Thanks to your persistence, other things come to mind.
The most important one is that weeks ago I too was a victim of the infamous "StealthBit".
An "open source" app on GitHub that let you test "Stealth Addresses" (a possible future for privacy in making payments).
In reality, alongside the (probably harmless) sources, the developer (who later disappeared) made available the "convenient" binary version, which I promptly installed (on this very Mac I'm writing to you from).
As you can read in English below, the application does what it's supposed to do, but it also has a component that installs browser extensions which transmit your login credentials, and it was designed (it seems) particularly for BTC-E and Mt.Gox (at this point I'd say it probably didn't do too badly with Bitstamp either).
The reason I had almost forgotten about it is that the news came out almost immediately, together with the cure to apply (http://www.securemac.com/Remove-CoinThief-Trojan-Horse-Instructions.php), but it's clear that this was the biggest mistake I made, and the cure was insufficient (or too late).
Thanks to Trigun I thought about the Mac again.
What remains unexplained is that I left home at 14:00 and the attack happened around 21:00 (Bitstamp is one hour behind Italy). So even if they had the username and password, how the hell did they intercept the six-digit code???
Below I reproduce the interesting article that I should have read much more carefully.
Taken from:
http://www.securemac.com/CoinThief-BitCoin-Trojan-Horse-MacOSX.php

SecureMac has discovered a new Trojan Horse called OSX/CoinThief.A, which targets Mac OS X and spies on web traffic to steal Bitcoins. This malware has been found in the wild, and there are multiple user reports of stolen Bitcoins. The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for Bitcoin wallets.
Initial infection occurs when a user installs and runs an app called "StealthBit," which was recently available for download on GitHub, a website that acts as a repository for open source code. The source code to StealthBit was originally posted on GitHub, along with a precompiled copy of the app for download. The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems. A user posting over the weekend on Reddit, the popular discussion site, reported losing 20 Bitcoins (currently worth upwards of $12,000 USD) to the thieves.
Disguised as an app to send and receive payments on Bitcoin Stealth Addresses, OSX/CoinThief.A instead acts as a dropper and installs browser extensions that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin websites, including MtGox and BTC-e, as well as Bitcoin wallet sites like blockchain.info. When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors.
Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions. Additionally, the malware installs a program that continually runs in the background, looking for Bitcoin wallet login credentials, which are then sent back to a remote server. OSX/CoinThief.A can both send information to as well as receive commands from a remote server, including a functionality to update itself to newer versions from the malware author.
Information sent back to the server isn't limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system.
Some steps were taken by the malware author to disguise the inner workings of OSX/CoinThief.A from casual analysis. The browser extensions were given the generic name of "Pop-Up Blocker" and show a similarly generic description of "Blocks pop-up windows and other annoyances." The malware additionally checks to see if various security programs or code development tools are present on an infected system, which is sometimes done in an attempt to block security researchers from analyzing a piece of malware.
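The write-up above says the dropped extensions hide behind the generic name "Pop-Up Blocker" and the description "Blocks pop-up windows and other annoyances", and that they need to read every page to harvest logins. A quick way to check a Mac for that lure is to walk the browser's extension directory and inspect each manifest.json. The script below is an added example, not code from the original post, from SecureMac, or from the malware analysis; the only values taken from the page are the two strings quoted there. The Chrome extension path is an assumption about a default macOS profile, and the sample extension tree it builds is constructed so the scan can be exercised offline.

```python
import json
import tempfile
from pathlib import Path

# Name and description the SecureMac write-up attributes to the malicious
# extensions. Everything else below (paths, sample data) is constructed.
SUSPECT_NAME = "Pop-Up Blocker"
SUSPECT_DESCRIPTION = "Blocks pop-up windows and other annoyances"

# Assumed default Chrome extension root on macOS (not from the page).
DEFAULT_CHROME_EXTENSIONS = (
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
)

# Permission patterns that grant an extension access to every site; a
# credential-harvesting extension needs at least one of these.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifests(root):
    """Yield (path, manifest_dict) for every readable manifest.json under root."""
    for path in Path(root).rglob("manifest.json"):
        try:
            with open(path, encoding="utf-8") as fh:
                yield path, json.load(fh)
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip rather than abort the scan.
            continue


def find_suspect_extensions(root):
    """Return a list of extensions whose manifest matches the CoinThief lure.

    An entry is reported when the name or description equals the strings
    quoted in the write-up; broad host access is recorded as an extra reason.
    """
    hits = []
    for path, manifest in load_manifests(root):
        name = str(manifest.get("name", "")).strip()
        desc = str(manifest.get("description", "")).strip()
        reasons = []
        if name.lower() == SUSPECT_NAME.lower():
            reasons.append("name matches lure")
        if desc.lower() == SUSPECT_DESCRIPTION.lower():
            reasons.append("description matches lure")
        if not reasons:
            continue
        perms = list(manifest.get("permissions", [])) + list(
            manifest.get("host_permissions", [])
        )
        if any(p in BROAD_HOST_PATTERNS for p in perms):
            reasons.append("broad host access")
        hits.append({"path": str(path), "name": name, "reasons": reasons})
    return hits


def build_sample_tree():
    """Construct a throwaway extension tree: one lure-like entry, one benign."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    samples = {
        "aaaa/1.0_0": {
            "name": "Pop-Up Blocker",
            "description": "Blocks pop-up windows and other annoyances",
            "permissions": ["<all_urls>", "tabs"],
        },
        "bbbb/2.1_0": {
            "name": "Example Notes",  # constructed benign extension
            "description": "Keeps notes per tab",
            "permissions": ["storage"],
        },
    }
    for rel, manifest in samples.items():
        ext_dir = root / rel
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = build_sample_tree()  # replace with DEFAULT_CHROME_EXTENSIONS on a real host
    for hit in find_suspect_extensions(target):
        print(f"{hit['path']}: {hit['name']} ({', '.join(hit['reasons'])})")
```

Run it as-is to see the constructed lure being flagged, or point `find_suspect_extensions` at `DEFAULT_CHROME_EXTENSIONS` to check a live profile. Safari extensions of that era were packaged differently and are not covered by this manifest scan; a clean name or description also proves nothing on its own, so treat a hit as a reason to inspect the extension's code and network activity, not as the whole answer.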