Author

Topic: Client just hacked (Read 78 times)

legendary
Activity: 2632
Merit: 1023
January 13, 2023, 09:01:09 AM
#1
 client was just hacked, it seems that attacker somehow gained access to all his saved google passwords with then allowed the hacker to get access to poloniex (did not have 2FA enabled) and the attacker also manage to get control of or partial control of

- 2 x yahoo accounts
- 2 X gmail accounts
- Facebook account
- and perhaps more
- we fought a battle over the last 24 hours putting 2FA's on anything that moved and changing all passwords to offline local solutions - which is no small task
- we assumed all his computers were compromised so - used off line solutions (air gapping) to institute new funds addresses, just in case

- the possible vectors were
- stats OSX recently installed though brew, or fan control through brew
- Recent Windows machine was purchased for the first time in years seems to have endless vectors.
- Use of a government wifi
-we can track it back to the google passwords because they contained the same passwords as where the attacker struck
- fortunately my client always checks his email regularly and so saw an unusual email in their yahoo account , that then disappeared indicating someone had accessed his polo account.
- They logged into their polo account and sent some funds to a fall back address, the usual small amount to test the fall back address was legit
- at that  point the attacker tried to move all the funds to their address
- My client was able to contact Polo as well as log in and cancer the transaction meaning the attacker had to try again
- the attacker also activated 2FA which froze funds but it was unclear if that freeze applied to existing transactions
- in any event - the funds were frozen and polo was very good in getting everything authenticate

we saw some emails sent to out fall back emails that showed where the attacker was trying.

It turns out they were using it seems a static IP address, with Chrome on a NT!!!? machine

his sign-in attempt was made on:

Device
chrome, windows nt
When
12 January 2023 at 4:19:58 am GMT-08:00
Where*
Australia
49.181.222.50 >>> Microplex PTY LTD, OPTUS

the same was also identified in our conversations with Polo

This IP needs to banned and shut down or the ip forwarding to it. We are pursing with legal authorities at the present, to good results, it seems the owner/attacker has been identified and will face prosecution, which have quite severe consequences in the relevant jurisdiction.

Shout out to polo they really came through. Thier quick action saved the funds.

The reason my client was 2FA adverse was they were worried about losing the 2FA access
Jump to: