Topic: Hacked (Read 2485 times)
I've never actually found one, I should go searching one of these days.
It looks like it's AES encrypted -- I bet your password was already in a table somewhere.
Yes it's AES encrypted. If you could PM me a table location, I can do a lookup.
It looks like it's AES encrypted -- I bet your password was already in a table somewhere.
A lot of phishing has been going on recently, perhaps you were a victim?
Some search results for Troj/JSRedir-BV:
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSRedir-BV/detailed-analysis.aspx
http://www.pc1news.com/news/1512/ebay-spam.html
Looks like something that appeared back in 2010.
My guess is that you accessed some page with malicious javascript embedded, and somehow the thing managed to stay in memory until your next login to blockchain.info, where attackers could get the password and the encrypted wallet. Or it may have been a trick using iframes, not so sure if that's possible and how it works.
Malware that replaces the JS files executed by the browser when on the blockchain.info wallet could also do it (since the thing runs on lots of JS), but from what I remember blockchain.info implements file signature checking to prevent tampering (or am I confusing with a browser extension that actually does that?).
Or you simply got tricked into logging in to a blockchain.info site that wasn't actually the true one... but that wouldn't get them the encrypted wallet, and your username and password alone wouldn't be enough because of the two factor auth thing.
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSRedir-BV/detailed-analysis.aspx
http://www.pc1news.com/news/1512/ebay-spam.html
Looks like something that appeared back in 2010.
My guess is that you accessed some page with malicious javascript embedded, and somehow the thing managed to stay in memory until your next login to blockchain.info, where attackers could get the password and the encrypted wallet. Or it may have been a trick using iframes, not so sure if that's possible and how it works.
Malware that replaces the JS files executed by the browser when on the blockchain.info wallet could also do it (since the thing runs on lots of JS), but from what I remember blockchain.info implements file signature checking to prevent tampering (or am I confusing with a browser extension that actually does that?).
Or you simply got tricked into logging in to a blockchain.info site that wasn't actually the true one... but that wouldn't get them the encrypted wallet, and your username and password alone wouldn't be enough because of the two factor auth thing.
How does the wallet backup work? Is it encrypted with that 8 letter 2 number password? What hash does it use? Post the hash of your password and I bet someone finds it in a lookup table.
PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.
PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.
PM'd
How does the wallet backup work? Is it encrypted with that 8 letter 2 number password? What hash does it use? Post the hash of your password and I bet someone finds it in a lookup table.
PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.
PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.
How good was your wallet password? Could you post a similar dummy password here? Thanks.
8 letters and 2 numbers
Unlike access to a computer system or a website where the administrators can simply not accept logins more more than once every two seconds and slow down brute force hacks, if someone has your wallet, they can sit there all day running automated scripts against it.
Someone using a desktop PC could get an 8 letter, 2 number password in a few days. Someone with more substantial processing power? A couple hours. The NSA? Probably less than a second.
My life became much easier when I abandoned memorizing passwords and started using a password manager. I no longer have passwords shorter than 17 characters, and most of them are between 23 and 60 characters long. All with mixed case, variable quantities of numerals and punctuation, and wherever the systems allow it I include characters from multiple languages in the high unicode registers.
&}vbrشJh7ç1SφH@NmMfIu/^Cyf4""Auzpה=)XЯQ7v«6AZ0zhɣ
…isn't a half bad password, except that now it's been posted to a public forum.
Edit to add: https://howsecureismypassword.net/ is a fun place to test out combinations. Best not to put actual passwords in there, of course. According to that site, the above password would take a desktop PC 74 untrigintillion years to crack. Frankly, I'd have to look up what an untrigintillion is but I think it involves a whole mess of zeroes.
How good was your wallet password? Could you post a similar dummy password here? Thanks.
8 letters and 2 numbers
How good was your wallet password? Could you post a similar dummy password here? Thanks.
Thanks for everyone's input on this.
The prevailing theory seems to be that the wallet backup file sent to gmail was compromised.
The only other fact is that I did have an unauthorized login attempt on my blockchain account a few weeks back.
The prevailing theory seems to be that the wallet backup file sent to gmail was compromised.
The only other fact is that I did have an unauthorized login attempt on my blockchain account a few weeks back.
One trojan isn't pretty clean.
Depends. Whenever I do a virus scan I end up with dozens of OMFG messages. They are all Windows viruses and trojans from the 1990s, sitting in some piece of spam in my email archives that I didn't bother deleting 15 years ago. I consider that clean. *shrug*
One trojan isn't pretty clean.
E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.
This. So much this.
So many people don't realize that nearly every email they send bounces around the internet completely unencrypted in plaintext for hackers to read.
If your password protecting your blockchain.info wallet was weak, then a hacker could capture it as it travels from blockchain.info to Google, and then check it against a rainbow table. The 2 factor is only for logging into the website to receive the encrypted wallet. Once they've got the wallet, they don't need the 2FA at all.
My best guess would be a password that exists in a rainbow table, but I suppose there are other possibilities.
Virus scans came up pretty clean ... one trojan Troj/JSRedir-BV
However, I did look back in my email history. My last wallet backup was May 28th.
Also, I did get a few "Authorize log-in attempt" warnings emailed to me on July 15th and July 4th.
"An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:
Time: 2013-07-15 07:55:45
IP Address: 87.118.91.140 (Germany)
User Agent: Mozilla/5.0 "
The location does appear to match the location on the transaction in blockchain.info:
https://blockchain.info/tx/1174e27cd6de043ec081a68b52f455ba1548f35949c2ba2ddd3abc60f5a29840
I ignored the warning at the time, since I had 2FA on.
The stolen coins have now been moved.
https://blockchain.info/address/15B9RyqJGrJcqKmyMr8QUEocif9ATYuXBP
E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.
This. So much this.
So many people don't realize that nearly every email they send bounces around the internet completely unencrypted in plaintext for hackers to read.
If your password protecting your blockchain.info wallet was weak, then a hacker could capture it as it travels from blockchain.info to Google, and then check it against a rainbow table. The 2 factor is only for logging into the website to receive the encrypted wallet. Once they've got the wallet, they don't need the 2FA at all.
My best guess would be a password that exists in a rainbow table, but I suppose there are other possibilities.
I'm not seeing any unusual login activity to my gmail account so assuming that wasn't the case, I'm still a bit baffled how they could have gotten around the 2FA.
E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.
I am super paranoid about theft. The only bitcoins I ever keep online are ones I plan to lose.
I use BlockChain.info myself sometimes, but the only thing I will do is import paper wallets, spend whatever I'm going to spend, and send the change to a fresh paper wallet, so my BlockChain balance is zero. Their webcam QR code scanner makes paper wallets easy. And this is only for small ad-hoc transactions.
If it's for any decent amount worth stealing, I will construct the transaction completely offline, get the raw hex for it, and then use a USB flash drive to introduce it to the network later (such as through Blockchain's handy https://blockchain.info/pushtx). No sense in taking any chances.
Well grab a av that's available for mac and scan your pc, rats are available for mac too and blockchain.info stores a copy of wallet in your browser's storage .
Did blockchain.info generate this key or was this a brain wallet?
It was generated by blockchain.info
its easy as shit to do, but he would have to know your blockchain.info account password, which he probably did if he was ablle to get into your account already.
just yesterday, i used an old wallet.aes.json backup to retrieve coins from my stolen laptop.
a little backstory: i made my first bitcoin wallet on blockchain.info, then exported the addresses to the bitcoin client on the laptop. the computer was stolen from my home last week. yesterday i found an old wallet back up and imported it into a new wallet at blockchain.info. it prompted me for the password to unencrypt the wallet, then for the secondary wallet password, then it asked me to prove i was human by solving a captcha, then bam i was at the login screeen ,where i logged into my new wallet and easily recovered the .4 btc that was in my bitcoin wallet on my laptop.
i'm sure the hacker did the exact same steps to steal your money.
just yesterday, i used an old wallet.aes.json backup to retrieve coins from my stolen laptop.
a little backstory: i made my first bitcoin wallet on blockchain.info, then exported the addresses to the bitcoin client on the laptop. the computer was stolen from my home last week. yesterday i found an old wallet back up and imported it into a new wallet at blockchain.info. it prompted me for the password to unencrypt the wallet, then for the secondary wallet password, then it asked me to prove i was human by solving a captcha, then bam i was at the login screeen ,where i logged into my new wallet and easily recovered the .4 btc that was in my bitcoin wallet on my laptop.
i'm sure the hacker did the exact same steps to steal your money.
I'm not seeing any unusual login activity to my gmail account so assuming that wasn't the case, I'm still a bit baffled how they could have gotten around the 2FA.
I'm pretty sure I was logged out. But let's say I was still logged in to the browser. What are the potential points of attack there?
Jump to: