Topic: [WARNING] Attack on freebitco.in account - page 3. (Read 915 times)

newbie
Activity: 22
Merit: 1
April 11, 2024, 01:45:09 PM
#1
Hi,
I would like to share my recent experience using freebitco.in.
There were some attack attempts on my account.
I have been using fbc for years and I've never had any serious problems with the platform.

So, to the point.
I have faced two issues. The first one started about a week ago.

1. Fake notification about change of deposit address.
There was a notification placed on the main page and looked exactly like any other notification on fbc.
You know, yellow rectangle in a frame.
Same colors, same fonts, i.e.:
https://www.talkimg.com/images/2024/04/11/jAOVP.png

There was information about a change in the deposit address - something more or less like "Please note that your deposit address have been change to segwit P2SH format. Depositing to your old address will be charged of additional fee."
By clicking on the Deposit button there was indeed a new bitcoin address starting with the digit '3...'
It looked very convincing, but I ignored this notification because I didn't plan to make any deposit soon.

I found at least three other users on this forum who faced the same issue:
Below you can find another user's screenshot - I have just marked parts of this false notification. It's only partially visible in the background.
https://www.talkimg.com/images/2024/04/11/jAWpq.png

According to messages from these users, they actually deposited some funds to the new addresses but they were never credited to their fbc account (they even posted their User IDs, TX hashes etc.).

Like I said before, I did not pay much attention to it because I didn't plan to make a deposit, but this notification was somehow added/injected into the website's HTML code.
The notification looked very convincing but I just wasn't interested in it.
I simply ignored it and I was using fbc as usual.
Besides this notification everything looked and worked as always.
As usual I was claiming free rolls, WoFs, free spins from emails, playing Hi-Lo etc.

After a few days, this notification disappeared and the deposit address went back to the previous one - the legacy format starting with '1...'
My thoughts were that they just performed a rollback of this change and that's all.

On 9th April I faced second issue.

2. XSS attack?

During another session in the Hi-Lo game suddenly my account was locked.
Instead of fbc website there was a blank page with a message:
"Your account is locked. Please contact @hallohap_1 on telegram or [email protected] email. Failure to comply will result to a lost of funds"

I was quite shocked.
I have only one account, I have never used any VPNs or bots.
As usual I was just using the built-in "auto-bet" feature and that's all.

I sent a message to [email protected] asking what happened.

After a few hits of the refresh button in my browser, the block page changed to:
"Your account is locked. Please contact @hallohap_1 on telegram or [email protected] email. Failure to comply will result to a lost of funds"
https://www.talkimg.com/images/2024/04/09/VeLqf.png

So, I sent the same message to the new e-mail address.
Then started a typical ransom scheme. At this point I didn't know how the attacker achieved it, so for me the threat was real.
I've got a response:
"Your browser is hacked. Send 0.5 btc to bc1qhrdvuxrealra5xm7qsu9tyh06k3frcrzuvsms7 to unlock it. Why trust me? I cant withdraw your money because it needs otp and email. Ill wait 1hr before I drain it"

I knew that sending 0.5 BTC was pointless so I started to investigate this attack.
After some time I got another message from the attacker that I was running out of time.
I tried to gain some time for myself by tricking him.
https://www.talkimg.com/images/2024/04/11/jHGF1.png

I wiped my entire browser history, tried a different browser in private/incognito mode, I changed the device to a clean PC with a different operating system, I even changed DNS servers - everything was exactly the same - a blank page with the message about a locked account.
And this all happened with 2FA enabled.
Then, I started checking logs. In the developer tools built into the browser I saw entries about loading of a strange JS script from https://cashtravel.info/forum/main.js. I blocked it with the "NoScript" browser plugin, and after that the fbc page was unlocked.
Extremely stressed, not thinking much, I went straight to the Withdraw button and chose the Instant method.
At that point I didn't know how the attacker performed this scam, so I was afraid that he would replace the withdrawal address on the fly or hijack the OTP - but I had no other options.
Fortunately I was able to withdraw all my BTC funds.
The Instant method worked out well and after ~30min I had all my funds confirmed and stored in my wallet.

How did it happen?
I'm not sure.
I have 2FA enabled, I used a clean device and the issue was still visible. My fbc account email is used only for fbc purposes, so there was no chance for any phishing attacks.
I also don't believe that the attacker actually compromised my entire network or all the devices I have. For me it's impossible, or at least it would cost too much effort.

From my point of view the attacker found some vulnerability in fbc or a 3rd party service they use and managed to exploit it.
I suppose that the attacker somehow injected a link to an external source with a malicious script.
In the source code of this malicious script there were hardcoded user IDs. He managed to hijack sessions from specific users.

Why and how was I attacked?
I believe that the attacker was targeting high rollers and taking user IDs from the wagering leaderboard.
For a few days in a row my user ID was shown in the top 10 of the wagering contest.

It's hard to prove anything now.
At some point the script was changed and removed.
Source of one version of this script can be found under https://pastebin.ai/eo0q78pbuj
This particular script was prepared to attack the user with ID 31898443 who won the daily jackpot on 2024-04-08.

At present there is no script at https://cashtravel.info/forum/main.js
I believe that the attacker deleted it to cover his tracks.

On my account I still have an injected link to the malicious script.
I have blocked it from executing but it's still present in the HTML code.
https://www.talkimg.com/images/2024/04/09/j2Gi8.png
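The check the poster did by hand in the browser developer tools (spotting a script loaded from a host that does not belong to the site) can be automated. The following is an added example, not code from the post or from freebitco.in: it pulls every `<script src=...>` out of a served HTML document, resolves each source to a hostname, and reports any host that is not on an allowlist of first-party script hosts. The allowlist and the sample HTML are constructed for illustration; the injected URL in the sample is the one the post reports seeing.

```javascript
// Added example (not from the original post): audit the <script src=...> tags in a
// served HTML document and report every external script whose host is not on an
// allowlist of hosts the site is expected to load scripts from. A user or a site
// operator can run this over a saved copy of the page to notice an injected
// third-party script without reading the whole source by hand.

// Matches a <script> tag carrying a src attribute (double-quoted, single-quoted
// or unquoted) and captures the attribute value.
const SCRIPT_TAG_RE = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

// Hosts the page is expected to load scripts from (constructed allowlist).
const ALLOWED_SCRIPT_HOSTS = new Set(["freebitco.in", "www.freebitco.in"]);

// Extract every script src value from an HTML string, in document order.
function extractScriptSources(html) {
  const sources = [];
  let match;
  while ((match = SCRIPT_TAG_RE.exec(html)) !== null) {
    sources.push(match[1] ?? match[2] ?? match[3]);
  }
  return sources;
}

// Resolve a src value to a lowercase hostname; relative and protocol-relative
// URLs resolve against the page URL. Malformed values yield null so that the
// caller reports them instead of silently skipping them.
function hostOf(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Return the script sources whose host is not on the allowlist.
function findUnexpectedScripts(html, pageUrl, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  for (const src of extractScriptSources(html)) {
    const host = hostOf(src, pageUrl);
    if (host === null || !allowedHosts.has(host)) {
      findings.push({ src, host });
    }
  }
  return findings;
}

// Constructed sample page: two legitimate first-party scripts plus one injected
// external script (the URL reported in the post).
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript" src='https://www.freebitco.in/js/hilo.js'></script>
<script src="https://cashtravel.info/forum/main.js"></script>
</head><body>...</body></html>`;

// Stand-alone run: print each unexpected script source with its host.
for (const finding of findUnexpectedScripts(SAMPLE_HTML, "https://freebitco.in/")) {
  console.log(`unexpected script: ${finding.src} (host ${finding.host})`);
}
```

Against the sample, only `https://cashtravel.info/forum/main.js` is reported; the relative `/static/app.js` resolves to the page's own host and passes. Run it over the HTML the browser actually received (the saved page source, or the response body from the network tab), since an injected tag that the server adds per user will not show up in a copy fetched from a different, unaffected account.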