8 BTC loan request | Bitcointalksearch.org

jake262144

full member

Activity: 210

Merit: 100

That's an awsome job sieving out the compromised accounts, Theymos. Thumbs up!
Do you think we can we make a warning sticky out of this thread in a more visible place than Meta?

All I can say is, don't re-purpose passwords, damn it! Roll Eyes

At the very least add a pseudo-random suffix to the "core password" if you really can do no better:

Code:

1dJpoorpassword
bB4poorpassword
UxTpoorpassword
...

This approach will save you against a leaked password list being tested across multiple servers. Only three additional characters to remember in this example.

Also, it's not prudent to use the same username everywhere. Not only does this greatly simplify password attacks but it is also a hazard to your internet privacy.
Try adding some variation here as well, k? E.g.

Code:

jim
jimmy
jimbo
...

That significantly raises the bar for any attacker trying to track you across different servers.

theymos

administrator

Activity: 5222

Merit: 13032

Two of the people with compromised accounts report that they were using the same password they used on MtGox, so it seems likely that the MtGox list is the source.

PatrickHarnett

hero member

Activity: 518

Merit: 500

Quote from: theymos on January 28, 2012, 01:12:22 AM

You were right about epii. I found another IP and set of users taken by the attacker:
50.30.33.111
darvil, epii, Clarithium, borito4, tachi641, pharno, Iyeman

Thanks Theymos.

theymos

administrator

Activity: 5222

Merit: 13032

You were right about epii. I found another IP and set of users taken by the attacker:
50.30.33.111
darvil, epii, Clarithium, borito4, tachi641, pharno, Iyeman

BadBear

legendary

Activity: 1652

Merit: 1128

Quote from: dree12 on January 27, 2012, 08:07:40 PM

Quote from: BadBear on January 27, 2012, 07:23:53 PM

Just gonna leave this here.
https://lastpass.com/

My password is NTFS encryped and stored on my HD, only accessed when I need to log in. I don't see how LastPass will make this any better.

Then you aren't the target audience for the post Wink

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: BadBear on January 27, 2012, 07:23:53 PM

Just gonna leave this here.
https://lastpass.com/

My password is NTFS encryped and stored on my HD, only accessed when I need to log in. I don't see how LastPass will make this any better.

BadBear

legendary

Activity: 1652

Merit: 1128

Just gonna leave this here.
https://lastpass.com/

Keninishna

hero member

Activity: 556

Merit: 500

Quote from: theymos on January 27, 2012, 04:58:21 PM

How was your account compromised? Did you have a very weak password?

A few other users claim to have had their accounts compromised today, though these users were just posting useless garbage, not scamming. The attacker seems to come from 83.167.240.*.

My password was probably medium strength but I haven't changed it since I registered on the forum. So its possible one of the forum leaks had compromised it.

bitlane

sr. member

Activity: 462

Merit: 250

I heart thebaron

Quote from: theymos on January 27, 2012, 05:19:48 PM

I'm pretty sure these accounts were compromised, so I've marked them all as scammers:
bitbetter
Gluskab
brunoshady
killer2021
kuba_10
Sjalq
madload

It looks like the attacker is just trying a few super common passwords on a bunch of user accounts.

Quote from: copumpkin on January 27, 2012, 05:02:28 PM

I'm not sure if this is legit or not, but this guy also hadn't posted in ages and then suddenly asked for a loan (and got one, sadly, and doesn't seem to have bothered giving any responses to questions after the loan request):

https://bitcointalksearch.org/user/epii-7110

He's using very different IP ranges, at least.

...further 'revenge' of the Mt.Gox email/password list again/still ?

theymos

administrator

Activity: 5222

Merit: 13032

I'm pretty sure these accounts were compromised, so I've marked them all as scammers:
bitbetter
Gluskab
brunoshady
killer2021
kuba_10
Sjalq
madload

It looks like the attacker is just trying a few super common passwords on a bunch of user accounts.

Quote from: copumpkin on January 27, 2012, 05:02:28 PM

I'm not sure if this is legit or not, but this guy also hadn't posted in ages and then suddenly asked for a loan (and got one, sadly, and doesn't seem to have bothered giving any responses to questions after the loan request):

https://bitcointalksearch.org/user/epii-7110

He's using very different IP ranges, at least.

JusticeForYou

vip

Activity: 490

Merit: 271

Quote from: copumpkin on January 27, 2012, 04:54:07 PM

Quote from: JusticeForYou on January 27, 2012, 04:51:12 PM

Quote from: Keninishna on January 27, 2012, 04:21:54 AM

well this has taught me to start using a pgp key or something.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

May I suggest signing your requests with a gpg signature. Then at least they will need to steal your forum password, your computer, your passphrase, and understand how to use gpg.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJPIxwyAAoJEB2k6OhXVIbD9OgP/1YuJkhHQt3dcvgexzh3XRcj
zQCz3xMy38pB1OgnSSkX5SfSJn7cIoTadGdRmB+bUXm0dv5uGZbKGSpd1JtvQAkO
4XgmwRpP9LePKf4/vIwsMgX3JtF97l9rJByJarxAbCyElLVfht7xaPrue6jYkOE2
VGHXlDCscJxMgNnB5kSUuPoae291gZWSDCGpB4BiuU38EJmRV2+PKhBkmI1KDSWj
Ddw9JhYOE9olm5Y5L5bHQF3bgRLRTBSFn973QKmFbGJicLwnIrrHoA3wTqtqBfGd
6/JJ+qnRPH96gFzZuVob784aZo81EIB8SrXqirDMzj1B3ap3P+yl4sG/rpdlRnyR
BtgNn7k5E6IeSZ6EQGQWpoY42UUZRV5/N6xK0T9mS7T2lTmEMKkg/ED9cKbb3Tad
urCTk7IIkHRPbHiEO73PX0EIeT2lbchjuFKuLkWrBpuKLykgDTp8ttiAyczCG2J2
xaeWYopEg0Rj7O/yYChCHJpz5BOr631jOnZc0oLrfZEAM3YjAepF1+DEAyo46kiB
DiFlbMW+hsoRQ+qRB8OPYtrohc1eUHD6FjOWj/pLQeKdnY/9gq4kRDTaqv4nrOMt
gr+79UoyDjjdD0VYRQ6PglfFHFuoToxP+6p3zJO2bkeTjtFQOxnTLHdilLLbsjFY
MXkl+jNhCbk60nwKhNlB
=2AV+
-----END PGP SIGNATURE-----

Well, the issue there is that there's no strong connection between someone's GPG identity and their forum identity. A scammer could easily generate a new key and sign messages with that. There need to be write-once fields in one's forum profile to set a key identity so nobody can change it after taking control of your account

Of course, depending on how badly compromised the forum gets, they could just change the field in the database and we'd be screwed either way. This is why we need a strong crypto-based decentralized loan/reputation system

Copumpkin,

Correct, I falsely assumed they would have a WoT correlation. Which if they didn't, I wouldn't 'loan' to them.

copumpkin

donator

Activity: 266

Merit: 252

I'm actually a pineapple

Quote from: theymos on January 27, 2012, 04:58:21 PM

How was your account compromised? Did you have a very weak password?

A few other users claim to have had their accounts compromised today, though these users were just posting useless garbage, not scamming. The attacker seems to come from 83.167.240.*.

I'm not sure if this is legit or not, but this guy also hadn't posted in ages and then suddenly asked for a loan (and got one, sadly, and doesn't seem to have bothered giving any responses to questions after the loan request):

https://bitcointalksearch.org/user/epii-7110

theymos

administrator

Activity: 5222

Merit: 13032

How was your account compromised? Did you have a very weak password?

A few other users claim to have had their accounts compromised today, though these users were just posting useless garbage, not scamming. The attacker seems to come from 83.167.240.*.

Keninishna

hero member

Activity: 556

Merit: 500

For an example loan request:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I need a loan for 8 btc
send to: 1QFgyRpGW2oX1JJHZvuaigW4ByDDVSbZVp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPIx0fAAoJEKHSMtujN58ELa4H/2oiIfvKLB7s/huM6/PsU8SR
PA86AWofv52xMb6L3iFnvEF+iaotmL43M8Py1FnJPHIQeA6q1xJFHBKVQzR3c1rJ
n2JiuyeZ6h9qtJg5WYeyhpuWZCxbOjyO/fmmhdCzF0pQoHHjKcwtqaR3HqDeYMnP
YK82bNXSMbl2BzHymDdC3Uymu/6/mPd6kcwkvk6E+548WPf2zadlvKvFaeffBJtJ
srxDoXv8fYmT+9pmAmbKVrwQqpMEAPkSmRhJwcLDpOs9Z0Cq2bPiHXFWiAZezB9U
+0cVAU5i2VPzcJrS6hMGM54iEjFaXU30rjKYqqV5PImSfMw11vhEM5BzT4Iwmhg=
=IFlf
-----END PGP SIGNATURE-----

copumpkin

donator

Activity: 266

Merit: 252

I'm actually a pineapple

Quote from: Keninishna on January 27, 2012, 04:52:59 PM

but the link in my sig points to an external site which the hijacker does not have control over. Plus the address is crypto signed by me which you can verify via open pgp http://www.slideshare.net/poustchi/how-to-use-openpgp-for-email-encryption-signing

My point is that the attacker can change your sig to point to another key on the same external site that's under his control, instead of yours. Or he could just change your sig to not point to a key at, and I doubt anyone would notice.

copumpkin

donator

Activity: 266

Merit: 252

I'm actually a pineapple

Quote from: JusticeForYou on January 27, 2012, 04:51:12 PM

Quote from: Keninishna on January 27, 2012, 04:21:54 AM

well this has taught me to start using a pgp key or something.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

May I suggest signing your requests with a gpg signature. Then at least they will need to steal your forum password, your computer, your passphrase, and understand how to use gpg.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJPIxwyAAoJEB2k6OhXVIbD9OgP/1YuJkhHQt3dcvgexzh3XRcj
zQCz3xMy38pB1OgnSSkX5SfSJn7cIoTadGdRmB+bUXm0dv5uGZbKGSpd1JtvQAkO
4XgmwRpP9LePKf4/vIwsMgX3JtF97l9rJByJarxAbCyElLVfht7xaPrue6jYkOE2
VGHXlDCscJxMgNnB5kSUuPoae291gZWSDCGpB4BiuU38EJmRV2+PKhBkmI1KDSWj
Ddw9JhYOE9olm5Y5L5bHQF3bgRLRTBSFn973QKmFbGJicLwnIrrHoA3wTqtqBfGd
6/JJ+qnRPH96gFzZuVob784aZo81EIB8SrXqirDMzj1B3ap3P+yl4sG/rpdlRnyR
BtgNn7k5E6IeSZ6EQGQWpoY42UUZRV5/N6xK0T9mS7T2lTmEMKkg/ED9cKbb3Tad
urCTk7IIkHRPbHiEO73PX0EIeT2lbchjuFKuLkWrBpuKLykgDTp8ttiAyczCG2J2
xaeWYopEg0Rj7O/yYChCHJpz5BOr631jOnZc0oLrfZEAM3YjAepF1+DEAyo46kiB
DiFlbMW+hsoRQ+qRB8OPYtrohc1eUHD6FjOWj/pLQeKdnY/9gq4kRDTaqv4nrOMt
gr+79UoyDjjdD0VYRQ6PglfFHFuoToxP+6p3zJO2bkeTjtFQOxnTLHdilLLbsjFY
MXkl+jNhCbk60nwKhNlB
=2AV+
-----END PGP SIGNATURE-----

Well, the issue there is that there's no strong connection between someone's GPG identity and their forum identity. A scammer could easily generate a new key and sign messages with that. There need to be write-once fields in one's forum profile to set a key identity so nobody can change it after taking control of your account

Of course, depending on how badly compromised the forum gets, they could just change the field in the database and we'd be screwed either way. This is why we need a strong crypto-based decentralized loan/reputation system

Keninishna

hero member

Activity: 556

Merit: 500

exactly

Quote from: JusticeForYou on January 27, 2012, 04:51:12 PM

Quote from: Keninishna on January 27, 2012, 04:21:54 AM

well this has taught me to start using a pgp key or something.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

May I suggest signing your requests with a gpg signature. Then at least they will need to steal your forum password, your computer, your passphrase, and understand how to use gpg.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJPIxwyAAoJEB2k6OhXVIbD9OgP/1YuJkhHQt3dcvgexzh3XRcj
zQCz3xMy38pB1OgnSSkX5SfSJn7cIoTadGdRmB+bUXm0dv5uGZbKGSpd1JtvQAkO
4XgmwRpP9LePKf4/vIwsMgX3JtF97l9rJByJarxAbCyElLVfht7xaPrue6jYkOE2
VGHXlDCscJxMgNnB5kSUuPoae291gZWSDCGpB4BiuU38EJmRV2+PKhBkmI1KDSWj
Ddw9JhYOE9olm5Y5L5bHQF3bgRLRTBSFn973QKmFbGJicLwnIrrHoA3wTqtqBfGd
6/JJ+qnRPH96gFzZuVob784aZo81EIB8SrXqirDMzj1B3ap3P+yl4sG/rpdlRnyR
BtgNn7k5E6IeSZ6EQGQWpoY42UUZRV5/N6xK0T9mS7T2lTmEMKkg/ED9cKbb3Tad
urCTk7IIkHRPbHiEO73PX0EIeT2lbchjuFKuLkWrBpuKLykgDTp8ttiAyczCG2J2
xaeWYopEg0Rj7O/yYChCHJpz5BOr631jOnZc0oLrfZEAM3YjAepF1+DEAyo46kiB
DiFlbMW+hsoRQ+qRB8OPYtrohc1eUHD6FjOWj/pLQeKdnY/9gq4kRDTaqv4nrOMt
gr+79UoyDjjdD0VYRQ6PglfFHFuoToxP+6p3zJO2bkeTjtFQOxnTLHdilLLbsjFY
MXkl+jNhCbk60nwKhNlB
=2AV+
-----END PGP SIGNATURE-----

Keninishna

hero member

Activity: 556

Merit: 500

but the link in my sig points to an external site which the hijacker does not have control over. Plus the address is crypto signed by me which you can verify via open pgp http://www.slideshare.net/poustchi/how-to-use-openpgp-for-email-encryption-signing

JusticeForYou

vip

Activity: 490

Merit: 271

Quote from: Keninishna on January 27, 2012, 04:21:54 AM

well this has taught me to start using a pgp key or something.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

May I suggest signing your requests with a gpg signature. Then at least they will need to steal your forum password, your computer, your passphrase, and understand how to use gpg.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJPIxwyAAoJEB2k6OhXVIbD9OgP/1YuJkhHQt3dcvgexzh3XRcj
zQCz3xMy38pB1OgnSSkX5SfSJn7cIoTadGdRmB+bUXm0dv5uGZbKGSpd1JtvQAkO
4XgmwRpP9LePKf4/vIwsMgX3JtF97l9rJByJarxAbCyElLVfht7xaPrue6jYkOE2
VGHXlDCscJxMgNnB5kSUuPoae291gZWSDCGpB4BiuU38EJmRV2+PKhBkmI1KDSWj
Ddw9JhYOE9olm5Y5L5bHQF3bgRLRTBSFn973QKmFbGJicLwnIrrHoA3wTqtqBfGd
6/JJ+qnRPH96gFzZuVob784aZo81EIB8SrXqirDMzj1B3ap3P+yl4sG/rpdlRnyR
BtgNn7k5E6IeSZ6EQGQWpoY42UUZRV5/N6xK0T9mS7T2lTmEMKkg/ED9cKbb3Tad
urCTk7IIkHRPbHiEO73PX0EIeT2lbchjuFKuLkWrBpuKLykgDTp8ttiAyczCG2J2
xaeWYopEg0Rj7O/yYChCHJpz5BOr631jOnZc0oLrfZEAM3YjAepF1+DEAyo46kiB
DiFlbMW+hsoRQ+qRB8OPYtrohc1eUHD6FjOWj/pLQeKdnY/9gq4kRDTaqv4nrOMt
gr+79UoyDjjdD0VYRQ6PglfFHFuoToxP+6p3zJO2bkeTjtFQOxnTLHdilLLbsjFY
MXkl+jNhCbk60nwKhNlB
=2AV+
-----END PGP SIGNATURE-----

someone703

full member

Activity: 944

Merit: 101

PredX - AI-Powered Prediction Market

Yup, sig thing won't be much good either like copumpkin mentioned.

Would be a pain, but maybe you should reformat your computer, install an anti-virus on it right away, then sign in and change your password and stuff up.

Topic: 8 BTC loan request (Read 3162 times)