[2014-07-16] Data Breach Bulletin: Silk Road Bitcoin Prospective Bidder Loses $6

[erono]

http://www.forbes.com/sites/katevinton/2014/07/15/data-breach-bulletin-silk-road-bitcoin-bidder-loses-62000-to-phishing-scheme/

Silk Road Phishing – Three weeks ago, I reported on a breach that seemed more embarrassing than actually concerning—the U.S. Marshals Service accidentally CC’d 40 potential Silk Road Bitcoin bidders instead of BCC’ing them. Thanks to a phishing scheme that took advantage of this slipup, though, an Australian bidder lost 100 Bitcoin—worth an estimated $62,000—according to SC Magazine. Several of the 40 email recipients received a phishing email on June 21st, from someone who (falsely) claimed to be from BitFirm Productions, according to MoneyBeat. The email asked the recipient to participate in a survey for a media client, and those who agreed received a link to what was supposed to be a GoogleDoc. Instead, the link contained malware. When Sam Lee, co-founder of Bitcoins Reserve in Australia, clicked the link, his computer was infected with malware, allowing hackers to transfer 100 Bitcoin out of his account. Moral of the story? Don’t click links in emails. Just don’t do it.

[1715498095]

1715498095

[1715498095]

1715498095

[lyth0s]

http://www.forbes.com/sites/katevinton/2014/07/15/data-breach-bulletin-silk-road-bitcoin-bidder-loses-62000-to-phishing-scheme/

Silk Road Phishing – Three weeks ago, I reported on a breach that seemed more embarrassing than actually concerning—the U.S. Marshals Service accidentally CC’d 40 potential Silk Road Bitcoin bidders instead of BCC’ing them. Thanks to a phishing scheme that took advantage of this slipup, though, an Australian bidder lost 100 Bitcoin—worth an estimated $62,000—according to SC Magazine. Several of the 40 email recipients received a phishing email on June 21st, from someone who (falsely) claimed to be from BitFirm Productions, according to MoneyBeat. The email asked the recipient to participate in a survey for a media client, and those who agreed received a link to what was supposed to be a GoogleDoc. Instead, the link contained malware. When Sam Lee, co-founder of Bitcoins Reserve in Australia, clicked the link, his computer was infected with malware, allowing hackers to transfer 100 Bitcoin out of his account. Moral of the story? Don’t click links in emails. Just don’t do it.

One of the biggest problems there is why did he store 100 bitcoins on the same PC he uses to check his email etc with?

[Ron~Popeil]

You would think someone that has enough money on hand to bid in that auction would have better security in place. I hate to see anyone get robbed but even my tiny stake is protected better than that.

[freedomno1]

Wow that would suck not only did they lose the Silk Road Auction but their coins were stolen as well
It just goes to show that people sometimes don't follow the proper security procedures
That or they didn't have antivirus ?

[LiteCoinGuy]

http://www.forbes.com/sites/katevinton/2014/07/15/data-breach-bulletin-silk-road-bitcoin-bidder-loses-62000-to-phishing-scheme/

Silk Road Phishing – Three weeks ago, I reported on a breach that seemed more embarrassing than actually concerning—the U.S. Marshals Service accidentally CC’d 40 potential Silk Road Bitcoin bidders instead of BCC’ing them. Thanks to a phishing scheme that took advantage of this slipup, though, an Australian bidder lost 100 Bitcoin—worth an estimated $62,000—according to SC Magazine. Several of the 40 email recipients received a phishing email on June 21st, from someone who (falsely) claimed to be from BitFirm Productions, according to MoneyBeat. The email asked the recipient to participate in a survey for a media client, and those who agreed received a link to what was supposed to be a GoogleDoc. Instead, the link contained malware. When Sam Lee, co-founder of Bitcoins Reserve in Australia, clicked the link, his computer was infected with malware, allowing hackers to transfer 100 Bitcoin out of his account. Moral of the story? Don’t click links in emails. Just don’t do it.

One of the biggest problems there is why did he store 100 bitcoins on the same PC he uses to check his email etc with?

yep. alot of people are so stupid in storing their btc 

[cryptofan5]

http://www.forbes.com/sites/katevinton/2014/07/15/data-breach-bulletin-silk-road-bitcoin-bidder-loses-62000-to-phishing-scheme/

Silk Road Phishing – Three weeks ago, I reported on a breach that seemed more embarrassing than actually concerning—the U.S. Marshals Service accidentally CC’d 40 potential Silk Road Bitcoin bidders instead of BCC’ing them. Thanks to a phishing scheme that took advantage of this slipup, though, an Australian bidder lost 100 Bitcoin—worth an estimated $62,000—according to SC Magazine. Several of the 40 email recipients received a phishing email on June 21st, from someone who (falsely) claimed to be from BitFirm Productions, according to MoneyBeat. The email asked the recipient to participate in a survey for a media client, and those who agreed received a link to what was supposed to be a GoogleDoc. Instead, the link contained malware. When Sam Lee, co-founder of Bitcoins Reserve in Australia, clicked the link, his computer was infected with malware, allowing hackers to transfer 100 Bitcoin out of his account. Moral of the story? Don’t click links in emails. Just don’t do it.

I can't agree more: never click on any links in e-mails!

[runam0k]

One of the biggest problems there is why did he store 100 bitcoins on the same PC he uses to check his email etc with?

^ Actually, it's very much a problem for Bitcoin generally.  People need to be able to use Bitcoin on their home PC without fear of losing all their bitcoins.  Most people only have one PC!  Something like 2FA as standard for wallet apps would do it.  Granted, in this case, knowing he would likely be a target, the bitcoins should have been in cold storage.  However, if we ever expect parents, grandparents and less tech savvy people to use Bitcoin, they need to be able to do so using their home PC, with only basic virus and firewall protection.

(Actually, I'd recommend mobile phone apps above PC/Mac clients.  Mycelium is excellent for new users, if they have an Android phone.  The wallet is safe on the phone (and sending can be restricted by a pin number) and the backup Mycelium generates is easily printed and prepared.)

[Bit_Happy]

Treat every email as if you know it was sent by a hacker... 
..even better, delete them all without reading any, too much spam anyway.

[bitbouillion]

http://www.forbes.com/sites/katevinton/2014/07/15/data-breach-bulletin-silk-road-bitcoin-bidder-loses-62000-to-phishing-scheme/Moral of the story?

One of the biggest problems there is why did he store 100 bitcoins on the same PC he uses to check his email etc with?

... and encrypt and use a decent OS. It's so simple to do that. He made multiple mistakes. It's like having my intent and my home address public and then I leave the door open and put a pile of money on the table.

[cr1776]

...However, if we ever expect parents, grandparents and less tech savvy people to use Bitcoin, they need to be able to do so using their home PC, with only basic virus and firewall protection. ...

The problem is not (solely) with bitcoin, the problem is with insecure PCs (or bad Android PRNGs or bugs in OpenSSL etc).  

Blaming bitcoin is like saying, "if we expect people to use cash, they have to be able to do so with their wallets while at the same time allowing them to leave their wallets full of cash anywhere they visit and expecting them to remain secure overnight with anyone else being able to handle them."  Is it the fault of cash that the money would probably be stolen?  No, it is the fault of the person who leaves the wallet insecure - in this case both the OS manufacturer and the consumer who continues to buy an insecure OS.

I agree that if we expect others to use bitcoin security must be improved, but even grandparents know you can't leave cash on the counter with your house unlocked while you are out of town for the summer.  They need to learn the same thing about their Windows machine.  Perhaps if Microsoft, Google, Apple and other manufacturers were liable for security breaches, things would improve, but that is about as likely as the earth starting to reverse its spin in the next minute.


p.s.  The headline made me think this was going to be some type of joke - "... Loses $6".

[CoinMode]

http://www.forbes.com/sites/katevinton/2014/07/15/data-breach-bulletin-silk-road-bitcoin-bidder-loses-62000-to-phishing-scheme/

Silk Road Phishing – Three weeks ago, I reported on a breach that seemed more embarrassing than actually concerning—the U.S. Marshals Service accidentally CC’d 40 potential Silk Road Bitcoin bidders instead of BCC’ing them. Thanks to a phishing scheme that took advantage of this slipup, though, an Australian bidder lost 100 Bitcoin—worth an estimated $62,000—according to SC Magazine. Several of the 40 email recipients received a phishing email on June 21st, from someone who (falsely) claimed to be from BitFirm Productions, according to MoneyBeat. The email asked the recipient to participate in a survey for a media client, and those who agreed received a link to what was supposed to be a GoogleDoc. Instead, the link contained malware. When Sam Lee, co-founder of Bitcoins Reserve in Australia, clicked the link, his computer was infected with malware, allowing hackers to transfer 100 Bitcoin out of his account. Moral of the story? Don’t click links in emails. Just don’t do it.

The title of this post should be "[2014-07-16] Forbes: Silk Road Bitcoin Prospective Bidder Loses $62,000"

This is not my opinion.

[oceans]

I never open any email that looks fishy even in the slightest. I suggest everyone else do the same. I would never download anything that someone is trying to send over skype.
Also keep your coins stored offline will save you a lot of headache.

[aspiring]

Hi All,

Just came across the story, thanks for sharing your thoughts. The Forbes article is very poorly written, skewed the facts from source articles.

Please have a read of the below, which better summarises what actually happened.
http://www.abc.net.au/news/2014-07-03/melbourne-bitcoin-trader-loses-70000-to-hacker/5567292

• My computer was never infected with malware, it was a successful phishing attack that gave them access to my emails
• The hacker never "transferred" 100 bitcoins away all by themselves, it was sent to them by our staff after they carried out an elaborate social engineering edge case

If anything else, feel free to drop me a PM.

Cheers,
Sam