FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users - page 6.

codergeek

jr. member

Activity: 130

Merit: 3

Quote from: mindrust on May 04, 2024, 05:26:14 AM

...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has an access to the client side, it can do whatever it wants. (From your side)

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address instead inserting the attackers address.

Drazen2003

jr. member

Activity: 57

Merit: 1

Quote from: mindrust on May 04, 2024, 04:33:55 AM

Quote from: codergeek on May 04, 2024, 03:46:14 AM

I didn't do anything. I certainly wasn't tricked into doing anything
I received an email notification that I had won a place in the wagering contest. I was expecting this email. I didn't click any links.
I opened chrome and clicked my freebitcoin bookmark to check if the prize money was in my account. It was. I was staring right at the balance. It disappeared. Went to zero. Then the referral coins started trickling in again.
Then I got an email notification about a pending withdrawal.
I hadn't done anything except open freebitcoin in chrome to check my balance.
After an hour the withdrawal was reversed and the coins returned to my account.
That's when I made the mistake of enabling 2FA

I think you got a fake email because the attacker already knew that you were going to be one of the winners of that contest. Who is the sender? Did it come from freebitco.in?

As the other victims pointed out, there seems to be a malicious script that’s targeting certain people. However this script loads on your browser. (Client-side) That means it has the ability to show you anything. Who knows what’s in that script… It can probably show a fake deposit address too.

That’s where you were getting tricked.

Just because you saw 0 balance didn’t mean you actually had 0 because your balance’s record kept at the back-end (server-side) of the application.

So till freebitco.in finds a fix, nobody should do anything stupid like sending coins to another wallet or deposit to a fake address. Better stay away for a while.

Some people managed to withdraw their coins successfully, maybe try that

In my case, stolen twice in the last month (one depositing from kraken to a "new" Diposit Address that appeared in the Freebitco.in Deposit window and another one making a widthdrawal introducing the address manually but when clicking the widthdraw button all changed (I have an screenshot just before clicking and the sent movement in the Stats - Profile page naming another address different to the one I wrote).

More than 48 hours later, my Deposit address continue being false and i have the cashtravel script in the developer tools. I have tested in 2 different PCs, 3 different navigators and 1 mobile phone. In all of them the Deposit address is not the mine one.

Then, i cannot recover my address, I cannot use the page. Freebitco.in have some emails but...

mindrust

legendary

Activity: 3276

Merit: 2442

I’d like to look when I am home but I am scared to touch that shit too as I also have an acc there.

I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has an access to the client side, it can do whatever it wants. (From your side)

codergeek

jr. member

Activity: 130

Merit: 3

Quote from: mindrust on May 04, 2024, 05:13:02 AM

That email looks legit. It is probably not a part of the attacker’s plan. Still though, like I said what you see on your browser isn’t the truth probably as the victims are loading a malicious script. As long as the backend of the app is safe, you shouldn’t worry. Hopefully it is safe Grin

Yes, understood. Thankyou.

I'd like to know more about this malicious script. Do you know if anyone has posted the script source code to Pastebin or simular.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: uneng on May 03, 2024, 11:57:35 AM

Quote from: Lucius on May 03, 2024, 04:37:30 AM

I advise everyone to refrain from making deposits until further notice, and to be extra careful when making withdrawals - I personally have a nice sum there, but I don't know if it's worse to do nothing for now or to still try to make a withdrawal Undecided

Just cashed out all my satoshis from the platform yesterday after reading all these news. Withdrawal went fine and arrived on my wallet without delays, as usual.
~snip~

Thanks for the info, because it means that the entire system is not compromised, but someone obviously has access to a part of the system that they are manipulating for malicious purposes. Given that in some posts it was possible to read that freebitco occasionally has help from the side, it is possible that one of the external collaborators decided to use their access to the system and the apparent current lack of control and supervision from the owner.

mindrust

legendary

Activity: 3276

Merit: 2442

That email looks legit. It is probably not a part of the attacker’s plan. Still though, like I said what you see on your browser isn’t the truth probably as the victims are loading a malicious script. As long as the backend of the app is safe, you shouldn’t worry. Hopefully it is safe Grin

codergeek

jr. member

Activity: 130

Merit: 3

Quote from: NABiT on May 03, 2024, 04:47:00 AM

Quote from: Lucius on May 03, 2024, 04:37:30 AM

I don't know if it's worse to do nothing for now or to still try to make a withdrawal Undecided

Similar quandary...

Yeah same. Sooner or later my balance will hit the minimum withdrawal threshold. Will the hackers attempt to strike again!?

I did nothing. Yet the hackers were still able to initiate a withdrawal of my entire balance, and overwrite my profile address.

The only thing that saved me was the payment request confirmation email.

Then I enabled 2FA and it was all gone.

In hindsight, if I hadn't enabled 2FA I'd still have my coins.

It was only $50. Fortunately I'd withdrawn April earnings before the wagering contest winners were announced.

It seems there's no way to defend against this attack other than to disable 2FA. Even so, that's no guarantee that deposits or withdrawals will be sent to an address you specify.

At least with 2FA disabled you'll get a payment request confirmation email and you can decide whether to approve the payment or not.

mindrust

legendary

Activity: 3276

Merit: 2442

Quote from: codergeek on May 04, 2024, 03:46:14 AM

I didn't do anything. I certainly wasn't tricked into doing anything
I received an email notification that I had won a place in the wagering contest. I was expecting this email. I didn't click any links.
I opened chrome and clicked my freebitcoin bookmark to check if the prize money was in my account. It was. I was staring right at the balance. It disappeared. Went to zero. Then the referral coins started trickling in again.
Then I got an email notification about a pending withdrawal.
I hadn't done anything except open freebitcoin in chrome to check my balance.
After an hour the withdrawal was reversed and the coins returned to my account.
That's when I made the mistake of enabling 2FA

I think you got a fake email because the attacker already knew that you were going to be one of the winners of that contest. Who is the sender? Did it come from freebitco.in?

As the other victims pointed out, there seems to be a malicious script that’s targeting certain people. However this script loads on your browser. (Client-side) That means it has the ability to show you anything. Who knows what’s in that script… It can probably show a fake deposit address too.

That’s where you were getting tricked.

Just because you saw 0 balance didn’t mean you actually had 0 because your balance’s record kept at the back-end (server-side) of the application.

So till freebitco.in finds a fix, nobody should do anything stupid like sending coins to another wallet or deposit to a fake address. Better stay away for a while.

Some people managed to withdraw their coins successfully, maybe try that

BayAreaCoins

legendary

Activity: 4004

Merit: 1250

Owner at AltQuick.com

Quote from: codergeek on May 04, 2024, 04:11:20 AM

Quote from: BayAreaCoins on May 04, 2024, 03:55:05 AM

Quote from: codergeek on May 04, 2024, 03:46:14 AM

That's when I made the mistake of enabling 2FA

Even with 2fa, my default profile address never changed...

Same here, my profile address never changed.

I didn't even attempt a withdrawal.

The hackers triggered the withdrawal seconds after the prize money was credited to my account, and somehow they managed to bypass my profile address.

Ouch, gotcha... Takes the sting out of me at least trying to get process a little less stingy... *sigh*

They must have been able to solve our 2fa "upgrade" for us... how kind.

codergeek

jr. member

Activity: 130

Merit: 3

Quote from: BayAreaCoins on May 04, 2024, 03:55:05 AM

Quote from: codergeek on May 04, 2024, 03:46:14 AM

That's when I made the mistake of enabling 2FA

Even with 2fa, my default profile address never changed...

Same here, my profile address never changed.

I didn't even attempt a withdrawal.

The hackers triggered the withdrawal seconds after the prize money was credited to my account, and somehow they managed to bypass my profile address.

BayAreaCoins

legendary

Activity: 4004

Merit: 1250

Owner at AltQuick.com

Quote from: codergeek on May 04, 2024, 03:46:14 AM

That's when I made the mistake of enabling 2FA

Even with 2fa, my default profile address never changed (pictured), and that's the withdraw I used.

2fa should protect... unless it's displaying a fake address, because I tripled checked that dude. (no emails notifying of account changes either)

I don't think it's by chance that the contest winners got hit. It was a big way to leak that amount at once for someone that is in the system, but doesn't have the private keys + requires action from the user. *shrugs*

I'm looking forward to an official answer or update...

codergeek

jr. member

Activity: 130

Merit: 3

I didn't do anything. I certainly wasn't tricked into doing anything

I received an email notification that I had won a place in the wagering contest. I was expecting this email. I didn't click any links.

I opened chrome and clicked my freebitcoin bookmark to check if the prize money was in my account. It was. I was staring right at the balance. It disappeared. Went to zero. Then the referral coins started trickling in again.

Then I got an email notification about a pending withdrawal.

I hadn't done anything except open freebitcoin in chrome to check my balance.

After an hour the withdrawal was reversed and the coins returned to my account.

That's when I made the mistake of enabling 2FA

mindrust

legendary

Activity: 3276

Merit: 2442

It seems to me the freebitco.in's backend works as it should but somebody found a way to inject a script on the front-end of the app and it manipulates the DOM and tricks you into doing the shit you shouldn't be doing.

Like: "You are hacked, send x amount of btc to this adress to get unhacked"

In reality, you weren't hacked at all. It is just what this script kiddie wants you to believe. Regardless of that, it should be handled asap.

uneng

hero member

Activity: 2044

Merit: 784

Leading Crypto Sports Betting & Casino Platform

Quote from: Lucius on May 03, 2024, 04:37:30 AM

I advise everyone to refrain from making deposits until further notice, and to be extra careful when making withdrawals - I personally have a nice sum there, but I don't know if it's worse to do nothing for now or to still try to make a withdrawal Undecided

Just cashed out all my satoshis from the platform yesterday after reading all these news. Withdrawal went fine and arrived on my wallet without delays, as usual.

It really seems only a few number of accounts are compromised, although we can't give ourselves the luxury of playing with luck there, because if there are any flaws on the system, and support team isn't concerned about it, nothing prevent us from being the next victims.

Personally, I prefer to retreat while I can.

It's really sad to see this new bombard of complaints against freebitco.in right after the novel it took for them to solve an issue with another user which didn't have his deposit credited for 6 months of waiting.

We can't trust so much a service which completely lost touch with its community.

Drazen2003

jr. member

Activity: 57

Merit: 1

Quote from: Lucius on May 03, 2024, 04:37:30 AM

It's a real shame that things like this happen with this service, and it seems to me that the owner can't (or doesn't want to) maintain his project the way he used to. When we add to that that the official representative on the forum no longer communicates with anyone (at least not publicly), then it is quite clear that things have gone downhill.

I advise everyone to refrain from making deposits until further notice, and to be extra careful when making withdrawals - I personally have a nice sum there, but I don't know if it's worse to do nothing for now or to still try to make a withdrawal Undecided

My advices if you decide to withdraw:

Verify your deposit address is the correct one clicking on the Deposit button in the home page.
Important: Even if it puts your correct address in the withdrawal window or you think that entering it by hand will work... don't do it. First check the previous point!!!
Go to developer tools in your internet navigator and in the source tab, take a look to the code in the path: Top > freebitco.in > ?op=home
Search in the right code "cash" or "cashtravel". If you find it, don't do anything because your account is compromised.
Pray because it seems nobody in Freebitco.in wants to investigate this TERRIBLE security issue.

Wapfika

hero member

Activity: 1288

Merit: 564

Bitcoin makes the world go 🔃

Quote from: Lucius on May 03, 2024, 04:37:30 AM

It's a real shame that things like this happen with this service, and it seems to me that the owner can't (or doesn't want to) maintain his project the way he used to. When we add to that that the official representative on the forum no longer communicates with anyone (at least not publicly), then it is quite clear that things have gone downhill.

Freebitco.in support is known for being slow to response here in the forum even when their website still running smoothly without this multiple issue occur. This slow support already backfire now when multiple users already have a same complaints which is related to security breach.

This issue was already pointed out to them multiple times yet they keep ignoring since they view most of the complaints here as hoax. Now that the real issue arises, no one from support or representative is available to answer the concern which is sucks since this is regarding a security breach.

They might suffer huge loss just because they have a very poor customer support.

NABiT

sr. member

Activity: 354

Merit: 259

Quote from: Lucius on May 03, 2024, 04:37:30 AM

I don't know if it's worse to do nothing for now or to still try to make a withdrawal Undecided

Similar quandary...

ixi1234

copper member

Activity: 67

Merit: 2

Quote from: Drazen2003 on May 03, 2024, 04:00:55 AM

Quote from: UserU on May 03, 2024, 03:37:53 AM

Quote from: ixi1234 on May 03, 2024, 12:44:43 AM

I see that several people have already been victims of a hacker attack on the fbc website. Is it really possible that we will be reimbursed for our losses?

By right, the victims should be compensated as long as the breach is verified on their end.

I hope so...

... but by the moment i have been stolen twice, my account is in danger because after more than 26 hours i see the wrong deposit address clicking the "Deposit" button and the cashtravel script then i cannot play, widthdraw or deposit (they has left my account to 0) and after some emails and facebook claim i haven't received any answer.

By right? Please, tell me how to ask for the compensation because i have screenshots and in fact, if you go to the Stats in my account it is so clear that the information does not fit with the real addresses i have got.

I have a similar situation. I cannot make an additional deposit because the deposit address was replaced with a false one and I cannot withdraw funds, since upon final confirmation of the withdrawal the address is automatically replaced with the address of the attackers and the funds go to them

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

It's a real shame that things like this happen with this service, and it seems to me that the owner can't (or doesn't want to) maintain his project the way he used to. When we add to that that the official representative on the forum no longer communicates with anyone (at least not publicly), then it is quite clear that things have gone downhill.

I advise everyone to refrain from making deposits until further notice, and to be extra careful when making withdrawals - I personally have a nice sum there, but I don't know if it's worse to do nothing for now or to still try to make a withdrawal Undecided

Drazen2003

jr. member

Activity: 57

Merit: 1

Quote from: UserU on May 03, 2024, 03:37:53 AM

Quote from: ixi1234 on May 03, 2024, 12:44:43 AM

I see that several people have already been victims of a hacker attack on the fbc website. Is it really possible that we will be reimbursed for our losses?

By right, the victims should be compensated as long as the breach is verified on their end.

I hope so...

... but by the moment i have been stolen twice, my account is in danger because after more than 26 hours i see the wrong deposit address clicking the "Deposit" button and the cashtravel script then i cannot play, widthdraw or deposit (they has left my account to 0) and after some emails and facebook claim i haven't received any answer.

By right? Please, tell me how to ask for the compensation because i have screenshots and in fact, if you go to the Stats in my account it is so clear that the information does not fit with the real addresses i have got.

Topic: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users - page 6. (Read 2849 times)