Yesterday I got what I thought was an email from localbitcoins.com administrators. It in fact turned out to be a phishing
scam which I didn't realize until after I clicked on the phishing link. The following is the email I received.
I know it's not much but I say it's open season to go after these guys and steal anything back from them that they have.
If you steal like that from someone I say you deserve to have 100X stolen back from you.
Just split anything you get with me. LOL. Yeah, I can dream, right?
FROM:
[email protected] [email protected] via comcast.net
***
I can't see the full email header to get an IP but I wish I could. It looks like they somehow spoofed the email address.
If anyone knows how to get the full email header from GMAIL let me know and I'll add that information.
***
Hi,
This message is to alert you that your account has been temporarily flagged as potentially fraudulent due to information provided in a support ticket opened by another user.
Please confirm that you are the owner of this account by responding at your convenience before we proceed. Thank you.
https://localbitcoins.com/support/reply/787334/*****
This link ACTUALLY takes you here:
http://ammaraandlayla.com/v/login.htm
That website translates to here at an NSLOOKUP:
23.229.162.73
General IP Information
IP: 23.229.162.73
Decimal: 400925257
Hostname: ip-23-229-162-73.ip.secureserver.net
ISP: GoDaddy.com, LLC
Organization: GoDaddy.com, LLC
Services: None detected
Type: Corporate
Assignment: Static IP
Blacklist:
Geolocation Information
Country: United States
State/Region: Arizona
City: Scottsdale
Latitude: 33.6119 (33° 36′ 42.84″ N)
Longitude: -111.8906 (111° 53′ 26.16″ W)
Area Code: 480
Postal Code: 85260
*****
Best regards,
Edgar
LocalBitcoins.com (automated message)
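The trick in the email above is that the visible link text is the genuine support URL while the href points somewhere else. That mismatch can be checked mechanically before anyone clicks. The following is an added example, not code from the original post or from LocalBitcoins: it parses the anchors in an HTML mail body and reports every link whose visible text names one host while its href resolves to another. The HTML body is constructed here to mirror the email quoted above; no real mail is fetched.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the phishing email quoted above: the
# visible link text is the genuine support URL, the href is the phishing host.
SAMPLE_HTML = """
<p>This message is to alert you that your account has been temporarily flagged.</p>
<p>Please confirm that you are the owner of this account by responding at
your convenience: <a href="http://ammaraandlayla.com/v/login.htm">https://localbitcoins.com/support/reply/787334/</a></p>
<p>Help centre: <a href="https://localbitcoins.com/support/">localbitcoins.com/support</a></p>
<p><a href="https://localbitcoins.com/unsubscribe">Unsubscribe</a></p>
"""

# Text that looks like a URL or a bare hostname. Anything else (the word
# "Unsubscribe", "click here") is ordinary link text and is not compared.
URLISH = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/?#:].*)?$", re.I)


def host_of(text):
    """Lowercase host of a URL or bare hostname, or None if text is not URL-like."""
    text = text.strip()
    if not URLISH.match(text):
        return None
    if "://" not in text:
        text = "http://" + text  # give urlparse a scheme so the host lands in netloc
    host = urlparse(text).hostname
    return host.lower() if host else None


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return one dict per anchor whose visible text names a different host
    than its href. Exact host comparison is deliberate: 'support.example.com'
    shown as 'example.com' is also reported, which is the conservative choice."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown_host = host_of(text)
        if shown_host is None:
            continue  # plain words as link text: nothing to compare against
        real_host = host_of(href)
        if shown_host != real_host:
            findings.append({"shown": text, "href": href,
                             "shown_host": shown_host, "real_host": real_host})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print("MISMATCH: text shows %s but link goes to %s" % (f["shown_host"], f["real_host"]))
```

Run against the sample, the check reports exactly the support-ticket link (shown as localbitcoins.com, pointing at ammaraandlayla.com) and passes the other two anchors. Plain-text mail clients that show the raw URL give the reader the same information; HTML clients hide it, which is why the check has to be done on the href, not on what is displayed.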
Immediately after I realized what happened I changed my password and even went as far as resetting the Google Authenticator 2 form factor authentication so it would be on a new authentication string for extra caution.
I then immediately submitted a ticket to Localbitcoins.com alerting them about what I received and to inform them that there could be potential hackers attacking their website.
I figured that all was well and I would be safe. I'd reset my password AND reset the two form factor authentication so they would need my phone to do anything with my account, right? I WAS WRONG!!!
About 2 hours later, I noticed my wallet balance at Localbitcoins was ZERO. Now, I only lost 0.5BTC but this was just a kick in my chest to think that even with the two form factor authentication AND a new password that was 32 characters long and has everything from uppercase, lowercase, numbers, special characters, EVERYTHING, it was still hacked in less than 2 hours.
NOW I was just fuming. I opened another ticket with Localbitcoins.com to tell them what just happened after I told them their site may be compromised.
Here is the transaction if anyone can do anything with it.
06/30/2014 20:54 0.5 Sent to 1D8niJyfQrfiUpgXe36s8M9QFiw2xgCXD4
txid e377545df538d973f23dc93f9392cc2a4109779029ab04176f97fb49d4251ee5
The replies I got back made me even more upset and until now, the staff at Localbitcoins.com has not compensated me for an unauthorized access of my account from ANOTHER COUNTRY. I live in Japan and proved the IP address my PC was using.
Then what shocked me was their staff sent me all the transaction logs and the IP addresses from the attackers so to me it's open season on these guys. I'll be posting in the bitcointalk forums to get the guys who have fun with that stuff to track these guys down if they can.
So, the part that has upset me the most is the COMPLETE lack of security at their website.
I had two form factor security set up and they still managed to log into my account and send off the funds from my wallet.
When they replied to me they said they would not help me and would not compensate me to return the stolen funds.
This is beyond unacceptable to me.
1st, their site security is obviously VERY VERY lax. I reset my password and it was hacked at the site in minutes.
2nd, their security is obviously not very good when they can bypass the two form factor authentication. I mean my phone is in Japan and the attackers were in the USA. Obviously the hackers were able to access the website to pull information they needed to bypass the 2 form factor authentication or to reproduce mine.
3rd, they have no security to protect your account when people log in from a completely different country and they don't stop them. They don't have ANY kind of protection that locks your account when such a login occurs after unsuccessful logins from ANOTHER country. Such a thing should lock your account and require you to authenticate your identity from an email from the site and a call or text to your registered telephone number.
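The lockout rule asked for in point 3 can be expressed as a few lines of logic over the site's own account log. The code below is an added example written for this post, not LocalBitcoins' code: it parses entries in the format the support reply later quotes, takes the account holder's country from the IP that performed the password change, and raises an alert and locks the account when a login or wallet send arrives from another country after failed login attempts. The country table is constructed from what the post states (home PC in Japan, both other addresses in the United States); a real deployment would use a GeoIP database and the account's login history instead of either shortcut.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the account log quoted later in this post, re-ordered
# oldest first, with the user-agent strings abbreviated. The SMS entry is
# left out because it carries no IP address.
SAMPLE_LOG = """\
June 30, 2014, 12:55 p.m. Failed login attempt 207.244.76.170 Chrome/35 (Windows NT 6.3)
June 30, 2014, 12:57 p.m. Failed login attempt 207.244.76.170 Chrome/35 (Windows NT 6.3)
June 30, 2014, 12:59 p.m. Password change request 118.15.15.241
June 30, 2014, 1 p.m. Password change request 118.15.15.241
June 30, 2014, 1 p.m. Two-factor disabled 118.15.15.241
June 30, 2014, 1 p.m. Logged in 207.244.76.170 Chrome/35 (Windows NT 6.3)
June 30, 2014, 1:01 p.m. Two-factor enabled 118.15.15.241 mobile
June 30, 2014, 1:03 p.m. Two-factor Phase 1 login 118.15.15.241 Firefox/30 (Windows NT 6.1)
June 30, 2014, 1:03 p.m. Two-factor Phase 2 login 118.15.15.241 Firefox/30 (Windows NT 6.1)
June 30, 2014, 1:03 p.m. Two-factor Phase 1 login 207.244.76.170 Chrome/35 (Windows NT 6.3)
June 30, 2014, 1:05 p.m. Two-factor Phase 1 login 207.244.76.170 Chrome/35 (Windows NT 6.3)
June 30, 2014, 2:22 p.m. Two-factor Phase 1 login 46.21.154.83 Chrome/35 (Windows NT 6.3)
June 30, 2014, 2:37 p.m. Two-factor Phase 1 login 46.21.154.83 Chrome/35 (Windows NT 6.3)
June 30, 2014, 2:45 p.m. Two-factor Phase 2 login 46.21.154.83 Chrome/35 (Windows NT 6.3)
June 30, 2014, 2:54 p.m. Send from wallet 46.21.154.83 Chrome/35 (Windows NT 6.3)
"""

# Constructed geolocation table standing in for a GeoIP lookup. Countries
# follow what the post states: home PC in Japan, both other addresses in the US.
GEO = {"118.15.15.241": "JP", "207.244.76.170": "US", "46.21.154.83": "US"}

EVENTS = ("Failed login attempt", "Password change request", "Two-factor disabled",
          "Two-factor enabled", "Two-factor Phase 1 login", "Two-factor Phase 2 login",
          "Logged in", "Send from wallet")
LINE_RE = re.compile(r"^(?P<ts>.+?[ap]\.m\.) (?P<kind>" + "|".join(re.escape(e) for e in EVENTS)
                     + r") (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: (?P<ua>.*))?$")

# Events that hand the caller control of the account or move funds.
SENSITIVE = {"Logged in", "Two-factor Phase 2 login", "Send from wallet"}


@dataclass
class Event:
    when: datetime
    kind: str
    ip: str
    ua: str


def parse_ts(text):
    """Parse the log's '12:55 p.m.' / '1 p.m.' style timestamps."""
    text = text.replace("a.m.", "AM").replace("p.m.", "PM")
    date_part, clock = text.rsplit(", ", 1)      # 'June 30, 2014', '1 PM'
    hhmm, meridian = clock.split(" ")
    if ":" not in hhmm:
        hhmm += ":00"
    return datetime.strptime(f"{date_part}, {hhmm} {meridian}", "%B %d, %Y, %I:%M %p")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(parse_ts(m["ts"]), m["kind"], m["ip"], m["ua"] or ""))
    events.sort(key=lambda e: e.when)  # stable sort: same-minute entries keep file order
    return events


def evaluate(events, geo, home=None):
    """Apply the rule from point 3. The account holder's country ('home') is
    taken from the most recent password change unless given. A sensitive
    action from another country raises an alert (noting any failed logins
    from that country) and the first one locks the account pending
    out-of-band verification: email plus a call or text to the registered
    number. Returns (alerts, locked_at)."""
    failed = {}            # country -> failed logins seen so far
    alerts = []
    locked_at = None
    for e in events:
        country = geo.get(e.ip, "??")
        if e.kind == "Password change request":
            home = country
        elif e.kind == "Failed login attempt":
            failed[country] = failed.get(country, 0) + 1
        elif e.kind in SENSITIVE and home is not None and country != home:
            reason = f"{e.kind} from {e.ip} ({country}) while home country is {home}"
            if failed.get(country):
                reason += f", after {failed[country]} failed logins from {country}"
            alerts.append((e.when, reason))
            if locked_at is None:
                locked_at = e.when   # from here on the account is locked
    return alerts, locked_at


def withdrawals_blocked(events, geo, home=None):
    """Wallet sends that would have been refused because they came at or after the lock."""
    _, locked_at = evaluate(events, geo, home)
    if locked_at is None:
        return []
    return [e for e in events if e.kind == "Send from wallet" and e.when >= locked_at]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    alerts, locked_at = evaluate(evs, GEO)
    for when, reason in alerts:
        print(when.strftime("%H:%M"), "ALERT:", reason)
    print("account locked at", locked_at.strftime("%H:%M") if locked_at else "never")
    print("wallet sends that would have been blocked:", len(withdrawals_blocked(evs, GEO)))
```

On the sample log the first alert fires at 1 p.m., on the "Logged in" from 207.244.76.170 one minute after the owner's password change and after two failed attempts from the same address; with the lock in place at that point, the 2:54 p.m. wallet send would have been refused. Binding "home" to the password-change IP is a simplification that only holds while the owner, not the attacker, is the one changing the password; a production rule would compare against the countries seen in the account's earlier successful logins.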
The whole thing stinks to me and I wonder how many other people have been hacked.
I'm including the unauthorized access to my account as well just as an FYI for you if you can do anything with it.
Also on a final note, I just noticed that after my complaints to the site yesterday, they now require a human verification captcha login requirement AFTER they got hacked and my BTC was stolen. I think it's all too little too late and they are a prime target for hackers and are doing nothing to protect their customers, and will do nothing after their customers are robbed:
Here are replies I got from the site:
I've added notes to what IP was me and what was the one who hacked the site.
Please tell us what IP is the one from the attacker since there are many different ones and we only can recognize the one who withdrew your funds:
Really admin idiots? You can't tell WHO withdrew the funds?
Obviously the one that says SEND FROM WALLET and the one who was NOT me changing my password like I told you I would do to prove what PC and IP I was using at home. FKNG idiots!!!
XXXXXXX (0) June 30, 2014, 2:54 p.m. Send from wallet 46.21.154.83 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 2:45 p.m. Two-factor Phase 2 login 46.21.154.83 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 2:37 p.m. Two-factor Phase 1 login 46.21.154.83 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 2:22 p.m. Two-factor Phase 1 login 46.21.154.83 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 1:05 p.m. Two-factor Phase 1 login 207.244.76.170 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 1:03 p.m. Two-factor Phase 1 login 207.244.76.170 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 1:03 p.m. SMS sent Content: Localbitcoins.com verification token: XXX
THIS WAS ME AT HOME VERIFYING MY TELEPHONE NUMBER.
XXXXXXX (0) June 30, 2014, 1:03 p.m. Two-factor Phase 2 login 118.15.15.241 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
THIS WAS ME AT HOME
XXXXXXX (0) June 30, 2014, 1:03 p.m. Two-factor Phase 1 login 118.15.15.241 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
THIS WAS ME AT HOME
XXXXXXX (0) June 30, 2014, 1:01 p.m. Two-factor enabled 118.15.15.241 mobile
THIS WAS ME AT HOME RESETTING MY 2 form factor authentication to setup the Google Authenticator on a new authentication string.
XXXXXXX (0) June 30, 2014, 1 p.m. Logged in 207.244.76.170 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 1 p.m. Two-factor disabled 118.15.15.241
THIS WAS ME AT HOME RESETTING MY 2 form factor authentication to setup the Google Authenticator on a new authentication string.
XXXXXXX (0) June 30, 2014, 1 p.m. Password change request 118.15.15.241
THIS WAS ME AT HOME RESETTING MY PASSWORD AFTER RECEIVING THE EMAIL I REPORTED
XXXXXXX (0) June 30, 2014, 12:59 p.m. Password change request 118.15.15.241
THIS WAS ME AT HOME RESETTING MY PASSWORD AFTER RECEIVING THE EMAIL I REPORTED
XXXXXXX (0) June 30, 2014, 12:57 p.m. Failed login attempt 207.244.76.170 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
XXXXXXX (0) June 30, 2014, 12:55 p.m. Failed login attempt 207.244.76.170 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
THIS WAS THE HACKER
--- Best regards, Edgar
General IP Information
IP: 46.21.154.83
Decimal: 773167699
Hostname: 83.154.21.46.in-addr.arpa
ISP: Swiftway Sp. z o.o.
Organization: Dedicated-servers
Services: None detected
Type: Corporate
Assignment: Dynamic IP
Blacklist:
Geolocation Information
Country: United States
Latitude: 38 (38° 0′ 0.00″ N)
Longitude: -97 (97° 0′ 0.00″ W)
ALSO in the USA!!!
HOW CAN THEY HAVE MY PHONE???
They didn't seem to care or believe me.
General IP Information
IP: 207.244.76.170
Decimal: 3488894122
Hostname: hosted-by.leaseweb.com
ISP: Leaseweb USA
Organization: Leaseweb USA
Services: None detected
Type: Corporate
Assignment: Static IP
Blacklist:
Geolocation Information
Country: United States
State/Region: California
Latitude: 34.0522 (34° 3′ 7.92″ N)
Longitude: -118.2437 (118° 14′ 37.32″ W)
Their final response to me was the following, that they would not be helping me and would not refund my STOLEN BTC.
By Support.Localbitcoins
June 30, 2014, 10:14 p.m. - 12 hours ago
Hi,
We cannot reimburse your loss, since we are not responsible for where you click or the security breach you have in your device.
If the attacker got your authentication code by the phishing email I would suggest you to create a new account.
---
Best regards,
Edgar
In response to:
It is impossible they got the NEW 2FA code because I JUST CHANGED it mins after I got the email.
AFTER I got the email, and yes I did click on the link I got, I saw that the address was not localbitcoins.com and immediately sent you the first case where I reported getting the email.
THEN, I changed my password seconds after I clicked on the link and realized it was a phishing site, AND I reset the 2 form factor authentication so it was on a new authentication string. How could they have that?
EVEN doing that, they still hacked your website and my account.
HOW IS THAT POSSIBLE.
THIS IS UNACCEPTABLE.
Here is what I want.
I want my 0.5BTC returned to me at this address:
1JxiQk4V1jgDSbWNMi2rgQL76hNbX1vFQC
I don't want to use this website again when it can be hacked so easily.
I TOLD YOU that I got something fishy, expected something, went as far as changing my password AFTER I clicked on that link, and resetting my 2 form authentication, and they STILL hacked your website. THAT IS UNACCEPTABLE.
If my 0.5BTC is not returned to me I will be reporting your website to the authorities in my home city as FRAUDULENT.
This is unacceptable to me!!!