BinaryMage (OP)
|
|
December 19, 2011, 05:53:42 PM Last edit: December 19, 2011, 10:32:58 PM by BinaryMage |
|
My MtGox account was hacked about two hours ago this morning. Password is secure, computer uninfected. (Password changed immediately) MtGox shows a large number of support requests. Is this just my account or is something larger going on? Luckily, I didn't lose much, but I certainly would rather not have. The bitcoins were sent to address 1ffaB9W2hj2pzp9djKupFfsaNn1L215FE. Not likely that it will ever be used again, but I thought it prudent to keep record.
So, two questions. I was away from Bitcoin for awhile and have just come back, so I'm somewhat unfamiliar with the much-changed MtGox. Is it possible for me to somehow recover my Bitcoins, and if not, what security steps do I need to take to prevent this happening again, assuming the problem was on my end? My computer is firewalled and virus-protected. My password was alphanumeric, random, and long enough to make brute forcing astronomically unlikely. I use Peerblock and Tor, though not one-hundred-percent of the time. Any tips?
Oh, and I'm sorry if this is in the wrong forum; I wasn't entirely sure where to put it.
EDIT: Thanks to some helpful users, this problem has been solved. Turns out I just behaved stupidly and fell for a phishing scam. Thank you to everyone for your excellent help!
|
|
|
|
sadpandatech
|
|
December 19, 2011, 06:12:34 PM |
|
Did you have the same money sitting on it while you were away? Just seems strange, if so, that it would have sat there and then get snatched after you come back.
Sounds like you are taking appropriate steps. I assume you have an email that is used just for Gox and it is/was using a different password from your Gox account?
|
If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
|
|
|
BinaryMage (OP)
|
|
December 19, 2011, 06:43:13 PM |
|
Did you have the same money sitting on it while you were away? Just seems strange, if so, that it would have sat there and then get snatched after you come back.
Sounds like you are taking appropriate steps. I assume you have an email that is used just for Gox and it is/was using a different password from your Gox account?
Yes, I did have it on my account, probably for about four months. It was minimal and I'd never bothered to withdraw it. My email is not used for solely Mt.Gox, but it has and always has had a different password and two-step verification, so I doubt it's been hacked. (And it's a Gmail account, not hosted locally, so as secure as Google's servers are)
|
|
|
|
sadpandatech
|
|
December 19, 2011, 06:44:48 PM |
|
Did you have the same money sitting on it while you were away? Just seems strange, if so, that it would have sat there and then get snatched after you come back.
Sounds like you are taking appropriate steps. I assume you have an email that is used just for Gox and it is/was using a different password from your Gox account?
Yes, I did have it on my account, probably for about four months. It was minimal and I'd never bothered to withdraw it. My email is not used for solely Mt.Gox, but it has and always has had a different password and two-step verification, so I doubt it's been hacked. (And it's a Gmail account, not hosted locally, so as secure as Google's servers are)
It's just weird the money would sit there for 4 months and then disappear shortly after you come back. My gut tells me you got 'sniffed' somehow.
|
|
|
|
BinaryMage (OP)
|
|
December 19, 2011, 06:47:46 PM |
|
It's just weird the money would sit there for 4 months and then disappear shortly after you come back. My gut tells me you got 'sniffed' somehow.
Certainly possible. If so, what steps should I take to prevent it happening again, other than changing my password, which I've already done? My computer is on wireless, but I live essentially in the middle of nowhere; no one else lives within my wireless range, and I would certainly know if anyone got close enough to access it.
|
|
|
|
SgtSpike
|
|
December 19, 2011, 06:50:20 PM |
|
Did you have the same money sitting on it while you were away? Just seems strange, if so, that it would have sat there and then get snatched after you come back.
Sounds like you are taking appropriate steps. I assume you have an email that is used just for Gox and it is/was using a different password from your Gox account?
Yes, I did have it on my account, probably for about four months. It was minimal and I'd never bothered to withdraw it. My email is not used for solely Mt.Gox, but it has and always has had a different password and two-step verification, so I doubt it's been hacked. (And it's a Gmail account, not hosted locally, so as secure as Google's servers are)
It's just weird the money would sit there for 4 months and then disappear shortly after you come back. My gut tells me you got 'sniffed' somehow.
Agreed. You had to have a keylogger or spyware on your computer. The most recent time you logged on, a hacker got your login info, then used it to steal your coins. Just because you have an antivirus application installed does not mean you don't have a virus! I'd throw several scanners at it (Malwarebytes included) to see if it finds anything.
|
|
|
|
ineededausername
|
|
December 19, 2011, 06:59:14 PM |
|
ha! Whoever hacked you is a major idiot. Rather than waiting for more money, they withdrew your 0.3 BTC and alerted you to their presence
|
(BFL)^2 < 0
|
|
|
FlipPro
|
|
December 19, 2011, 07:04:58 PM |
|
Why is this on the main discussion section?
Should have guarded your account better, moving on..
|
|
|
|
BinaryMage (OP)
|
|
December 19, 2011, 09:09:21 PM |
|
Just because you have an antivirus application installed does not mean you don't have a virus! I'd throw several scanners at it (Malwarebytes included) to see if it finds anything.
Ran a full scan with Malwarebytes and ESET. Found nothing out of the ordinary. (Flagged some files in Metasploit install directory and the Ufasoft bitcoin miner, none of which were actual viruses)
ha! Whoever hacked you is a major idiot. Rather than waiting for more money, they withdrew your 0.3 BTC and alerted you to their presence
Yeah, I agree, it wasn't a good move. Lucky me.
Why is this on the main discussion section?
Should have guarded your account better, moving on..
I must say I'm not entirely sure what the point of your post was. I put it in the general section because I wasn't sure where to put it, as I stated in the first post. If you can tell me where I should have put it, please do so, but just saying that it's in the wrong section doesn't help me much; I'm afraid I'm not psychic. I obviously didn't guard my account well enough, as it was hacked, and that is why I came for advice on how to guard it better. If you have any tips, they would be much appreciated.
|
|
|
|
SgtSpike
|
|
December 19, 2011, 09:16:35 PM |
|
Possible that it's a new piece of malware not yet detected by A/V too... you never know.
Oh, did you receive any emails from MtGox? Did you click on any of them?
|
|
|
|
Rassah
|
|
December 19, 2011, 09:23:58 PM |
|
I hope you didn't choose to become a "MtGox Verified User" a few days ago
|
|
|
|
BinaryMage (OP)
|
|
December 19, 2011, 09:30:21 PM |
|
I hope you didn't choose to become a "MtGox Verified User" a few days ago
Oh damn. That would be it. I thought that was a strange email. Had just been getting back into Bitcoins, hadn't yet read the forums, thought it was some verification program because my account had been inactive for awhile. I probably did indeed click the link in that email. Seemed to take me to their actual website. Well, I'm at least glad they only got about a dollar worth of BTC. What nature of hack was that, and should changing my password be enough?
|
|
|
|
ineededausername
|
|
December 19, 2011, 09:43:27 PM |
|
I hope you didn't choose to become a "MtGox Verified User" a few days ago
Oh damn. That would be it. I thought that was a strange email. Had just been getting back into Bitcoins, hadn't yet read the forums, thought it was some verification program because my account had been inactive for awhile. I probably did indeed click the link in that email. Seemed to take me to their actual website. Well, I'm at least glad they only got about a dollar worth of BTC. What nature of hack was that, and should changing my password be enough?
oh wow... so they managed to get someone with that. :\
|
|
|
|
sadpandatech
|
|
December 19, 2011, 09:47:49 PM Last edit: December 19, 2011, 10:14:49 PM by sadpandatech |
|
I hope you didn't choose to become a "MtGox Verified User" a few days ago
Oh damn. That would be it. I thought that was a strange email. Had just been getting back into Bitcoins, hadn't yet read the forums, thought it was some verification program because my account had been inactive for awhile. I probably did indeed click the link in that email. Seemed to take me to their actual website. Well, I'm at least glad they only got about a dollar worth of BTC. What nature of hack was that, and should changing my password be enough?
Good catch, Rassah. Yea, change your gox password and of course your email password. Do the email first. I'd probably go as far as just making a new email acct and changing that too for Gox.
Only good advice I can give you, since you use peerblock and tor, is of course to make sure to use them that 100% of the time. And, never respond to emails. Any time you get an email informing you to do something go to the site directly and not via the email itself. I'm suspicious of ANY email I get these days. The guys phishing spend a lot more time than they used to on making it look as legit as possible. Another option, depending on how strong your mail client is, would be to block ALL emails except those that originate from the mail host of the service/site you are using that email for. And here, I am not sure off hand which mail services check the source to rule out spoofed headers. So, check those headers, always. =)
Cheers
|
|
|
|
Rassah
|
|
December 19, 2011, 10:09:41 PM |
|
I hope you didn't choose to become a "MtGox Verified User" a few days ago
Oh damn. That would be it. I thought that was a strange email. Had just been getting back into Bitcoins, hadn't yet read the forums, thought it was some verification program because my account had been inactive for awhile. I probably did indeed click the link in that email. Seemed to take me to their actual website. Well, I'm at least glad they only got about a dollar worth of BTC. What nature of hack was that, and should changing my password be enough?
The link in that email just takes you to something like mlgox.ni or something, instead of MtGox.com. Just standard phishing email with an address that looks legit if you don't look too close. Someone else was complaining about how they almost fell for it because they couldn't quite make out the url on their small mobile phone screen.
|
|
|
|
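The lookalike-link check discussed in the posts above (a link to something like mlgox.ni instead of MtGox.com), as an added example that is not part of any post in this thread. It assumes the mailbox only ever expects links to `mtgox.com`; the sample message is constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

TRUSTED = "mtgox.com"  # assumption: the only domain this mailbox expects links to

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, trusted=TRUSTED, max_dist=2):
    """Label a link hostname 'trusted', 'lookalike' or 'unrelated'."""
    host = (host or "").lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]
    labels = host.split(".")
    # Naive: treats the label before the TLD as the registered name
    # (no Public Suffix List), which is enough for this illustration.
    name = labels[-2] if len(labels) >= 2 else labels[0]
    if edit_distance(name, brand) <= max_dist or brand in labels:
        return "lookalike"
    return "unrelated"

def audit_links(raw_email):
    """Return (url, verdict) for every http(s) link in the message body."""
    body = message_from_string(raw_email).get_payload()
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [(u, classify_host(urlsplit(u).hostname)) for u in urls]

# Constructed sample message; the lookalike host is the one quoted in the thread.
SAMPLE = """\
From: "Mt.Gox" <support@mtgox.com>
Subject: Become a MtGox Verified User

Verify here: http://mlgox.ni/verify
Support: https://support.mtgox.com/help
Unrelated: http://example.org/
"""

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE):
        print(f"{verdict:10} {url}")
```

The verdict depends only on the link's hostname, never on the From header or the display text, since both of those are under the sender's control.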
SgtSpike
|
|
December 19, 2011, 10:18:30 PM |
|
At least we found the source of the problem... that doesn't always happen!
|
|
|
|
BinaryMage (OP)
|
|
December 19, 2011, 10:31:33 PM |
|
oh wow... so they managed to get someone with that. :\
Yup. Man, do I feel stupid... First time I've ever fallen prey to that sort of thing. Ah well, losses were minor; it ended much better than it could have.
Good catch, Rassah. Yea, change your gox password and of course your email password. Do the email first. I'd probably go as far as just making a new email acct and changing that too for Gox.
Only good advice I can give you, since you use peerblock and tor, is of course to make sure to use them that 100% of the time. And, never respond to emails. Any time you get an email informing you to do something go to the site directly and not via the email itself. I'm suspicious of ANY email I get these days. The guys phishing spend a lot more time than they used to making it look as legit as possible. Another option, depending on how strong your mail client is, would be to block ALL emails except those that originate from the mail host of the service/site you are using that email for. And here, I am not sure off hand which mail services check the source to rule out spoofed headers. So, check those headers, always. =)
Cheers
Alright, thank you for the advice. I must have just not been paying attention... Usually I do check the headers, but apparently not this time... I suppose I'm also used to seeing phishing scams written in bad English. Seems Bitcoin at least has a higher class of phishers.
The link in that email just takes you to something like mlgox.ni or something, instead of MtGox.com. Just standard phishing email with an address that looks legit if you don't look too close. Someone else was complaining about how they almost fell for it because they couldn't quite make out the url on their small mobile phone screen.
Yeah, I thought it was a Japanese TLD. Or, to put it more accurately, I didn't think.... And then it redirected to the main site, so I didn't think much of it... Thank you all for your excellent advice! It's wonderful to find the cause of this so quickly. It is quite refreshing to be back to these forums, one of the few places on the internet where you can expect civil, intelligent replies.
|
|
|
|
sadpandatech
|
|
December 19, 2011, 10:37:29 PM |
|
No need to feel stupid, imho. Everyone has clicked on one of those damn things. Most people are just too proud to admit it. ;p
|
|
|
|
|
BinaryMage (OP)
|
|
December 19, 2011, 10:46:05 PM |
|
No need to feel stupid, imho. Everyone has clicked on one of those damn things. Most people are just too proud to admit it. ;p
Being too proud to admit it is only one step away from being too proud to rectify it. And the latter is truly dangerous.
|
|
|
|
|