Pages:
Author

Topic: Hacked (Read 2537 times)

hero member
Activity: 770
Merit: 500
August 02, 2013, 05:28:55 PM
#35
Many reports on hacked macs today. I doubt your mail was compromised.
cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
August 02, 2013, 05:04:14 PM
#34
I've never actually found one, I should go searching one of these days.
member
Activity: 97
Merit: 10
August 02, 2013, 05:02:36 PM
#33
It looks like it's AES encrypted -- I bet your password was already in a table somewhere.

Yes it's AES encrypted.  If you could PM me a table location, I can do a lookup.
cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
August 02, 2013, 05:01:42 PM
#32
It looks like it's AES encrypted -- I bet your password was already in a table somewhere.
legendary
Activity: 1302
Merit: 1007
August 02, 2013, 04:08:43 PM
#31
A lot of phishing has been going on recently, perhaps you were a victim?
sr. member
Activity: 306
Merit: 250
Donations: http://tny.im/nx
August 02, 2013, 04:04:57 PM
#30
Some search results for Troj/JSRedir-BV:
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSRedir-BV/detailed-analysis.aspx
http://www.pc1news.com/news/1512/ebay-spam.html

Looks like something that appeared back in 2010.
My guess is that you accessed some page with malicious javascript embedded, and somehow the thing managed to stay in memory until your next login to blockchain.info, where attackers could get the password and the encrypted wallet. Or it may have been a trick using iframes, not so sure if that's possible and how it works.
Malware that replaces the JS files executed by the browser when on the blockchain.info wallet could also do it (since the thing runs on lots of JS), but from what I remember blockchain.info implements file signature checking to prevent tampering (or am I confusing with a browser extension that actually does that?).
Or you simply got tricked into logging in to a blockchain.info site that wasn't actually the true one... but that wouldn't get them the encrypted wallet, and your username and password alone wouldn't be enough because of the two factor auth thing.
member
Activity: 97
Merit: 10
August 02, 2013, 04:00:17 PM
#29
How does the wallet backup work?  Is it encrypted with that 8 letter 2 number password?  What hash does it use?  Post the hash of your password and I bet someone finds it in a lookup table.

PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.

PM'd
cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
August 02, 2013, 03:54:37 PM
#28
How does the wallet backup work?  Is it encrypted with that 8 letter 2 number password?  What hash does it use?  Post the hash of your password and I bet someone finds it in a lookup table.

PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.
full member
Activity: 140
Merit: 100
August 02, 2013, 03:52:44 PM
#27
How good was your wallet password?  Could you post a similar dummy password here?  Thanks.

8 letters and 2 numbers

Unlike access to a computer system or a website where the administrators can simply not accept logins more more than once every two seconds and slow down brute force hacks, if someone has your wallet, they can sit there all day running automated scripts against it.

Someone using a desktop PC could get an 8 letter, 2 number password in a few days. Someone with more substantial processing power? A couple hours. The NSA? Probably less than a second.

My life became much easier when I abandoned memorizing passwords and started using a password manager. I no longer have passwords shorter than 17 characters, and most of them are between 23 and 60 characters long. All with mixed case, variable quantities of numerals and punctuation, and wherever the systems allow it I include characters from multiple languages in the high unicode registers.

&}vbrشJh7ç1SφH@NmMfIu/^Cyf4""Auzpה=)XЯQ7v«6AZ0zhɣ

…isn't a half bad password, except that now it's been posted to a public forum.

Edit to add: https://howsecureismypassword.net/ is a fun place to test out combinations. Best not to put actual passwords in there, of course. According to that site, the above password would take a desktop PC 74 untrigintillion years to crack. Frankly, I'd have to look up what an untrigintillion is but I think it involves a whole mess of zeroes.
member
Activity: 97
Merit: 10
August 02, 2013, 03:27:34 PM
#26
How good was your wallet password?  Could you post a similar dummy password here?  Thanks.

8 letters and 2 numbers
newbie
Activity: 20
Merit: 0
August 02, 2013, 02:48:45 PM
#25
How good was your wallet password?  Could you post a similar dummy password here?  Thanks.
member
Activity: 97
Merit: 10
August 02, 2013, 11:42:43 AM
#24
Thanks for everyone's input on this.

The prevailing theory seems to be that the wallet backup file sent to gmail was compromised.

The only other fact is that I did have an unauthorized login attempt on my blockchain account a few weeks back.
full member
Activity: 140
Merit: 100
August 02, 2013, 01:44:41 AM
#23
One trojan isn't pretty clean.

Depends. Whenever I do a virus scan I end up with dozens of OMFG messages. They are all Windows viruses and trojans from the 1990s, sitting in some piece of spam in my email archives that I didn't bother deleting 15 years ago. I consider that clean. *shrug*
cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
August 02, 2013, 01:24:12 AM
#22
One trojan isn't pretty clean.
member
Activity: 97
Merit: 10
August 02, 2013, 12:26:44 AM
#21
E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.

This.  So much this.

So many people don't realize that nearly every email they send bounces around the internet completely unencrypted in plaintext for hackers to read.

If your password protecting your blockchain.info wallet was weak, then a hacker could capture it as it travels from blockchain.info to Google, and then check it against a rainbow table.  The 2 factor is only for logging into the website to receive the encrypted wallet.  Once they've got the wallet, they don't need the 2FA at all.

My best guess would be a password that exists in a rainbow table, but I suppose there are other possibilities.

Virus scans came up pretty clean ... one trojan Troj/JSRedir-BV

However, I did look back in my email history.  My last wallet backup was May 28th.

Also, I did get a few "Authorize log-in attempt" warnings emailed to me on July 15th and July 4th.

"An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:

Time: 2013-07-15 07:55:45
IP Address: 87.118.91.140 (Germany)
User Agent: Mozilla/5.0 "

The location does appear to match the location on the transaction in blockchain.info:
https://blockchain.info/tx/1174e27cd6de043ec081a68b52f455ba1548f35949c2ba2ddd3abc60f5a29840

I ignored the warning at the time, since I had 2FA on.

The stolen coins have now been moved.
https://blockchain.info/address/15B9RyqJGrJcqKmyMr8QUEocif9ATYuXBP
legendary
Activity: 3514
Merit: 4895
August 01, 2013, 11:25:47 PM
#20
E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.

This.  So much this.

So many people don't realize that nearly every email they send bounces around the internet completely unencrypted in plaintext for hackers to read.

If your password protecting your blockchain.info wallet was weak, then a hacker could capture it as it travels from blockchain.info to Google, and then check it against a rainbow table.  The 2 factor is only for logging into the website to receive the encrypted wallet.  Once they've got the wallet, they don't need the 2FA at all.

My best guess would be a password that exists in a rainbow table, but I suppose there are other possibilities.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 01, 2013, 09:55:53 PM
#19
I'm not seeing any unusual login activity to my gmail account so assuming that wasn't the case, I'm still a bit baffled how they could have gotten around the 2FA.

E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.

I am super paranoid about theft.  The only bitcoins I ever keep online are ones I plan to lose.

I use BlockChain.info myself sometimes, but the only thing I will do is import paper wallets, spend whatever I'm going to spend, and send the change to a fresh paper wallet, so my BlockChain balance is zero.  Their webcam QR code scanner makes paper wallets easy.  And this is only for small ad-hoc transactions.

If it's for any decent amount worth stealing, I will construct the transaction completely offline, get the raw hex for it, and then use a USB flash drive to introduce it to the network later (such as through Blockchain's handy https://blockchain.info/pushtx).  No sense in taking any chances.
legendary
Activity: 1274
Merit: 1004
August 01, 2013, 07:44:29 PM
#18
Well grab a av that's available for mac and scan your pc, rats are available for mac too and blockchain.info stores a copy of wallet in your browser's storage .
member
Activity: 97
Merit: 10
August 01, 2013, 07:37:23 PM
#17
Did blockchain.info generate this key or was this a brain wallet?

It was generated by blockchain.info
member
Activity: 97
Merit: 10
August 01, 2013, 07:36:53 PM
#16
its easy as shit to do, but he would have to know your blockchain.info account password, which he probably did if he was ablle to get into your account already.

just yesterday, i used an old wallet.aes.json backup to retrieve coins from my stolen laptop.

a little backstory: i made my first bitcoin wallet on blockchain.info, then exported the addresses to the bitcoin client on the laptop. the computer was stolen from my home last week. yesterday i found an old wallet back up and imported it into a new wallet at blockchain.info. it prompted me for the password to unencrypt the wallet, then for the secondary wallet password, then it asked me to prove i was human by solving a captcha, then bam i was at the login screeen ,where i logged into my new wallet and easily recovered the .4 btc that was in my bitcoin wallet on my laptop.

i'm sure the hacker did the exact same steps to steal your money.

I'm not seeing any unusual login activity to my gmail account so assuming that wasn't the case, I'm still a bit baffled how they could have gotten around the 2FA.

I'm pretty sure I was logged out.  But let's say I was still logged in to the browser.  What are the potential points of attack there?
Pages:
Jump to: