FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users

[ixi1234]

Did someone got paid back already?

I still havent got an answer about a missing 21300€ from our accounts.

I didn't get it back. No answer was given. Does anyone have contact information for the admin of the fbc site?

[codergeek]

No response from support.

No response from TheQuin.


List of reported security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

[ixi1234]

Has anyone been contacted about the theft? I wrote several emails and personal messages to support, sent them a video of how the address changed during the withdrawal, but never received a response.

[Timelord2067]

I'm still getting near daily email (spams) from them which make no mention of any trouble.

Have none of you clicked "reply" and seen what happens?

[ixi1234]

I'm still getting near daily email (spams) from them which make no mention of any trouble.

Have none of you clicked "reply" and seen what happens?

I sent them messages to 2 email addresses( support@freebitco.in noreply@freebitco.in) and wrote a personal message on this site, and a message was also sent through the fbc website in the FAQ section. There is no feedback from them

[bnbstorm]

As a programmer I suggest all scammed users to check which browser extensions they have in common.
It is easier for extension to put any code inside any website so always use extensions that are neccessary and trusted.

I also want to ask how you guys are making so much money on fbc

[codergeek]

The only thing we seem to have in common is that our USER IDs were visible on the fbtc site.

For example the daily jackpot leaderboard and the wagering and referral contest leaderboards.

I have no browser extensions, system is updated daily and avast reports no issues.

The attacker claimed he used a known xss vulnerability to steal our funds.

Deposit and withdrawal addresses were manipulated among other things.

Fbtc knew or should have known about unpatched xss security vulnerabilities.

Bugbounty lists some of these unpatched security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

Here is an example of the injected malicious code used during the second wave of attacks:

https://pastebin.ai/eo0q78pbuj

[pinggoki]

I'm still getting near daily email (spams) from them which make no mention of any trouble.

Have none of you clicked "reply" and seen what happens?

Hopefully no one will risk clicking those emails, we may never know what's in there that might lead to the hackers extending their attack to more and more people. That sucks for Freebitcoin is having this kind of problem, it's a good thing that it's not them that's causing the problems and that it's the hackers. They still have some responsibility to it though and maybe improving in their security online and offline is probably their only solution to this one.

[bnbstorm]

The only thing we seem to have in common is that our USER IDs were visible on the fbtc site.

For example the daily jackpot leaderboard and the wagering and referral contest leaderboards.

I have no browser extensions, system is updated daily and avast reports no issues.

The attacker claimed he used a known xss vulnerability to steal our funds.

Deposit and withdrawal addresses were manipulated among other things.

Fbtc knew or should have known about unpatched xss security vulnerabilities.

Bugbounty lists some of these unpatched security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

Here is an example of the injected malicious code used during the second wave of attacks:

https://pastebin.ai/eo0q78pbuj

With XSS vuln. attacker cannot insert a script in your browser. So my concern again is that you should look for common extensions. Your ids were targeted because attacker was sure there are funds and did not want to ping normal users with uncertain balances.

[bnbstorm]

https://www.openbugbounty.org/reports/domain/freebitco.in/

As far as these vuln. are concerned they are patched already I have check one of un-patched. I think fbc does not update their bugs fixation there.

[codergeek]

I have no extensions on my fbtc device.

You cannot install chrome extensions on the chrome browser on android.

I really do appreciate your input.

Discussion is always healthy and can sometimes provide insight to a difficult problem.

[codergeek]

Cross Site Scripting (XSS)

Overview

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site...

Stored XSS Attacks

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

Blind Cross-site Scripting

Blind Cross-site Scripting is a form of persistent XSS. It generally occurs when the attacker’s payload saved on the server and reflected back to the victim from the backend application. For example in feedback forms, an attacker can submit the malicious payload using the form, and once the backend user/admin of the application will open the attacker’s submitted form via the backend application, the attacker’s payload will get executed.

Source: https://owasp.org/www-community/attacks/xss/


Further reading: https://owasp.org/www-community/Types_of_Cross-Site_Scripting

[bnbstorm]

I have knowledge about XSS. If you are using android then kindly make sure your browser is official and safe. And also check if you have some malware on your device.

XSS attack requires users to click on a link to get the script from attacker. Through XSS attack attacker cannot upload scripts to servers. It is like maybe you clicked on malicious link  from any source/forum/thread etc. Or your device is compromised. Which is very unlikely as this many users cannot get their devices compromised at same time. Also if devices were compromised then results would be worse.

Also check links you received through email because I am sure more of victims logged in from links in email. Maybe attacker can exploit a way to trigger automatic emails through some way.

These are all attack methods that I have learned and experience so far and most probably all possibilities for an XSS vulnerability to be exploited. Because without social engineering this attack vector is not so useful.

I am talking about XSS vulnerabilities reported on bug bounty platform shared before. If attacker have some server type access then it is worse

[ixi1234]

I don’t understand why FBC doesn’t respond, there is no reaction from them. It's a shame that they don't want to help deceived users

[Tercio]

I haven't searched deep in this thread, but are the addresses where the BTC were sent somehow one of your deposit addresses? The OP doesn't mention this detail, I think something fucky is going on, but not actually a scam.

I was wrong. The deposit address was the attacker address and was not actually an official deposit address linked to the users. The website was hacked either by a third party or an inside job.

[Wapfika]

I haven't searched deep in this thread, but are the addresses where the BTC were sent somehow one of your deposit addresses? The OP doesn't mention this detail, I think something fucky is going on, but not actually a scam.

It’s pretty obvious that the new address used is from unknown wallet address or else this will not be an issue at all since they will still receive their Bitcoin on their other wallet address.

The address use is from a hacker since I remember some of the victim track it and goes to unknown address that is not related to their withdrawal history. I believe the hacker manage to inject malware to players computer or on the freebitco.in side which never clear since the admin of the casino never answer this issue.

[Tercio]

I was investigating another user https://bitcointalk.org/index.php?topic=320959.msg64180553#msg64180553 that had something similar happen to them. But he noticed that the address was indeed one of his freebitco.in deposit. The money wasn't credited, but the on-chain transaction is indeed to his own deposit address.

If the OP of this thread didn't happen to check if the address is one of their deposit (and honestly, why would he?) it might be worth checking it out. If the deposit was indeed made to his own freebico.in wallet this indicate a fuck up of the automatic system they employ, and not fraud/scam/hack.

I was wrong. The deposit address was the attacker address and was not actually an official deposit address linked to the users. The funds are not actually in freebitco.in's hands. It was not a simple/weird bug. The website was hacked either by a third party or an inside job.

[Get-Paid.com]

The writing was on the wall and we posted about it 3 months ago, and yet, there are still bad-sses who attack us for being responsive to users and running 20 legitimate faucets for over 7 years (we started in 2017 and freebitco.in in 2013).

So let's say it again - the writing WAS ON THE WALL !

https://bitcointalk.org/index.php?topic=5487189.0

Hopefully someone would finally listen. It's not about just fixing a code, it's about getting control of your faucet.

They can't do it in the current structure, it's impossible.

[Wapfika]

The writing was on the wall and we posted about it 3 months ago, and yet, there are still bad-sses who attack us for being responsive to users and running 20 legitimate faucets for over 7 years (we started in 2017 and freebitco.in in 2013).

So let's say it again - the writing WAS ON THE WALL !

https://bitcointalk.org/index.php?topic=5487189.0

Hopefully someone would finally listen. It's not about just fixing a code, it's about getting control of your faucet.

They can't do it in the current structure, it's impossible.

The sign of them of collapsing is now getting clearer. Their lack of personnel despite they have lots of users using their service is one factor why the casino management will collapse just like this.

I’m not a faucet user anymore so I can’t relate to the details about their faucet but one thing is for sure that this casino never prepared for this kind of issue. Worst is the founder mismanaged the Bitcoin funds that result to this unimproved service even they are existing for a long time.

If the OP of this thread didn't happen to check if the address is one of their deposit (and honestly, why would he?) it might be worth checking it out. If the deposit was indeed made to his own freebico.in wallet this indicate a fuck up of the automatic system they employ, and not fraud/scam/hack.

Again the OP is high rank and known for being involved on many business. I doubt that he will be overlooked the address that he used in the past.

[Tercio]

OK, so that people no longer have doubts about how the address is being changed when withdrawing funds. At the end of the video, watch carefully how my output address was changed!!! I hope no one else will say that we are deceiving you and the site is not hacked!
https://dropmefiles.com/56V5d
https://ibb.co/PtqN3Mw
https://ibb.co/cgCnxQ1

Update!!:
After I posted the video with the substitution of the withdrawal address, an hour later I tried to withdraw funds again and surprisingly my address did not change and the withdrawal went to the correct address! Is it a coincidence??? Or are hackers monitoring this forum topic?

This user too has had the email about withdrawing his money to his own freebitco.in deposit address (check the two image links)!! That's two people that have had ~this problem report this strange behaviour.

The problems are:

• 1. That shouldn't happen, lol
• 2. The deposit/withdrawl are made on-chain but aren't credited!

I strongly suspect BayAreaCoins's unkown address (15C8FetAcZ7fkdgf2FAHamwqX4EUE1zhgP) is actually one of his own freebitco.in old deposit address. The address doesn't seem to have been used by OP's before, but still, very worth checking! No matter how "high ranking" OP is, checking that the "attackers" address is actually an old deposit address is very non-obvious.