Topic: How I got robbed of 34 btc on Mt.Gox today - page 3. (Read 124869 times)

Thanks for the input guys. I know that my software choices in life may have made me more vulnerable to such attacks. But all the technical details aside, it's CLEAR that this site is built and targeted methodically at mtgox users, and that these perps are doing their best to attack mtgox users however they can. Whether that means through phishing scams, xss, keyloggers, java exploits, human social engineering, etc... mtgox should take a proactive role in curving these attempts.

The reason I chose mtgox is because they are the biggest and most well known. My assumption is that I would be insured against such common hacking tactics.

They are holding massive amounts of wealth and just like banks, forex companies, and paypal, mtgox should bare a certain degree of responsibility for hacked accounts. I don't think we can expect the masses to adopt bitcoins if they need to have a degree in IT security just to protect their funds, none the less in a hosted soft wallet environment.

Very sorry about your loss. However: there is nothing else that MtGox could have done to secure against such rudimentary attacks.

You got owned by a Java exploit which can apparently execute arbitrary code on your computer. So it can log in as you on mtgox.com and do everything that you can do yourself. Even if you had no active session on MtGox, and were using the Yubikey to authenticate, the malware would still have been able to steal your coins: it could have stayed in the background, waiting for a browser session to mtgox.com to be active before hijacking it to perform the transfer. Maybe it could even have installed a persistent malware on your PC that would start running at boot time and wait for you to log in, one day, with a Yubikey, before stealing the coins.

I also saw this link posted multiple times in BTC-E chat. After people pointed out the person was posting a virus, the moderator bans him for 1 HOUR.

Internet explorer?

Use firefox with noscript, would have probably prevented xss.  As for the 0day javascript exploit, no script will save your bacon their two, only allow scripts you can identify and trust.

That keylogger it ran, was it actually installed to the system or was it just running in the browser?  Boy thats win 8 for ya.

change ur email and banking passwords. after you've done a clear install.

consider linux or os x

Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.

I use Windows XP and Firefox. I don't get virus'd often, or very rarely, and usually is because I intentionally run something I'm not supposed to. Although two factor authentication is nice, I find that I personally don't need it, since I never access any important sites insecurely, and all have good long unguessable passwords.

their site is not secured against such rudimentary attacks

Thx doobadoo for the advice.

Moved to a clean system until I wipe infected one, all passwords reset, was using chrome and win7 and you don't have to tell me I know the risks of using Microsoft. I'm on top of my security, always have been but this trojan was well crafted, I mean when the incentive is there you'll have the entire online underground mafia programming these things. These guys must be making a killing. I think the payload was both a browser java instance and custom keylogger executable. But I'm not an expert all I know is the second I clicked on that site my bitcoins were withdrawn near instantaneously, and I had mtgox.com open and logged in on another tab.

Crossing my fingers mtgox will help.

What part is the fail? or everything I guess? To others and to you maybe.

I also use Deep Freeze. Turns my whole computer into it's own sandboxed VM, so any malware disappears on reboot.