Bitcoin Forum
Author Topic: Someone hacked into our Blockchain.com wallet  (Read 502 times)
#1 Get-Paid.com (Sr. Member), November 28, 2018, 09:31:32 PM [merited by LoyceV (2)]

Someone posted a scam here (Crypton-Exchange.net); one of our admins was naive enough to try it, and the site told him to install an addon in order to withdraw the funds. Naively he installed it, and now we have realized someone withdrew $2,300 from our Blockchain.com account (money that we intended to use to pay publishers; sadly it is gone now).

The money was sent to 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
https://www.blockchain.com/btc/tx/0fe187e55c07772d47d1c588c80195f5977aa139d814feb39bdab968253c8f60

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

Few questions:

1) How did the Chrome addon allow someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?
2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.
3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?




#2 jackg (Copper Member, Legendary), November 28, 2018, 09:40:04 PM [merited by dbshck (3)]

1. Chrome addons allow access to a lot of things. I'm assuming it asks you by giving you a menu of permissions as to what the site is allowed to access. I think you should format Chrome (if they use user profiles, just delete that one and start afresh). Maybe be clever and don't give him access to your wallet if he can't browse the internet without damaging your company's reputation/finances.
2. I don't think Chrome addons have access to anything but Google Chrome and the stuff that's put on it (switching out Chrome for a better browser such as Firefox is also what I'd suggest).



You ought to go here and log exactly what happened to them: https://chrome.google.com/webstore/report/joofmeiidadomccpmeaoagdogmbifhlh

Also give them a 1 star review and explain what happened, at the moment others are still at risk and you have a responsibility to inform them.





EDIT: blockchain.com isn't as secure as a wallet on your computer either (such as an encrypted Electrum wallet).

#3 bitmover (Hero Member), November 28, 2018, 09:56:32 PM [merited by dbshck (3)]

Well, first thing: change your browser to a more reliable one, such as Firefox.

Were you logged on to the blockchain.com wallet when you installed the add-on?
Did you do all the security steps in the blockchain.com wallet? Did you use 2FA, for example?

Often people don't follow the basic security steps which are recommended by the services... maybe 2FA could have avoided this.

Answering your questions:

1- The blockchain.com wallet is not the safest; however, it's not a scam, and it is a nice initiative for newbies. It is easy to use, and if you follow all the recommended security steps you are *somewhat* safe, but you should never use it for high amounts.
The add-on probably installed some kind of malware and, if you were already logged in, it was easy to get... or if you had no 2FA and the password was saved in the browser?

2- I would definitely format it. Additionally, I would buy a Ledger Nano from the official retailer: https://www.ledger.com

3- I am not familiar with them, but the Ledger Nano allows you to use it safely on any infected computer.

#4 Get-Paid.com (Sr. Member), November 28, 2018, 10:07:07 PM


Were you logged on blockchain.com wallet when you installed the add-on?

Yes.


Did you do all the security steps in blockchain.com wallet? Did you use 2fa, for example?


Did not use 2FA.

#5 bob123 (Legendary), November 28, 2018, 10:17:32 PM [merited by dbshck (3), LoyceV (2)]

1) How did the Chrome addon allow someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?

If your 'admin' was logged into the account AND the addon has the right to 'view all sites and interact with them' (which has to be accepted when it is installed), then the addon can do whatever it wants to.

Blockchain.com is a web wallet. Every other type of wallet is more secure than a web wallet.

However, this shouldn't happen. A malicious addon can indeed steal your funds this way.



2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.

He probably(!) doesn't need to format his laptop. Changing all passwords wouldn't hurt (at least those saved in Chrome AND those from sites visited while the addon was installed).



3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?

Malicious addons have been used for years to steal secret information (passwords).

Might you give us information about the addon, so that we can report it to Google?
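The check bob123's point implies is reading an extension's manifest before installing it, looking for the "all sites" host grant together with the APIs that reach cookies, requests or page content. The following is an added example, not code from the thread or from the add-on it discusses; the three manifests in it are constructed samples.

```javascript
// Added example, not from the thread or the extension it discusses.
// Audits Chrome extension manifests for the grants that let an add-on act
// inside every site the user is logged into. All manifests below are
// constructed samples; the real add-on's manifest is not reproduced here.

// Host patterns that cover every site (MV2 "permissions", MV3 "host_permissions",
// and content_scripts "matches" all use this syntax).
const ALL_SITES_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that reach session data, network requests or page content.
const SENSITIVE_APIS = new Set(["cookies", "webRequest", "webRequestBlocking", "tabs", "history", "clipboardRead"]);

// Returns a list of findings such as "api:cookies" or "host:all-sites".
function auditManifest(manifest) {
  const findings = [];
  const hosts = [];
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) hosts.push(p);   // MV2 host pattern
    else if (SENSITIVE_APIS.has(p)) findings.push("api:" + p);
  }
  for (const p of manifest.host_permissions || []) hosts.push(p);  // MV3 host pattern
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.push(m);               // scripts injected into matching pages
  }
  if (hosts.some((h) => ALL_SITES_PATTERNS.has(h))) findings.push("host:all-sites");
  return findings;
}

// "high": runs on every site AND touches session data, so it can act as the user
// inside any site that is currently logged in, which is the scenario in this thread.
function severity(findings) {
  const allSites = findings.includes("host:all-sites");
  const api = findings.some((f) => f.startsWith("api:"));
  if (allSites && api) return "high";
  if (allSites || api) return "medium";
  return "low";
}

// Constructed samples. A legitimate ad blocker needs the same grants as the
// stealer, so the audit tells you which extensions you must trust, not which are malicious.
const SAMPLE_MANIFESTS = {
  adBlocker: { manifest_version: 2, name: "sample ad blocker", permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "storage"] },
  cashPlugin: { manifest_version: 2, name: "sample cash plugin", permissions: ["cookies", "tabs", "storage"], content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }] },
  notes: { manifest_version: 3, name: "sample notes", permissions: ["storage"], host_permissions: ["https://example.com/*"] },
};

function auditAll(manifests) {
  const report = {};
  for (const [name, m] of Object.entries(manifests)) {
    const findings = auditManifest(m);
    report[name] = { severity: severity(findings), findings };
  }
  return report;
}

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```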

#6 Get-Paid.com (Sr. Member), November 28, 2018, 10:34:56 PM

Might you give us information about the addon, so that we can report it to Google?

Thanks for trying to help, this info was given above in the first post:


#7 WebdeveIoper (Copper Member, Jr. Member), November 28, 2018, 11:39:01 PM

Installing random Chrome plugins is like opening random .exe files: very dangerous. I just use Opera, and the only addon I use is uBlock Origin. I'd rather be safe than sorry.

#8 zupdawg (Hero Member), November 29, 2018, 12:17:17 AM

Someone posted a scam here (Crypton-Exchange.net); one of our admins was naive enough to try it, and the site told him to install an addon in order to withdraw the funds. Naively he installed it, and now we have realized someone withdrew $2,300 from our Blockchain.com account (money that we intended to use to pay publishers; sadly it is gone now).

The money was sent to 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
https://www.blockchain.com/btc/tx/0fe187e55c07772d47d1c588c80195f5977aa139d814feb39bdab968253c8f60

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

Few questions:

1) How did the Chrome addon allow someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?
2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.
3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?



I mostly fall for them on their first try; gladly I am not such a fool as to install the said add-on.

1. Before you install the said add-on, it will ask for the user's permission to be able to edit and read the data on the most used crypto websites and email providers.
2. Not sure about this one, but a reformat is better.

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
#9 bitmover (Hero Member), November 29, 2018, 01:44:46 AM


Were you logged on blockchain.com wallet when you installed the add-on?

Yes.


Did you do all the security steps in blockchain.com wallet? Did you use 2fa, for example?


Did not use 2FA.

I believe the add-on didn't have any access to your passwords then. It could only somehow access your wallet that was already logged in in the same browser... :/

#10 electronicash (Legendary), November 29, 2018, 01:52:10 AM

This is the reason why 2FA can be useful in a way.
I would suggest reinstalling the OS, wiping out everything just to make sure it's safe to use the computer again. Some hackers leave a bug that will connect to repositories and install a program in the background and then again collect data from you.

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.YoBit AirDrop $.|.Get 700 YoDollars for Free!.🏆
#11 Get-Paid.com (Sr. Member), November 29, 2018, 06:30:16 AM

This is the reason why 2FA can be useful in a way.
I would suggest reinstalling the OS, wiping out everything just to make sure it's safe to use the computer again. Some hackers leave a bug that will connect to repositories and install a program in the background and then again collect data from you.

We have done all this; 2FA is now activated.
We lost 0.52 BTC (around $2,300); it was intended to pay publishers. We wish the thief that karma would hit him back for what he did; those bad people who like to steal money from others should be punished. Karma will take care of it.


#12 NeuroticFish (Legendary), November 29, 2018, 06:39:43 AM

You may consider using a proper standalone/installed wallet on your computer. It should be safer than websites; at least this problem would have been avoided.
Also, if you plan to proceed with bigger funds, a hardware wallet (or cold storage) would be the next step.

#13 bob123 (Legendary), November 29, 2018, 07:03:00 AM

Thanks for trying to help, this info was given above in the first post:


Thanks for pointing that out. I somehow missed the URL.

I have filed a report regarding this browser extension.



It could only somehow access your wallet that was already logged in in the same browser... :/

Not only somehow, but most probably simply through stealing cookies from the browser.

Stealing cookies is quite an easy approach to gain access to an account logged in from the browser.

You can regard cookies as an identifier. Anyone who has this explicit cookie (which is assigned to user X in the database of website Y) has access to the account.



[...] we wish the thief that karma would hit him back for what he did, those bad people who like to steal money from others should be punished. Karma will take care of it.

Well, to be honest, you basically asked for it. Installing shady add-ons with 1 rating AND using a web wallet is crying out to get funds stolen.

While I do not support the behavior of stealing funds, this is one of the lowest-effort steals I have come across on this forum.
The only one to blame is definitely your 'admin'.

#14 mocacinno (Legendary), November 29, 2018, 07:04:28 AM

I had the same plugin pushed to me by the owner of cryptrave.com. Usually I wouldn't fall for this trick, but I actually lost a family member on Monday, and I was just browsing bitcointalk aimlessly without paying attention after the news actually hit me... I actually felt like playing with a no-deposit bonus would distract me a little bit, and I actually fell for the scammer's trick. Luckily I had the reflex of not logging in to any funded wallet while the plugin was installed, so so far I wasn't robbed.

I'm still figuring out which steps I need to take in order to be safe... Of course I completely removed all files from my Chrome portable and installed a clean version, but I'm wondering what to do with the passwords saved by Chrome, my KeePass database, my desktop wallets (most of my funds are in my Ledger and Trezor HW wallets, but I still keep some spending money on a couple of desktop wallets)...
I have downloaded the plugin's source code, but at the moment I don't have the energy to truly vet it... On a quick browse, I actually found the array where the hacker defined his wallet addresses for the different (alt)coins he's trying to steal:
t = [];
t.BTC = "16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S"; // the same address the OP's funds were sent to
t.ETH = "0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca";
t.ETC = "0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5";
t.BCH = "1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3";
t.LTC = "LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP";

https://bitcointalk.org/index.php?topic=5076352

#15 bob123 (Legendary), November 29, 2018, 07:36:11 AM [merited by mocacinno (1)]

I'm still figuring out which steps I need to take in order to be safe... Of course I completely removed all files from my Chrome portable and installed a clean version, but I'm wondering what to do with the passwords saved by Chrome, my KeePass database, my desktop wallets (most of my funds are in my Ledger and Trezor HW wallets, but I still keep some spending money on a couple of desktop wallets)...

If there is no Chrome vulnerability which allows an extension to break out of the isolated environment (which I doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, I heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developers aren't intelligent enough to make use of a potential vulnerability).

Your KeePass database (local KeePass, not the browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you entered while it was installed can be (and most probably are) compromised.
All data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.

#16 jackg (Copper Member, Legendary), November 29, 2018, 10:02:02 AM

Nothing to do with them. They do not have your wallet keys....

Oh of course, you're the guy who said to the other user to back up their wallet addresses.

You seem a bit oddly too in the know of how the software works (or your interpretation of it; they probably do have the keys), so would you care to enlighten us as to how you yourself have been enlightened?

#17 aplistir (Full Member), November 29, 2018, 10:52:43 AM

3- I am not familiar with them, but the Ledger Nano allows you to use it safely on any infected computer.
That is what their ad says.
But I would not use a Ledger on an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is sent to the Ledger for confirmation.

And then you just might confirm the payment. Particularly if the output address looks similar to the real output address.

#18 bob123 (Legendary), November 29, 2018, 11:13:42 AM

3- I am not familiar with them, but the Ledger Nano allows you to use it safely on any infected computer.
That is what their ad says.
But I would not use a Ledger on an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is sent to the Ledger for confirmation.

Sure, that's perfectly possible.

However, this would require one to create a malicious version of Ledger Live (or Electrum) for this specific purpose.

And that's where the 2FA (confirming the TX on the Ledger screen by physically pressing a button) comes into play.
If you confirm the amount + address, you're fine.



And then you just might confirm the payment. Particularly if the output address looks similar to the real output address.

Generating a 'similar looking address' is not as easy as you might think.

Vanity generators need multiple hours/days/weeks to generate an address with 6 or 7 chosen chars.

So, if you want to generate a 'similar looking' address at runtime, you'll get 1 or 2 chars identical. The rest will be different.

That's the beauty of a big 'key space'.
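Putting numbers on the two posts above (aplistir's address-swap concern and bob123's reply about vanity addresses), as an added example that is not from the thread. It assumes a P2PKH address whose characters after the fixed leading '1' are roughly uniform over the 58-symbol Base58 alphabet, and the key-generation rates named in the comments are assumptions.

```javascript
// Added example, not code from the thread. Estimates how much of an address an
// attacker can make "look similar", and why comparing only a prefix is not enough.
// Assumption: characters after the leading '1' are uniform over 58 symbols
// (an approximation; the second character is in fact slightly biased).
const BASE58 = 58;

// Expected number of random keys before one yields k chosen characters after the leading '1'.
function expectedKeysForPrefix(k) {
  return Math.pow(BASE58, k);
}

// Wall-clock hours to hit k chosen characters at a given key-generation rate.
function hoursToMatch(k, keysPerSecond) {
  return expectedKeysForPrefix(k) / keysPerSecond / 3600;
}

// Longest prefix an attacker can expect to match within a time budget, e.g. the
// seconds a victim spends composing a transaction.
function matchableChars(seconds, keysPerSecond) {
  return Math.floor(Math.log(seconds * keysPerSecond) / Math.log(BASE58));
}

// Length of the common prefix of two addresses. A spoofed address shares only this
// much with the real one, so verify the whole string on the device screen, not
// just the first characters.
function sharedPrefixLength(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[n] === b[n]) n++;
  return n;
}

// Assumed rates: ~1e6 keys/s for a dedicated CPU vanity generator,
// ~5e3 keys/s for JavaScript generating keys at runtime inside a browser.
function summary() {
  return {
    cpuHoursFor6Chars: hoursToMatch(6, 1e6),        // about 10.6 hours
    cpuDaysFor7Chars: hoursToMatch(7, 1e6) / 24,    // about 25.6 days
    runtimeCharsIn1s: matchableChars(1, 5e3),       // 2
    runtimeCharsIn10s: matchableChars(10, 5e3),     // still 2
  };
}

console.log(summary());
```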

#19 bitmover (Hero Member), November 29, 2018, 12:08:01 PM

3- I am not familiar with them, but the Ledger Nano allows you to use it safely on any infected computer.
That is what their ad says.
But I would not use a Ledger on an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is sent to the Ledger for confirmation.

And then you just might confirm the payment. Particularly if the output address looks similar to the real output address.

Not that easy, because you have to confirm the address on the Ledger Nano's LED display.

#20 Get-Paid.com (Sr. Member), November 29, 2018, 03:56:45 PM

I'm still figuring out which steps I need to take in order to be safe... Of course I completely removed all files from my Chrome portable and installed a clean version, but I'm wondering what to do with the passwords saved by Chrome, my KeePass database, my desktop wallets (most of my funds are in my Ledger and Trezor HW wallets, but I still keep some spending money on a couple of desktop wallets)...

If there is no Chrome vulnerability which allows an extension to break out of the isolated environment (which I doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, I heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developers aren't intelligent enough to make use of a potential vulnerability).

Your KeePass database (local KeePass, not the browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you entered while it was installed can be (and most probably are) compromised.
All data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.

Thanks for the info about this.
How certain are you regarding this information? (say on a scale of 1 to 10).
