Pages:
Author

Topic: How I got robbed of 34 btc on Mt.Gox today - page 2. (Read 124869 times)

legendary
Activity: 1176
Merit: 1005
You are not a noob. Obviously you know what 2-factor authorization is and you are lazy enough not to use it. How could you blame MtGox and even ask for any compensation?

Conceivably, an exploit like this could lie in wait until you use two-factor and then hijack your existing session to do whatever.  While the OP did, IMO, screw up, Gox has some responsibility to monitor their own computers.
legendary
Activity: 1792
Merit: 1111
hero member
Activity: 756
Merit: 522
hero member
Activity: 1778
Merit: 764
www.V.systems
When I grow up I wanna be a haccker JUST like these guys, and I wanna rip off guys like you just CLICK and FORGET!

In spite of being a techie how the hell could you be so irresponsible ! EVEN 34 BTC at a time like this can cause some damage... No wonder the SLL/BTC prices plummeted today !
hero member
Activity: 868
Merit: 1000

Yes, it's more secure with 2 factor auth, but my personal experience has been more hassle than it's worth [...]

I believe I have the client side secured more than enough.

So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info [...]

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.

[...]

Some while later at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
[...]


Just take it as a lessson learned, and don't get defensive. You screwed up, and paid for it. I'm sorry about your losses.
newbie
Activity: 52
Merit: 0
Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?
I use Debut Video capture. It will record a sizeable rectangle of screen to .avi or other video format.
legendary
Activity: 2058
Merit: 1005
this space intentionally left blank
three words:

YU BI KEY
newbie
Activity: 52
Merit: 0
"In order to see Chatbox or to communicate with us. Please Update java at the top of the page.

- If the Download did not worked, Click Here"

Is this verbatim? The "If the Download did not worked" maybe should have set off alarm bells...
Horrible story though, really sad for the guy.

I'm thinking of doing a Ubuntu boot purely to run a browser in for trading. People are right to warn about Windows, - it's much harder to defend against malware...
newbie
Activity: 56
Merit: 0
guys they did it again !
but gox hushed the pw right with salt so strong pw are safe but if you typed in flipper or some shit
change it now!
legendary
Activity: 2506
Merit: 1010
They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this.

Incidentally, they do have a method that is secure against this ... Yubikey, and Google Authenticator.

Happens a lot:

MtGox account got cleared out
 - https://bitcointalksearch.org/topic/mtgox-account-got-cleared-out-85533

All BTC disappeared from my Mt. Gox account
 - https://bitcointalksearch.org/topic/all-btc-disappeared-from-my-mt-gox-account-88368

Another:
 - https://bitcointalksearch.org/topic/m.941759

And another: My mtgox account got compromised, what can I do?
 - https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - https://bitcointalksearch.org/topic/mtgox-account-hacked-lost-2k-usd-mtgox-will-not-explain-how-89142

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - https://bitcointalksearch.org/topic/stolen-from-mtgox-coins-help-return-the-coins-119816

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - https://bitcointalksearch.org/topic/bitcoinica-mtgox-account-compromised-93074

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - https://bitcointalksearch.org/topic/unauthorized-account-activity-on-my-mtgox-account-account-compromisedhacked-94140

And even more: *MY* Mt Gox Account was Hacked - lost it all today... now what!?
 - https://bitcointalksearch.org/topic/my-mt-gox-account-was-hacked-lost-it-all-today-now-what-137795

Ditto: My MtGox account was just exploited - 3 BTC stolen
 - https://bitcointalksearch.org/topic/my-mtgox-account-was-just-exploited-3-btc-stolen-old-news-141816

Ditto on the ditto: Just lost 190 bitcoins through Mt. Gox
 - https://bitcointalksearch.org/topic/just-lost-190-bitcoins-through-mt-gox-141831

And other ones get added to the list: Unauthorized withdrawal on Mt. Gox
 - https://bitcointalksearch.org/topic/unauthorized-withdrawal-on-mt-gox-147070

And now this: How I got robbed of 34 btc on Mt.Gox today
 - https://bitcointalksearch.org/topic/how-i-got-robbed-of-34-btc-on-mtgox-today-173227

And another recent one: My funds and BTC have just disappeared from my Gox account!
 - https://bitcointalksearch.org/topic/my-funds-and-btc-have-just-disappeared-from-my-gox-account-174556

And on other services as well. Here same thing happened to some GLBSE users:
 - https://bitcointalksearch.org/topic/i-suspect-gpumax-was-compromised-and-passwords-stolen-84893

And elsewhere, BitMarket.eu in this instance:
 - https://bitcointalksearch.org/topic/m.1259168

And on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - https://bitcointalksearch.org/topic/bitcoins-stolen-from-bitcoinde-130264


In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Also, here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - https://bitcointalksearch.org/topic/how-to-use-2-factor-auth-on-mtgox-even-without-a-smartphone-111943
legendary
Activity: 1795
Merit: 1208
This is not OK.
It's not all bad, You made the BBC news, bitbully!

http://www.bbc.co.uk/news/technology-22120833

Oh, wait... :/
newbie
Activity: 47
Merit: 0
Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?
Safest bet is a camera. Or if you trust the malware not to quit the screen recording program, and I don't think it will, use a screen recorder like Fraps or Hypercam or one of the thousand others.
legendary
Activity: 1148
Merit: 1018
Is it possible for this exploit, or a similar one, to work on Mac OS X?

Yes.
member
Activity: 107
Merit: 10
Are there any utilities that can continuously record the screen of my computer, so that I can go back in history and observe exactly what I saw in the past?
jr. member
Activity: 47
Merit: 1
Hey Frott,

You bring up a lot of good points. I'm not a expert with the terminology. The 0-day exploit was referenced in a post from 3 days prior:

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

and was suggested as a possibility of how the script was able to run automatically. Others have said my security settings were misconfigured.

I know the trojans detected by malwarebytes were from that site because AdobeUpdate-Setup.1.84.exe is the downloaded file from that site. It was definitely from that website and the file dates/times match.

I was able to grab most of the site but some files are missing so if anyone has a full rip please PM me. I have forwarded it to security researchers and they are reverse engineering it as we speak. So far we know that it was a "Dark Comet" keylogger, but thats only part of what I was able to grab, so until I get a hold of the rest of the site I won't know everything that was implemented.

I'm not claiming to know exactly how it worked, but what I do know is that it was fast, unexpected and painful. In the end I'm just happy that people are becoming aware of how easy it is to lose all your mtgox btc in the blink of an eye, and yes taking extra security precautions is a must and let this be a lesson to me and all others (Seems I'll be paying the tab this time...).
member
Activity: 107
Merit: 10
Is it possible for this exploit, or a similar one, to work on Mac OS X?
jr. member
Activity: 47
Merit: 1
Thanks for the support everyone.

Just to reiterate, a java applet was never run, clicked on, or allowed to execute by me. I'm reading there was more than one attack vector in the page. There was a java initiated executable payload, which contained at the very least a keylogger - yet within seconds of clicking on the link the withdrawal was already initiated, leaving no time for the attacker to sniff my passwords and manually perform a withdrawal. The password was also changed after the withdrawal. Additionally there could have been a session token theft, or some form of XSS.

My understanding from two different IT security consultants is that mtgox's website security is sub-par. Instead of everyone trying to blame me or mtgox, perhaps the discussion should be about how we can stop this from happening in the future. I'm trying to make a point that however this trojan was crafted, it is very good at instantaneously emptying out your account. Someone could repackage it tomorrow and this whole story will repeat itself. No antivirus detects it, and it works directly with mtgox's site. I don't understand how some of you feel like this shouldn't be of concern to mtgox.

I'll be waiting for a response from mtgox, and will update if and when I receive a response. I do recognize however there is an uncomfortable situation over there right now, with bitcoin price going crazy, potential ddos attacks, thousands of new users in queue, under-staffing and system overloads. I mean their website isn't even loading right now and their pricing api isn't working...

Makes me real hopeful to see colored bitcoins and atomic swaps come to life.

I appreciate all those who are helping me both publicly and privately.
legendary
Activity: 1176
Merit: 1005
I tend to live somewhat "dangerously" as well, but to allow Java to run, unbidden, from any web browser is foolhardy in the extreme.  I now no longer allow Java to run at all, except when I issue it from a shell command line (not as root) and with known software from a known source, just like allowing any other application to run.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
Not having 2 Factor Auth when dealing with MONEY is FAIL.

You have very long random passwords? There's many other ways to compromise a system, both server or client side. Only truly secure way is 2FA

You use Deep Freeze? Not secure at all. Did you read the OP? Deep Freeze will do nothing to protect you from certain attack vectors.

Yes, it's more secure with 2 factor auth, but my personal experience has been more hassle than it's worth, and I regularly deal with thousands of dollars worth on other sites. However, it's the fault of the bank or site that does not offer 2 factor auth. It just so happens that I have no choice to deal with certain banks (in my country), and they don't offer 2 factor auth.

So what I do, when I have to access those sites, I restart my computer so anything that was there from random browsing is gone. Then I go only to those sites to do what I have to do. I believe I have the client side secured more than enough. I also believe the server side isn't as secure as I prefer it to be, but I can't do anything about that until they upgrade their systems.

Deep Freeze (and other similar stuff like sandboxie, return nil, etc) isn't meant to protect you from your own user initiated mistakes like clicking on links or running programs. I have it primarily to fix my system to my last known good working configuration every time. Updates to software like Firefox and OS are done manually, and usually after doing a reboot first.

I actually live relatively "dangerously" online. But I take responsibility for what I do. When I have to deal with someone else's money, I just have to be more vigilant about securing what I'm working on.
Pages:
Jump to: