Topic: Someone hacked into our Blockchain.com wallet (Read 682 times)

sr. member
Activity: 1878
Merit: 389
November 30, 2018, 10:25:40 AM
#24
URGENT

Looks like he stole another $2k from us:

https://www.blockchain.com/btc/tx/0358082dda05367d4a1dba52d6bd0b64a8067dccbcf233684488b7fab58fa868

We did set up 2FA on the account; is it because of the 12 words (the key) that he was able to gain access? We got no email and no notification when these funds were stolen.

Someone else is going to be in charge of the funds from now on with a different PC and in a different country.


The issue is urgent and we need help, so we started a new topic:
https://bitcointalksearch.org/topic/urgent-a-2nd-hack-into-our-blockchain-wallet-5078190

This one will be locked.
legendary
Activity: 1624
Merit: 2481
Thanks for the info about this.
How certain are you regarding this information? (say on a scale of 1 to 10).



Putting answers on a scale is quite hard.

Let me rephrase it:

1) There is no known Chrome vulnerability currently (IF you are on the latest version) to break out of the sandbox.
This means that there is no way for an attacker to access your filesystem or your saved passwords.

The very tiny chance that he used a 0-day-exploit exists, but is negligibly small (especially considering that this is a 'simple add-on scam').

This means that:
  • Your saved passwords should be safe
  • Any keepass database or any other files on your harddrive should be safe
  • Your machine should be clean

Definitely tell your admin to check which browser version he has used. If it was not the latest, we have to dig further to find out if there are vulnerabilities which would allow breaking out of the sandbox.



2) Depending on the permissions your administrator gave to the extension (assuming all have been granted):
  • Chances are VERY high that each password entered into the browser while the addon was active has been compromised
  • Chances are VERY high that ANY information entered into the browser while installed has been compromised


I hope this is enough information for you. Rating it on a scale between 1 and 10 wouldn't be close to professional.





Left to me, I would say 7 out of 10. Always use a local password manager like KeePass.

What ?

1) I don't think he has asked you.
2) I made 6 different statements. How can you simply say "7 out of 10"?
3) It is not about the password manager. Even using a password manager would have caused the theft of the funds. Please read the whole thread.
legendary
Activity: 3808
Merit: 7912
Someone posted a scam here (Crypton-Exchange.net). One of our admins was naive enough to try it, and the site told him to install an add-on in order to withdraw the funds. Naively he installed it, and now we realize someone withdrew $2,300 from our Blockchain.com account (money that we intended to use to pay publishers; sadly it is gone now).

The money was sent to 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
https://www.blockchain.com/btc/tx/0fe187e55c07772d47d1c588c80195f5977aa139d814feb39bdab968253c8f60

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

Few questions:

1) How did the Chrome add-on allow someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?
2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.
3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?





 2) It's a moot point.  You've terminated his employment with you and changed your Blockchain.com wallet for a new one, right?!
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
@get-paid, another user sent me the source code. I'll take a look through it tonight and see if there's anything that looks particularly tragic in it, although I'm going to say it's probably a 5-7 score on your computer being fully safe after uninstalling the plugin.
sr. member
Activity: 1878
Merit: 389
I'm still figuring out which steps I need to take in order to be safe... Of course I completely removed all files from my Chrome portable and installed a clean version, but I'm wondering what to do with the passwords saved by Chrome, my KeePass database, my desktop wallets (most of my funds are in my Ledger and Trezor HW wallets, but I still keep some spending money on a couple of desktop wallets)...

If there is no Chrome vulnerability which allows an extension to break out of the isolated environment (which I doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, I heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developers aren't intelligent enough to make use of a potential vulnerability).

Your keepass database (local KeePass, not browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you have entered while it was installed can be (and most probably are) compromised.
Each data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.

Thanks for the info about this.
How certain are you regarding this information? (say on a scale of 1 to 10).
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
3 - I am not familiar, but Ledger Nano allows you to use it safely on any infected computer.
That is what their ad says.
But I would not use Ledger on an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is sent to Ledger for confirmation.

And then you just might confirm the payment. Particularly if the output address looks similar to the real output address.

Not that easy, because you have to confirm the address on the Ledger Nano's display.
legendary
Activity: 1624
Merit: 2481
3 - I am not familiar, but Ledger Nano allows you to use it safely on any infected computer.
That is what their ad says.
But I would not use Ledger on an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is sent to Ledger for confirmation.

Sure, that's perfectly possible.

However, this would require one to create a malicious version of Ledger Live (or Electrum) for this specific purpose.

And that's where the 2FA (confirming the TX on the ledger screen by physically pressing a button) comes into play.
If you confirm the amount + address, you're fine.



And then you just might confirm the payment. Particularly if the output address looks similar to the real output address.

Generating a 'similar looking address' is not as easy as you might think.

Vanity gens need multiple hours/days/weeks to generate an address with 6 or 7 chosen chars.

So, if you want to generate a 'similar looking' address at runtime, you'll get 1 or 2 chars identical. The rest will be different.

That's the beauty of a big 'key space'.
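The key-space argument above, worked through as an added example (this is not code from the thread or from any vanity generator). The candidates are constructed base58 strings rather than real keys, because the cost of a lookalike depends only on the chance of a prefix match, and that chance is the same for real addresses; the target is the thief's address quoted in the thread. Rates for `secondsToMatch` are assumptions.

```javascript
// Added example (not from the thread): how much work a "similar-looking"
// address costs. Bitcoin P2PKH addresses are base58; after the leading '1'
// every further matching character costs roughly 58x more key generations.
// Candidates below are constructed base58 strings, not real keys. Real
// generation needs secp256k1 + SHA-256 + RIPEMD-160, but the probability of
// a prefix match is what matters here and it is the same.
const BASE58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Expected number of candidate keys to hit k chosen characters after the '1'.
function expectedAttempts(k) {
  return 58n ** BigInt(k);
}

// Seconds needed at a given keys/second rate (assumption: a GPU vanity
// generator manages somewhere around 1e7 to 1e8 keys per second).
function secondsToMatch(k, keysPerSecond) {
  return Number(expectedAttempts(k)) / keysPerSecond;
}

// Small deterministic PRNG (mulberry32) so the simulation is repeatable.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// A constructed address-shaped string: '1' (P2PKH version byte) + base58 chars.
function randomAddressLike(rng, length = 34) {
  let s = '1';
  for (let i = 1; i < length; i++) s += BASE58[Math.floor(rng() * 58)];
  return s;
}

// Number of leading characters (after the '1') two addresses share.
function matchingPrefix(a, b) {
  let n = 0;
  while (n + 1 < a.length && n + 1 < b.length && a[n + 1] === b[n + 1]) n++;
  return n;
}

// "Runtime" attack: generate n candidates and keep the closest one.
// With n candidates the best match is about log58(n) characters, i.e.
// 1 or 2 for anything malware can afford to do while you wait.
function bestLookalike(target, n, seed = 1) {
  const rng = mulberry32(seed);
  let best = { address: null, matched: -1 };
  for (let i = 0; i < n; i++) {
    const cand = randomAddressLike(rng);
    const m = matchingPrefix(target, cand);
    if (m > best.matched) best = { address: cand, matched: m };
  }
  return best;
}

// The thief's address from the thread, used as the target to imitate.
const TARGET = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';

console.log('expected keys for 7 chars:', expectedAttempts(7).toString());
console.log('at 1e7 keys/s:', (secondsToMatch(7, 1e7) / 86400).toFixed(1), 'days');
console.log('best of 20000 at runtime:', bestLookalike(TARGET, 20000));
```

The practical consequence is the check the post is making: on the hardware wallet screen compare the whole address, not just the first few characters, since a precomputed vanity address can match 6 or 7 leading characters if the attacker already knew which destination to imitate.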
full member
Activity: 378
Merit: 197
3 - I am not familiar, but Ledger Nano allows you to use it safely on any infected computer.
That is what their ad says.
But I would not use Ledger on an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is sent to Ledger for confirmation.

And then you just might confirm the payment. Particularly if the output address looks similar to the real output address.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
Nothing to do with them. They do not have your wallet keys....

Oh of course, you're the guy who told the other user to back up their wallet addresses.

You seem a bit oddly too in the know of how the software works (or your interpretation of it, they probably do have the keys) so would you care to enlighten us as to how you yourself have been enlightened?
legendary
Activity: 1624
Merit: 2481
I'm still figuring out which steps I need to take in order to be safe... Of course I completely removed all files from my Chrome portable and installed a clean version, but I'm wondering what to do with the passwords saved by Chrome, my KeePass database, my desktop wallets (most of my funds are in my Ledger and Trezor HW wallets, but I still keep some spending money on a couple of desktop wallets)...

If there is no Chrome vulnerability which allows an extension to break out of the isolated environment (which I doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, I heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developers aren't intelligent enough to make use of a potential vulnerability).

Your keepass database (local KeePass, not browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you have entered while it was installed can be (and most probably are) compromised.
Each data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
I had the same plugin pushed to me by the owner of cryptrave.com. Usually I wouldn't fall for this trick, but I actually lost a family member on Monday, and I was just browsing bitcointalk aimlessly without paying attention after the news actually hit me... I actually felt like playing with a no-deposit bonus would distract me a little bit, and I actually fell for the scammer's trick. Luckily I had the reflex not to log in to any funded wallet while the plugin was installed, so so far I wasn't robbed.

I'm still figuring out which steps I need to take in order to be safe... Of course I completely removed all files from my Chrome portable and installed a clean version, but I'm wondering what to do with the passwords saved by Chrome, my KeePass database, my desktop wallets (most of my funds are in my Ledger and Trezor HW wallets, but I still keep some spending money on a couple of desktop wallets)...
I have downloaded the plugin's source code, but at the moment I don't have the energy to truly vet it... On a quick browse, I actually found the array where the hacker defined his wallet addresses for the different (alt)coins he's trying to steal:
t = [];
t.BTC = "16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S", t.ETH = "0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca", t.ETC = "0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5", t.BCH = "1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3", t.LTC = "LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP";

https://bitcointalksearch.org/topic/potential-scam-cryptravecom-5076352
legendary
Activity: 1624
Merit: 2481
Thanks for trying to help, this info was given above in the first post:


Thanks for pointing it out. I somehow missed the URL.

I have filed a report regarding this browser extension.



It could only somehow access your wallet that was already logged in in the same browser.... :/

Not only somehow, but most probably simply through stealing cookies from the browser.

Stealing cookies is quite an easy approach to gain access to an account logged in from the browser.

You can regard cookies as an identifier. Anyone who has this explicit cookie (which is assigned to user X in the database of website Y) has access to the account.



[...] we wish the thief that karma would hit him back for what he did, those bad people who like to steal money from others should be punished. Karma will take care of it.

Well.. to be honest.. you basically asked for it. Installing shady add-ons with 1 rating AND using a web wallet is crying to get funds stolen.

While i do not support the behavior of stealing funds, this is one of the lowest-effort-steals i have come across on this forum.
The only one to blame, definitely is your 'admin'.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
You may consider using proper stand alone/installed wallet on your computer. It should be safer than websites - at least this problem would have been avoided.
Also if you plan to proceed with bigger funds, a hardware wallet (or cold storage) would be the next step.
sr. member
Activity: 1878
Merit: 389
This is the reason why 2FA can be useful in a way.
I would suggest reinstalling the OS and wiping out everything, just to make sure it's safe to use the computer again. Some hackers leave a bug that will connect to repositories and install a program in the background and then again collect data from you.

We have done all this, 2FA is now activated.
We lost 0.52 BTC (around $2,300) - it was intended to pay publishers, we wish the thief that karma would hit him back for what he did, those bad people who like to steal money from others should be punished. Karma will take care of it.

legendary
Activity: 3234
Merit: 1055
This is the reason why 2FA can be useful in a way.
I would suggest reinstalling the OS and wiping out everything, just to make sure it's safe to use the computer again. Some hackers leave a bug that will connect to repositories and install a program in the background and then again collect data from you.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
November 28, 2018, 08:44:46 PM
#9

Were you logged on blockchain.com wallet when you installed the add-on?

Yes.


Did you do all the security steps in blockchain.com wallet? Did you use 2fa, for example?


Did not use 2FA.

I believe the add-on didn't have any access to your passwords then. It could only somehow access your wallet that was already logged in in the same browser.... :/
hero member
Activity: 672
Merit: 508
November 28, 2018, 07:17:17 PM
#8
Someone posted a scam here (Crypton-Exchange.net). One of our admins was naive enough to try it, and the site told him to install an add-on in order to withdraw the funds. Naively he installed it, and now we realize someone withdrew $2,300 from our Blockchain.com account (money that we intended to use to pay publishers; sadly it is gone now).

The money was sent to 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
https://www.blockchain.com/btc/tx/0fe187e55c07772d47d1c588c80195f5977aa139d814feb39bdab968253c8f60

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

Few questions:

1) How did the Chrome add-on allow someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?
2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.
3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?



I mostly fall for them on their first try; gladly I am not so foolish as to install the said add-on.

1. Before you install the said add-on, it will ask for the user's permission to be able to read and edit the data on the most-used crypto websites and email providers
2. Not sure about this one, but a reformat is better
copper member
Activity: 80
Merit: 1
November 28, 2018, 06:39:01 PM
#7
Installing random Chrome plugins is like opening random .exe files, very dangerous. I just use Opera and the only add-on I use is uBlock Origin. I'd rather be safe than sorry.
sr. member
Activity: 1878
Merit: 389
November 28, 2018, 05:34:56 PM
#6
Might give us information about the addon, so that we can report it to google ?

Thanks for trying to help, this info was given above in the first post:

legendary
Activity: 1624
Merit: 2481
November 28, 2018, 05:17:32 PM
#5
1) How did the Chrome add-on allow someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?

If your 'admin' was logged into the account AND the addon has rights to 'view all sites and interact with them' (has to be accepted when installed), then the addon can do whatever it wants to.

Blockchain.com is a web wallet. Every other type of wallet is more secure than a web wallet.

However, this shouldn't happen. A malicious addon can indeed steal your funds this way.



2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.

He probably(!) doesn't need to format his laptop. Changing all passwords wouldn't hurt (at least those saved in chrome AND from sites visited while the addon was installed).



3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?

Malicious add-ons have been used for years to steal secret information (passwords).

Might give us information about the addon, so that we can report it to google ?
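The permission argument made in #5 ("view all sites and interact with them") and #8 (the install prompt asking to read and change data on crypto sites) as an added example, not code from the thread, from the extension in question, or from Google. It is a pre-install check over an extension's manifest.json that flags the capabilities those posts describe. Both manifests below are constructed for the demo; the first imitates the shape of a "withdrawal helper" plugin and is not the real CR Cash Plugin manifest.

```javascript
// Added example (not from the thread): audit an extension manifest for the
// permissions that let it act inside your logged-in sessions. Manifest V2
// lists host patterns in "permissions"; V3 moves them to "host_permissions".
// Both manifests at the bottom are constructed for this demo.
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// API permissions worth a second look, with what each actually grants.
const RISKY_API = {
  cookies:            ['high',   'reads session cookies (HttpOnly included) for its host permissions'],
  webRequest:         ['medium', 'observes every request, including auth headers and tokens'],
  webRequestBlocking: ['medium', 'rewrites or redirects requests before they leave the browser'],
  clipboardRead:      ['medium', 'reads the clipboard (copied addresses, seed words)'],
  clipboardWrite:     ['medium', 'can swap a copied destination address'],
  tabs:               ['medium', 'reads the URL and title of every open tab'],
  history:            ['medium', 'reads browsing history'],
  nativeMessaging:    ['high',   'talks to a native program outside the browser sandbox'],
  debugger:           ['high',   'attaches the devtools protocol to any tab'],
};

const isBroadHost = (pattern) => BROAD_HOSTS.includes(pattern);
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

// Returns findings as { severity, what, why }. Empty list means nothing flagged.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = [...(manifest.host_permissions || []), ...perms.filter(isHostPattern)];
  const broad = hosts.filter(isBroadHost);

  if (broad.length) findings.push({ severity: 'high', what: `host ${broad[0]}`,
    why: 'can read and modify every page you are logged into and send requests as you' });

  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHost))
      findings.push({ severity: 'high', what: `content_script ${(cs.js || []).join(',')}`,
        why: 'injected into every page: sees forms, passwords and 2FA codes as you type them' });
  }

  for (const p of perms) {
    if (RISKY_API[p]) findings.push({ severity: RISKY_API[p][0], what: `permission ${p}`, why: RISKY_API[p][1] });
  }

  // The combination that lifts a session without touching the page at all.
  if (perms.includes('cookies') && broad.length)
    findings.push({ severity: 'critical', what: 'cookies + broad host',
      why: 'chrome.cookies.getAll({}) returns every cookie in the profile the extension has host access to' });

  return findings;
}

// 0 = nothing flagged, 1 = medium, 2 = high, 3 = critical.
function verdict(findings) {
  const order = { medium: 1, high: 2, critical: 3 };
  return findings.reduce((m, f) => Math.max(m, order[f.severity]), 0);
}

// Constructed manifests (assumptions, not the real extension's files).
const SHADY = {
  manifest_version: 2, name: 'cash plugin (constructed)',
  permissions: ['cookies', 'tabs', 'webRequest', 'clipboardWrite', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
  background: { scripts: ['bg.js'] },
};
const NARROW = {
  manifest_version: 3, name: 'example notes (constructed)',
  permissions: ['storage'], host_permissions: ['https://example.com/*'],
};

for (const m of [SHADY, NARROW]) {
  const f = auditManifest(m);
  console.log(m.name, '-> level', verdict(f));
  for (const x of f) console.log(`  [${x.severity}] ${x.what}: ${x.why}`);
}
```

Broad host access is also what an ad blocker legitimately needs, so the output is a signal to weigh against what the extension claims to do, not proof of malice; the same capabilities are what Chrome's install prompt is summarising when it says the extension can "read and change all your data on the websites you visit". Extensions already installed can be inspected at chrome://extensions with developer mode on, which exposes each one's manifest and source.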