.01137880, 0.01773303, 0.02915000, 0.04515912, 0.04542498, 0.04976687, 0.08471695, 0.60705816, 0.88197790, 3.87314367, 60.07364941

If anyone would like to donate to make the victims whole, I set up address 1GbDrpVNGxC8CxfZrYMPVPZ2KNwvcXEHT7 for donations.  Anything sent there will go to the 16 who lost funds.

Thanks for all the donations.  A total of 2.40995525 BTC was received so far (not including the guy who paid one of the victims back in full privately).  That's enough to pay all but the biggest three back in full.  If I give the biggest 3 the same as the 4th, then it totals 2.696 BTC.  I'll make up the difference:

0.00018560 0.00069031 0.00930999 0.00990000 0.01006117 0.01137880 0.01773303 0.02915000 [0.04515912] 0.04542498 0.04976687 0.08471695 0.60705816 0.60705816 0.60705816 0.60705816

I will refund the victims as soon as they reclaim their accounts and enable 2FA.  I don't want the attacker withdrawing the refunds too!

[wasserman99]

so just to confirm -- this is just because people recycled usernames and passwords right?

[Redcoin]

Seems the sites fault...  the site should of had a type of 2 factor authentication on the withdraw system compulsary. like enter an emailed pin or what ever.  And a system that blocks users who login mulitiple wrong accounts, and also alerts the site admins something dodgie is going on.

Until thats implemented it will keep happening.

[dooglus]

so just to confirm -- this is just because people recycled usernames and passwords right?

I can't be sure.  It's possible that some of the usernames and passwords were collected using a keylogger on compromised users' computers.

Someone claiming to be the hacker was in the JD chat talking about their "java driveby", which I imagine is some kind of exploit.  Disable the java plugin in your browser if you have it installed.

[dooglus]

Seems the sites fault...  the site should of had a type of 2 factor authentication on the withdraw system compulsary. like enter an emailed pin or what ever.  And a system that blocks users who login mulitiple wrong accounts, and also alerts the site admins something dodgie is going on.

I know you're new to Bitcoin gaming, but requiring users to register an email address typically doesn't fly.

[galbros]

Dooglus said it best on the other JD thread:

Because casual players want as few barriers between them and the dice as possible.  They want to deposit, play, maybe withdraw winnings, and forget about the account.  Account registration and 2FA is boring.

For people intending to leave coins on their accounts though, it's clearly a good idea to use 2FA.

In short, this is not JD's fault.

I also appreciate how open you've been about which accounts the hacker tried to access.

[dooglus]

I also appreciate how open you've been about which accounts the hacker tried to access.

Oh, in case I wasn't clear, those are accounts the hacker DID access.  Most of them either had no funds or were protected by 2FA.  'Only' 16 of them had funds that the hacker was able to withdraw.

[b!z]

so just to confirm -- this is just because people recycled usernames and passwords right?

I can't be sure.  It's possible that some of the usernames and passwords were collected using a keylogger on compromised users' computers.

Someone claiming to be the hacker was in the JD chat talking about their "java driveby", which I imagine is some kind of exploit.  Disable the java plugin in your browser if you have it installed.

This is what a java driveby looks like: http://www.xylibox.com/2012/07/sparkyjava.html

It will only be able to download and run malware if you allow it, which doesn't really make it an "exploit".

[KgBC]

Well maybe I'll get some pledges this time for making a bot that won't steal anyones cash... Any interest in this?

There are already open-source bots available.

Could you provide us a list of "known bots" for the website Rannasha? Also we are currently looking for a seasoned veteran coder to review such bots to insure safety and security for players.

Here is mine, support included
https://github.com/KgBC/just-dice-bot

Is running as python cli application, which I consider as much more stable than running in a browser window (especially thru tor).
Always download it from the original source above, so noone could compromise code.
Have Fun gambling

[01BTC10]

- use different login/pass for each sites,

That seems to be the one that would have worked in this instance.

Someone had a list of usernames and passwords from a different site and tried them on Just-Dice.

Most of the usernames they tried didn't even exist on Just-Dice, but some did, and some of those use the same password as on the hacked site.

Some of those ones with the same username and password also had 2FA disabled, or had it enabled, but not required to withdraw.

Those are the people who lost coins.

The lesson here is twofold:

1) don't reuse passwords

2) do use 2FA when available

I'm sorry for people's losses.  It's an expensive way to learn about password security.  

Incidentally, I would be very interested to learn which site the list of usernames and passwords was hacked from.  If your account was compromised and you only used the same account details on a few other sites, please list those other sites here so we can see if a pattern emerges.

I've checked the logs.  It appears that the amounts stolen were (in size order):

0.00018560, 0.00069031, 0.00930999, 0.00990000, 0.01006117, 0.01137880, 0.01773303, 0.02915000, 0.04515912, 0.04542498, 0.04976687, 0.08471695, 0.60705816, 0.88197790, 3.87314367, 60.07364941

Total: 65.74930596 BTC.  The stolen coins were sent to 1GtAri6QDusZVFPtCBufA7ti6R34BxRwBB (14 transactions) and 1sCaMzrzY6sCaRMUY9WjM35QnwHYLyBEd (2 transactions).

If anyone would like to donate to make the victims whole, I set up address 1GbDrpVNGxC8CxfZrYMPVPZ2KNwvcXEHT7 for donations.  Anything sent there will go to the 16 who lost funds.

Good Idea and with some reasonable problem solving we can probably find the source of this.  

Did Casinobit recently "find" some bitcoins? if I recall some of the investors was recently paid "need source". So I guess we need to ask other victims, what bitcoin gambling companies have you joined and eliminate one by one?

Did not read that anyone got reimbursed. Anyway, his website use an URL as login so he can't have collected any user/pass.

[aksplace]

Well maybe I'll get some pledges this time for making a bot that won't steal anyones cash... Any interest in this?

There are already open-source bots available.

Could you provide us a list of "known bots" for the website Rannasha? Also we are currently looking for a seasoned veteran coder to review such bots to insure safety and security for players.

Here is mine, support included
https://github.com/KgBC/just-dice-bot

Is running as python cli application, which I consider as much more stable than running in a browser window (especially thru tor).
Always download it from the original source above, so noone could compromise code.
Have Fun gambling

Thanks will be coming with article soon, Douglas thanks for the hard work on analyzing actions from the perpetrator hopefully we have more info on this later on. Clearly they used an anonymous program but I show a potential IP out of London that might have been responsible. 

[dooglus]

Did not read that anyone got reimbursed. Anyway, his website use an URL as login so he can't have collected any user/pass.

I have only reimbursed 3 of the 16 accounts that lost funds so far.  I have blocked access to the others, and am waiting for their owners to contact me and demonstrate that they have secured their accounts before refunding them.

I expect most of them were old forgotten accounts with what their owners considered 'dust' in them.

JD uses URLs as a login until you set up and username and password.  Once you've done that, the URL no longer works.

[01BTC10]

Did not read that anyone got reimbursed. Anyway, his website use an URL as login so he can't have collected any user/pass.

I have only reimbursed 3 of the 16 accounts that lost funds so far.  I have blocked access to the others, and am waiting for their owners to contact me and demonstrate that they have secured their accounts before refunding them.

I expect most of them were old forgotten accounts with what their owners considered 'dust' in them.

JD uses URLs as a login until you set up and username and password.  Once you've done that, the URL no longer works.

He was talking about Casinobit  

Did Casinobit recently "find" some bitcoins? if I recall some of the investors was recently paid "need source". So I guess we need to ask other victims, what bitcoin gambling companies have you joined and eliminate one by one?