Bitcoin Forum
November 05, 2024, 08:30:48 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: PC hacked, QT robbed, MtGox account hacked on the same time- how?  (Read 2048 times)
grabber (OP)
Member
**
Offline Offline

Activity: 67
Merit: 10



View Profile
January 30, 2014, 02:26:46 AM
Last edit: January 30, 2014, 01:06:32 PM by grabber
 #1

Here is the story - you might able to help.

A friend of mine today he realised there's some strange things happens on his PC. Webcam starts, emails opens etc. Than he shutted down all the apps and later on some even more stranger things happened - Bitcoin QT asked for a new password. Like a normal user he changed his password - it seemed like the wallet itself asked for it - gave the old one and set up a new pass. (that was a huge mistake)

Later on, he received an email from MtGox that they are started to process his withdrawal - he doesnt even started one. The password was not stored on the pc, but there were a 2FA so we have no idea how they logged in. (we were thinking about with the RTBTC api code, but it seems like it wasnt able to do withdrawals) He also has 2 withdrawals from the mtgox account, we wrote to the support for the confirmation emails that he did NOT requested any payouts, hopefully it will be stopped by MtGox (almost 10 BTC) -

As he changed the password of the QT, it seemed like they simply recorded his password, and you can see here the transaction( https://blockchain.info/address/1CpiFiAtwr2TcF6X7TTRVzNUbkqnbVwKxJ ) 3.95 BTC is missing.

Now we took the PC offline and try to find out how was it made. It was a trojan for sure, but the exact method was something that we havent seen before. The owner is not an IT guy, but quite far from the noobs. So if you have any idea, any knowledge on that we'd be really happy if you share with us, it was quite an expensive experience on crypto currencies for him.

But the main question is still on: How to login to mtgox if you have the pass and dont have the device for 2FA. How login into a PC without any sign? (no known remote desktop apps were used) - The last part is quite easy, to dump a private key for a wallet if you know the key.

Any help appreciated! Of yourse, he stll has 2 unconfirmed withfrawals from Mtgox. If they dont aprove it, it will kind of save the day. (plenty tickets and emails submitted) Still dont know how it can happen, antivirus software firewall etc was on a well configured pc.

UPDATE 1: MTgox replied that they see a usual login and withdraw, o they dont do anything we should call the police. WTF? They send an email in case of withsrawals if that wasnt you... WE TOLD THEM IT WASN US! So they have to cancel the transaction. It still seems on Blockchain that the transaction wasnt started yet
suryokecu
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
January 30, 2014, 02:48:28 AM
 #2

It is very bad.... Almost 10 BTC ??

I am not an IT guy, so I can't help anything. Just feel sorry to hear this sad news. I do really hope MtGox could cancel those withdrawal.
Foxpup
Legendary
*
Offline Offline

Activity: 4531
Merit: 3183


Vile Vixen and Miss Bitcointalk 2021-2023


View Profile
January 30, 2014, 04:55:42 AM
 #3

How login into a PC without any sign?
Without any sign?
A friend of mine today he realised there's some strange things happens on his PC. Webcam starts, emails opens etc.
The webcam is a dead giveaway. The only reason your webcam will start is if a person want to record video of you. If that person is someone other than yourself, you should start freaking out at this point. The correct response is to pull the network cable, nuke the hard drive, and restore everything from backups.

(no known remote desktop apps were used)
Remote desktop apps generally work better (for the person using them) when you don't know they're there.

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
empoweoqwj
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


View Profile
January 30, 2014, 06:16:31 AM
 #4

Cripes- that's a total PC takeover. Kind of scary how sophisticated malware is getting. Glad I don't run Windows
bitgeek
Sr. Member
****
Offline Offline

Activity: 462
Merit: 251



View Profile
January 31, 2014, 11:00:30 AM
 #5

Sorry to hear that. Check for unknown processes running in the background, your virus software should've prompted when a process tried to establish a connection.


███████████████████████████████
███████████████████████████████
████████████████████████████████
████████████████████████████████
██████████████████████████████████
██████████████████████████████████████████
█████████████████████████████████████████
███████████████████████████████████████
█████████████████████████████████████
█████████████████████████████████████
█████████████████████████████████████
███████████████████████████████████
█████████████████████████████████████
█████████████████████████████████████

.

.

.

Online.BTC.Bingo

.

.

.*500%.CASH.BACK.+.INSTANT.BONUS
..PROGRESSIVE.JACKPOT
..NO-DOWNLOAD.CLIENT
.

.

.

EPIC.FUN.
empoweoqwj
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


View Profile
January 31, 2014, 12:18:25 PM
 #6

Sorry to hear that. Check for unknown processes running in the background, your virus software should've prompted when a process tried to establish a connection.

Once Windows has been taken over to that extent, you need to start again, right from the beginning, wipe the drive, clean install.
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1015



View Profile
January 31, 2014, 12:42:17 PM
 #7

Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?
EasyD
Newbie
*
Offline Offline

Activity: 62
Merit: 0


View Profile
January 31, 2014, 12:49:07 PM
 #8

This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, its too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.
empoweoqwj
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


View Profile
January 31, 2014, 12:49:51 PM
 #9

Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?

Gox had 2FA last time I used Gox - which was when I got all my BTC out in December Smiley
empoweoqwj
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


View Profile
January 31, 2014, 12:51:10 PM
 #10

This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, its too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.

I personally prefer never to use a PC, if by PC you mean Windows. 100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1015



View Profile
January 31, 2014, 01:16:06 PM
 #11

Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?

Gox had 2FA last time I used Gox - which was when I got all my BTC out in December Smiley
Yubikeys are for 2FA, but a service generally only permits Yubikeys or OAuth (or short SMS codes, but those are a joke anymore). Compared to a phone, a Yubikey is much more secure in most cases, but I don't know for sure if Gox only does Yubikeys or both Yubikeys and OAuth. If only Yubikeys, this's something I've never heard of.
empoweoqwj
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


View Profile
January 31, 2014, 01:18:33 PM
 #12

Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?

Gox had 2FA last time I used Gox - which was when I got all my BTC out in December Smiley
Yubikeys are for 2FA, but a service generally only permits Yubikeys or OAuth (or short SMS codes, but those are a joke anymore). Compared to a phone, a Yubikey is much more secure in most cases, but I don't know for sure if Gox only does Yubikeys or both Yubikeys and OAuth. If only Yubikeys, this's something I've never heard of.

Gox does 2FA via OAuth as well as YubiKeys
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
January 31, 2014, 10:56:10 PM
 #13

I am not sure about mtgox 's security but 2factor authentication can be bypassed via session hijacking.

Ps: withdrawal can be done via api too probably or It's also possible that OP's friend left his pc open (while being  logged in on mtgox ) for some time and hacker took advantage of it.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
January 31, 2014, 10:59:50 PM
 #14

Not so long ago 2factor authentication was bypassed by by same session hijacking  aka cookie stealing attack. http://iandunn.name/security-reward-for-new-google-authenticator-plugin/
EasyD
Newbie
*
Offline Offline

Activity: 62
Merit: 0


View Profile
February 01, 2014, 12:33:34 AM
 #15

This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, its too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.

I personally prefer never to use a PC, if by PC you mean Windows. 100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.

Very good point.
empoweoqwj
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


View Profile
February 01, 2014, 02:53:15 AM
 #16

I am not sure about mtgox 's security but 2factor authentication can be bypassed via session hijacking.

Ps: withdrawal can be done via api too probably or It's also possible that OP's friend left his pc open (while being  logged in on mtgox ) for some time and hacker took advantage of it.

Yep. Good point. Always log out of accounts after using them. Personally I run sites I know and trust in one browser (chrome) and anything "new" in Safari. Not sure if it helps against attacks but I feel safer Smiley
vm_mpn
Hero Member
*****
Offline Offline

Activity: 605
Merit: 500


View Profile
February 02, 2014, 07:59:14 PM
 #17

Almost seems like some sort of RDP or VNC type remote access...Could you ask Mt.Gox support if they can trace IP address matching that particular withdrawal transaction? I just wonder if IP address will match public IP of your friend's router or it's an external IP.
empoweoqwj
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


View Profile
February 03, 2014, 03:33:17 AM
 #18

Almost seems like some sort of RDP or VNC type remote access...Could you ask Mt.Gox support if they can trace IP address matching that particular withdrawal transaction? I just wonder if IP address will match public IP of your friend's router or it's an external IP.

You've obviously not tried Gox support recently ... they don't even spend time doing normal stuff they should do, like processing withdrawals.
Sonny
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
February 03, 2014, 02:07:50 PM
 #19

Almost seems like some sort of RDP or VNC type remote access...Could you ask Mt.Gox support if they can trace IP address matching that particular withdrawal transaction? I just wonder if IP address will match public IP of your friend's router or it's an external IP.

You've obviously not tried Gox support recently ... they don't even spend time doing normal stuff they should do, like processing withdrawals.

USD withdrawal delays are considered normal in mtgox lol  Wink
Mivexil
Member
**
Offline Offline

Activity: 112
Merit: 10


View Profile
February 03, 2014, 05:33:00 PM
 #20

This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, its too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.

I personally prefer never to use a PC, if by PC you mean Windows. 100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.

Very good point.

Standard issue malware won't steal your bitcoins, and a targeted attack (which seems to be the case here) is just as likely to happen on Windows as it is on Linux.

Besides, nothing can save someone who willingly runs malicious software on his computer, Linux, OSX, Windows or whatnot.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!