Topic: Security warning: trojan stealing coins, swapping C&P addresses - page 2. (Read 3258 times)

legendary
Activity: 2506
Merit: 1010
When I have more details on the software involved/responsible I will update. In the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Possibly related:
 - http://stackoverflow.com/questions/400212/how-to-copy-to-the-clipboard-in-javascript
donator
Activity: 1218
Merit: 1079
Gerald Davis
I mean that sucks but on the other hand I got to say awesome to the malware writer.  Get the user to send coins to the wrong address.  No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc.  Just get the user to send you money.

hero member
Activity: 602
Merit: 513
GLBSE Support
Quote
Anyway, what it did is: when I copied the BTC address from your site in a browser and pasted it to my account on btc-e in another browser tab to request withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it. Nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ
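
The verification step suggested above can also be done mechanically. The following is an added example, not part of any post in this thread: it compares the address shown by the service with the one that arrived in the client, and shows that a Base58Check checksum alone does not catch a swap, because the substituted address is itself well-formed. It assumes legacy Base58Check addresses; the function names and the sample addresses are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Assumption: legacy Base58Check addresses only (the 1.../3... form).
ADDRESS_SHAPE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")

def b58check_encode(version: int, hash160: bytes) -> str:
    """Encode version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    payload = bytes([version]) + hash160
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(raw) - len(raw.lstrip(b"\0"))  # each leading zero byte becomes "1"
    return "1" * zeros + out

def b58check_decode(addr: str):
    """Return (version, hash160), or None if the shape or checksum is wrong."""
    if not ADDRESS_SHAPE.fullmatch(addr):
        return None
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return None
    version, hash160 = raw[0], raw[1:21]
    # Re-encoding recomputes the checksum; a typo or truncation fails here.
    return (version, hash160) if b58check_encode(version, hash160) == addr else None

def verify_paste(intended: str, pasted: str) -> str:
    """Compare the address shown by the service with what landed in the client."""
    intended, pasted = intended.strip(), pasted.strip()
    if b58check_decode(intended) is None:
        return "intended-invalid"
    if b58check_decode(pasted) is None:
        return "pasted-invalid"
    # A swapped address is well-formed, so only the comparison catches it.
    return "ok" if intended == pasted else "MISMATCH"

# Constructed sample addresses (not taken from the thread).
SHOWN = b58check_encode(0, bytes(range(1, 21)))
SWAPPED = b58check_encode(0, bytes(range(21, 41)))

if __name__ == "__main__":
    print(verify_paste(SHOWN, SHOWN), verify_paste(SHOWN, SWAPPED))
```

For the comparison to mean anything, the intended address has to be typed or read from the service's page rather than taken from the clipboard.
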
member
Activity: 64
Merit: 10
What's the dodgy bitcoin address? Is it static or does it change every time?!
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
So am I correct in assuming that a countermeasure could be verifying the address before sending? Or does it make the change in a way that is not visible to the user?
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied, and replaces them with a new address. When you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update. In the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefairo

Figures, Linux is not nearly exploitable.
hero member
Activity: 602
Merit: 513
GLBSE Support
I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied, and replaces them with a new address. When you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update. In the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefairo