
Topic: How I got robbed of 34 btc on Mt.Gox today (Read 124881 times)

member
Activity: 69
Merit: 10
respecttheslider
April 22, 2013, 10:18:29 PM
100% Sun Microsystems Java plug-in's fault, absolute shit for security.

If you must install it limit it to run only in trusted domains.

Am running the ESET NOD32 antivirus trial; it won't even let me visit that exploit website.

-----------------
free 30-day trial, continues to work after expiration but will nag
http://www.eset.com/us/download/home/detail/family/2/?trl=ea

am using the Opera browser, it is lightweight and very fast, no disk cache
http://www.opera.com/

Ghostery addon for privacy, ad removal and no cross-site tracking
https://addons.opera.com/en/extensions/details/ghostery/



vip
Activity: 756
Merit: 503
Nice read but Dark Comet is not a highly advanced trojan. It's part of the standard script kiddies toolbox. Glad you got your bitcoins back.
mrb
legendary
Activity: 1512
Merit: 1028
bitbully, MtGox is not "vulnerable to different forms of web application attacks". Stop spreading FUD. People may say this, but they don't know what they are talking about.

I am a security professional and let me tell you that while MtGox used to be vulnerable to flaws like CSRF and XSS (back in 2010 / early 2011), it is not the same website anymore. It is today considered well-secured and well-designed: HTTPS, 2-factor auth, etc. To my knowledge there has been no known CSRF or XSS flaw in the last year or so. Although, as a security professional, I know that all big enough websites are bound to have flaws here and there, but again MtGox appears to be well-secured. Don't say that it is known to be "vulnerable to different forms of web application attacks".

As you said yourself, you were instead compromised by a local trojan: Dark Comet. No amount of web security features (other than 2-factor auth) can protect you from a local trojan running with all local privileges. You failed to use 2-factor auth and that is "how you got robbed of 34 BTC". You are right that MtGox should advertise 2-factor auth / Yubikey more, but no amount of explaining security to users is going to convince all of them to buy a Yubikey. MtGox even tried to offer free Yubikeys but some users still did not take the offer!

legendary
Activity: 1176
Merit: 1005
Well played, sir.

I have to say it's really great to see one of these stories with a happy ending for a change. This is how it should be more often.
jr. member
Activity: 47
Merit: 1
UPDATE 4/21/13


It's been a long and hard journey, but I did it, I got my 34 bitcoins back.

First thank you to all those anonymous users out there who helped me track down the thief, and those who supported me throughout.

Luckily for me the stupid Canadian teenager who committed these crimes was very sloppy and left a massive trail which allowed us to identify him and target him on his turf @ hackforums.net. Mtgox never helped, they are the Achilles' heel of bitcoin. They have overcentralized the exchanges, monopolized the control over bitcoin's value, and their customer service is non-existent (I mean literally non-existent, their live chat hasn't worked for weeks).

So how did I find this kid and get the coins? An amazing group of researchers put together valuable information, starting by contacting the file hosting site that hosted the trojan. They got the login and ip info and matched it to a user called PoutineCoutu across the net which has a few scam reports. We then found him highly active on hackforums.net where he was selling and GIVING AWAY bitcoins, which also matched all the activity to the bitcoin address where my coins went. He's so stupid he didn't even wash the coins and was selling them publicly. He even has multiple threads asking how to open ports on his firewall for his trojan C&C and that he is using a silent java drive-by script.

Reported to police (they are really no help, so much for paying their salary, seems they've gotten FBI reports about bitcoins and don't really like them, started asking if I pay taxes on them...), but at least I had a precedent to pursue. Tried contacting the thief, he blocked me and claimed I was blackmailing him all over the forums. This went on for a while. He was feeling the heat and dumped the coins to an offline exchange member, Xch4nge, which I tracked down immediately by tracking the coins on blockchain.info. Contacted him and what an amazing guy, helped me throughout the entire process and took a lot of heat but basically a huge skid war erupted all across the forums, and he still held on to the coins for a week until finally the kid came to his senses realizing what he was doing is "bad" (and he might go to jail). He was arguing that it's okay he stole the coins from someone, but not okay someone "stole" the coins from him.

Finally he publicly agreed to allow the return of the coins. Throughout the entire process many people came to my help and provided me information about this person and one guy who goes to school with him even said that he's a $%@!. And the guy who sold him the Java script even apologized to me and said he's sorry that his script was responsible for my loss...

For the full story (if you have a few hours) go here:

http://www.scmagazine.com.au/News/339677,bitcoin-hacker-hunted.aspx
http://www.hackforums.net/showthread.php?tid=3402988
http://www.hackforums.net/showthread.php?tid=3418367&pid=32074125#pid32074125
http://www.hackforums.net/showthread.php?tid=3422032

As for the trojan and mtgox I have attached my final thoughts below.

I think this might be the first time ever someone got their bitcoins back :)


---------------------------------------------------------------------------------------------


Let this incident be a lesson to both me and Mtgox. Mtgox's website is not security conscious. At no point in the registration process are the dangers of not using secondary authentication pointed out. Yes in the end it is the user's responsibility but it behooves me that they would not implement additional security protocols, the way for example the blockchain.info wallet does. Even a yubikey might not have protected me considering how compromised my system was from the trojan.

A very reasonable security feature would be to have an option for delayed withdrawal processing times, that once set cannot be changed for 24 hours. With a default of let's say 2 hours withdrawal delay I would have been able to notify mtgox to cancel the withdrawal in time. Or a simple withdrawal PIN such as other bitcoin commerce sites use...

But all this is in hindsight. As for my case, analyzing my system showed that my browser and system security was misconfigured apparently due to a previous compromise, and/or my software versions were vulnerable to an exploit which allowed the script to run unauthorized. Unfortunately there is not a foolproof scenario to avoid malware (for a normal person, not some guru security expert).

This script, or executable, installed a highly advanced trojan called Dark Comet which basically allowed the attacker to perform pretty much any imaginable task. How at that point the withdrawal was initiated so quickly is unknown, but it does seem the attacker had a couple of minutes to act since a deeper investigation has shown the page was first opened a few minutes before the withdrawal took place. Most likely it was a combination of automatic and manual tasks which afforded the attacker access to the account. As for more advanced forms of attack, XSS or token theft, these were possibly implemented through the trojan, but it is more likely that the attacker was able to use password sniffing and info gathering techniques along with predefined scripts to yield very fast results. The payload itself was wrapped in an AutoIt executable and is mostly undetectable by scanners.

Having spoken with so many programmers and IT security professionals, they have advised that Mt.Gox is highly vulnerable to different forms of web application attacks and should pursue penetration testing services immediately. My understanding is that they didn't learn from the first time.
newbie
Activity: 56
Merit: 0
Don't trust ANYONE on BTC-E. Bunch of scamming C***s
legendary
Activity: 1148
Merit: 1018
Seems like MtGox needs to start using some form of email verification before the transaction to other accounts/out of MtGox actually happens.

Huh
How about people stop being cheap and just buy a yubikey. Is $30 (or however much it costs) too expensive to protect your money? Email verification pales in comparison to having a physical hardware token. Come on people, stop being cheap and just buy the thing!

Come on, you just need to do a couple of small trades and they will send you a yubikey for free

And Google Auth is free too
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
Seems like MtGox needs to start using some form of email verification before the transaction to other accounts/out of MtGox actually happens.

Huh
How about people stop being cheap and just buy a yubikey. Is $30 (or however much it costs) too expensive to protect your money? Email verification pales in comparison to having a physical hardware token. Come on people, stop being cheap and just buy the thing!
legendary
Activity: 2128
Merit: 1002
Or A LOT of people are in deep shit.
Anyhow: 2 Factor Authentication is a must.
++11
full member
Activity: 224
Merit: 100
One bitcoin to rule them all!
Seems like MtGox needs to start using some form of email verification before the transaction to other accounts/out of MtGox actually happens.
jr. member
Activity: 47
Merit: 1
Here's some proof for you Poutine.

"I am moverstar and I am legit."
legendary
Activity: 1148
Merit: 1018
Every Mt. Gox 2f user knows Mt. Gox requires 2f again when a withdrawal is performed ::)

Thanks, I'm not a Mt. Gox user and I didn't know.

Well, the whole point of 2fa is that you need a ONE TIME PASSWORD that changes every few seconds. You don't need to be a MtGox user to know that, because that's how OTP and 2FA works everywhere.
full member
Activity: 210
Merit: 100
Every Mt. Gox 2f user knows Mt. Gox requires 2f again when a withdrawal is performed ::)

Thanks, I'm not a Mt. Gox user and I didn't know.
legendary
Activity: 1792
Merit: 1111
The exploit took advantage of the fact that he was already logged in, so even if he was using 2f how could this have helped unless Mt. Gox requires 2f again when you perform a withdrawal.

Every Mt. Gox 2f user knows Mt. Gox requires 2f again when a withdrawal is performed ::)
full member
Activity: 210
Merit: 100
The exploit took advantage of the fact that he was already logged in, so even if he was using 2f how could this have helped unless Mt. Gox requires 2f again when you perform a withdrawal.
legendary
Activity: 1176
Merit: 1005
It was a link in the btc-e chat. It could as easily have been a link posted here.

What could limit the success of these attacks besides 2FA would be if mtgox would lock changes to the withdrawal address or account details for 24 hours and send an email of the activity.

I stand corrected. The OP did state it was a link in btc-e chat, and I misremembered.
legendary
Activity: 1512
Merit: 1036
what could gox've done?

They could have been a bit quicker deleting an obviously bogus and malicious link from their own chat.
It was a link in the btc-e chat. It could as easily have been a link posted here.

What could limit the success of these attacks besides 2FA would be if mtgox would lock changes to the withdrawal address or account details for 24 hours and send an email of the activity.
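The withdrawal hold and 24-hour settings lock proposed in this post and in the OP's update (a default 2-hour delay that the owner can cancel, with changes to the setting frozen for 24 hours and every event e-mailed), worked through as an added example. This is my code, not anything Mt.Gox ran: the clock is a toy clock in hours, addresses and amounts are constructed, and the e-mail alert is a list of notices.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SETTINGS_LOCK_H = 24.0   # thread's suggestion: a setting change is frozen for 24 hours
DEFAULT_DELAY_H = 2.0    # thread's suggested default hold on every withdrawal

@dataclass
class Withdrawal:
    address: str
    amount_btc: float
    executes_at: float        # toy clock, in hours
    cancelled: bool = False

@dataclass
class Account:
    delay_h: float = DEFAULT_DELAY_H
    pending_delay_h: Optional[float] = None   # shorter delay waiting out the lock
    pending_delay_at: float = 0.0
    withdrawals: List[Withdrawal] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)   # stand-in for e-mail alerts

def effective_delay(acct: Account, now: float) -> float:
    # A queued shorter delay only takes effect once its 24h lock has expired
    if acct.pending_delay_h is not None and now >= acct.pending_delay_at:
        acct.delay_h, acct.pending_delay_h = acct.pending_delay_h, None
    return acct.delay_h

def set_delay(acct: Account, new_delay_h: float, now: float) -> float:
    # Lengthening applies at once; shortening is queued for 24h and announced, so a
    # thief who changes the setting cannot withdraw quickly under the new value
    if new_delay_h >= effective_delay(acct, now):
        acct.delay_h, acct.pending_delay_h = new_delay_h, None
    else:
        acct.pending_delay_h, acct.pending_delay_at = new_delay_h, now + SETTINGS_LOCK_H
        acct.notices.append(f"delay drops to {new_delay_h}h at t={acct.pending_delay_at}h")
    return acct.delay_h

def request_withdrawal(acct: Account, address: str, amount_btc: float, now: float) -> Withdrawal:
    # Every withdrawal is held for the effective delay and the owner is notified at once
    w = Withdrawal(address, amount_btc, now + effective_delay(acct, now))
    acct.withdrawals.append(w)
    acct.notices.append(f"{amount_btc} BTC to {address} sends at t={w.executes_at}h")
    return w

def cancel_withdrawal(w: Withdrawal, now: float) -> bool:
    # The owner may cancel before the hold expires; the payout job must re-check both fields
    if not w.cancelled and now < w.executes_at:
        w.cancelled = True
    return w.cancelled
```

With the thread's numbers, a withdrawal requested at t=10h cannot leave before t=12h, and an attacker who sets the delay to zero at t=10.5h only gets that value at t=34.5h, by which time the owner has had two e-mails and a full day to react.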
legendary
Activity: 1176
Merit: 1005
what could gox've done?

They could have been a bit quicker deleting an obviously bogus and malicious link from their own chat.
legendary
Activity: 1358
Merit: 1002
You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

Conceivably, an exploit like this could lie in wait until you use two-factor and then hijack your existing session to do whatever. While the OP did, IMO, screw up, Gox has some responsibility to monitor their own computers.

what could gox've done?

I don't know, maybe they could just block everyone who logs in to MtGox with correct credentials, that would show those hackers who's the boss ::)
hero member
Activity: 868
Merit: 1000
You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

Conceivably, an exploit like this could lie in wait until you use two-factor and then hijack your existing session to do whatever. While the OP did, IMO, screw up, Gox has some responsibility to monitor their own computers.

what could gox've done?