
Topic: [WARNING] Attack on freebitco.in account (Read 752 times)

newbie
Activity: 130
Merit: 0
May 07, 2024, 12:27:28 PM
#41
ID 51895659 so you are the one bumping me from the first place all the time!

Anyway it seems FBC is waking up: first Thequin has recently logged in, the script is off the page and the number 10 lambo winner has been announced, even though the outcome was already as expected.

Anyhow, since the script was loaded from his website FBC is responsible, even you have enjoyed our 12,5 BTC for your riant holiday.

So let me know when you are going to send me the 2000€ and 19300€ back.

I don't think so, I only appeared sporadically in the top 10. I never got to 1st. position.
brand new
Activity: 0
Merit: 0
ID 51895659 so you are the one bumping me from the first place all the time!

Anyway it seems FBC is waking up: first Thequin has recently logged in, the script is off the page and the number 10 lambo winner has been announced, even though the outcome was already as expected.

Anyhow, since the script was loaded from his website FBC is responsible, even you have enjoyed our 12,5 BTC for your riant holiday.

So let me know when you are going to send me the 2000€ and 19300€ back.
newbie
Activity: 130
Merit: 0
I keep sending emails to support, to TheQuin, and waiting for someone responsible for Freebitco.in to answer me something, TheQuin, Support, or whoever.

I won't stop until my stolen money is returned.

My Freebitco.in ID: 51895659
newbie
Activity: 22
Merit: 1
So it looks like the second wave of attacks has been completed.
The attacker's GitHub profile has been deleted and the malicious script removed from the CDN site.
I believe that again it was done by the attackers to cover their tracks.
No evidence, so nothing to prove.

It's only a matter of time before they strike again and the whole history comes full circle.
As long as the vulnerability is not patched the attacker can exploit it whenever he wants.
Of course, he should not exaggerate so as not to draw too much attention.
A small group of high rollers will be attacked again, they will report an issue, but no one will believe it. They will be accused of spreading FUD/trolling etc., because other accounts will be working as usual.
Even after so many reports there are still users who are deeply convinced that the issue is on the client's side, that our machines got compromised/got malware, etc.
It just shows how effective this method is.
newbie
Activity: 130
Merit: 0
I see that script is gone, and now my actual deposit address appears.

Unfortunately, the withdrawal of my entire balance had already been made and it went to an unknown address.
Thinking it was safer, I had previously activated 2FA, so I did not receive the confirmation email, the withdrawal was made direct.
I lost a lot of money.

I sent a PM to TheQuin, to try to get him to respond to me something, if he can take action on this, to maintain the reputation of the site.
brand new
Activity: 0
Merit: 0
Update 11.50 am CET.

Thanks again @Zibi321 for starting the post and for sharing with us your technical knowledge in this topic.

Good and bad news.

I finally see my correct deposit address again and there is no evidence of the scripts.

   
SELECT A TAG TO VIEW ITS STATS

   

       


We are making noise and it seems that the hackers are reading us because the scripts are out, but I don't know if Freebitco.in has done something to resolve the issue or the hackers have removed the scripts to calm us down and can attack again whenever they want.

No one from freebitco.in has contacted me or responded to any of the emails sent.

My trust in Freebitcoin = 0%
jr. member
Activity: 89
Merit: 2

Of course I could be wrong, but from my point of view attackers are able to put link into particular place on fbc website.
And it's exactly:
FBC -> "REFER" tab -> "ADVANCED TRACKING USING TAGS" button -> "SELECT A TAG TO VIEW ITS STATS" and link is hidden in drop down list.
It was not visible from GUI, but it was somehow placed into html code.

Link leads to malicious script which is executed during website loading.
And because of it website content can be modified.

Not affected accounts don't have any links placed/injected into their session in that location.

I clicked the advanced tracking using tags button just days prior to the wagering contest results.

newbie
Activity: 130
Merit: 0
Zibi321,

I see the same shit on my side:
https://imgur.com/a/9buptq0
newbie
Activity: 22
Merit: 1
Except that I sent 2000€ to an address that has been changed, my account has been drained as well.

That's another 19300€ worth of bitcoin.

The reason I started a topic: Bitcoin is hacked and they are well aware of it.
You cannot tell me that after so many people mailed them or contacted them in other ways they are not informed.
Second, it's impossible to change the source code of a website; to change the intro page you must have access to the server, and since the server is protected by Cloudflare it is not that easy. Therefore there is no such thing as an injection of a wrong script; it's already loaded as soon as you go to the site.

Blocking the JavaScript results in not being able to log in nor to get the account address back.

I have an ugly feeling that we all got scammed by a website and address held on the Virgin Islands, and that those 2 boy scouts have nicely vanished with our money.

Of course I could be wrong, but from my point of view attackers are able to put link into particular place on fbc website.
And it's exactly:
FBC -> "REFER" tab -> "ADVANCED TRACKING USING TAGS" button -> "SELECT A TAG TO VIEW ITS STATS" and link is hidden in drop down list.
It was not visible from GUI, but it was somehow placed into html code.

Link leads to malicious script which is executed during website loading.
And because of it website content can be modified.

Not affected accounts don't have any links placed/injected into their session in that location.
Affected user i.e @Drazen2003:
    
SELECT A TAG TO VIEW ITS STATS

    

        
 
Not affected user:
    
SELECT A TAG TO VIEW ITS STATS
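
An added example (not part of the original thread, and not the site's code): the script URL reported in this thread is served from cdn.jsdelivr.net under the name jquery.min.js, so a check that only looks at script hosts would not flag it. The sketch below audits the `<script src>` URLs of a saved page against URL-prefix allowlist entries; the sample HTML and both allowlists are constructed assumptions.

```javascript
'use strict';

// Constructed sample of a saved page. The markup is illustrative, not the real
// site's HTML; the /gh/ URL is the script URL reported in this thread.
const SAMPLE_HTML = `
<select id="tag_stats">
  <option value="">SELECT A TAG TO VIEW ITS STATS</option>
</select>
<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"></script>
<script type="text/javascript" SRC='https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js'></script>
<script src="/static/site.js"></script>
<script>var inline = 1;</script>
`;

// Return the absolute URL of every external <script> in the HTML.
// Regex extraction is enough for auditing a saved file; it is not a full HTML parser.
function scriptSources(html, pageUrl) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  const urls = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(tag[1]);
    if (!src) continue; // inline script, nothing to fetch
    const raw = src[1] ?? src[2] ?? src[3];
    try {
      urls.push(new URL(raw, pageUrl).href); // resolves relative paths and ../
    } catch {
      urls.push(raw); // unparsable: keep it so the audit flags it
    }
  }
  return urls;
}

function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

// Weak check: trusts everything a shared CDN host serves.
function flaggedByHost(urls, allowedHosts) {
  return urls.filter((u) => !allowedHosts.includes(hostOf(u)));
}

// Stricter check: each allowed entry pins a full URL prefix (host + path).
function flaggedByPrefix(urls, allowedPrefixes) {
  return urls.filter((u) => !allowedPrefixes.some((p) => u.startsWith(p)));
}

// Hypothetical allowlists for the constructed sample.
const ALLOWED_HOSTS = ['freebitco.in', 'cdn.jsdelivr.net'];
const ALLOWED_PREFIXES = [
  'https://freebitco.in/static/',
  'https://cdn.jsdelivr.net/npm/jquery@3.7.1/',
];

const found = scriptSources(SAMPLE_HTML, 'https://freebitco.in/');
console.log('host allowlist flags:  ', flaggedByHost(found, ALLOWED_HOSTS));
console.log('prefix allowlist flags:', flaggedByPrefix(found, ALLOWED_PREFIXES));
```

The same reasoning applies to a Content-Security-Policy `script-src`: listing the bare CDN host allows every repository that host serves, while a path-scoped source does not.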

    

        
brand new
Activity: 0
Merit: 0
Except that I sent 2000€ to an address that has been changed, my account has been drained as well.

That's another 19300€ worth of bitcoin.

The reason I started a topic: Bitcoin is hacked and they are well aware of it.
You cannot tell me that after so many people mailed them or contacted them in other ways they are not informed.
Second, it's impossible to change the source code of a website; to change the intro page you must have access to the server, and since the server is protected by Cloudflare it is not that easy. Therefore there is no such thing as an injection of a wrong script; it's already loaded as soon as you go to the site.

Blocking the JavaScript results in not being able to log in nor to get the account address back.

I have an ugly feeling that we all got scammed by a website and address held on the Virgin Islands, and that those 2 boy scouts have nicely vanished with our money.



newbie
Activity: 22
Merit: 1
Yes, but in my case it was different.
Please read point 1 from my first post in this topic.
My deposit address also changed, but after about 2 weeks it went back to normal.

I believe that this whole attack campaign started in the second half of March.
At that time I was reading the first posts about changes in deposit addresses.
My account was attacked in the first wave, but now when I read about new victims (second wave?) it looks like the attackers have much improved themselves.
Hijacking sessions, making unauthorized withdrawals and bypassing 2FA - it looks very serious.

Edit:
According to information shared by user @Drazen2003,
there is a completely new link injected into his session.
The new link leads to a new malicious script:
https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js

I did some investigation and it looks like the second wave of attacks started about 23rd April.
That day the attacker created his account on GitHub and placed the new malicious script there.
After that he published it on the CDN site.
Attacker profiles:
https://github.com/feleryunfbc
https://www.jsdelivr.com/package/gh/feleryunfbc/js?tab=files
 
brand new
Activity: 0
Merit: 0
No, nothing.
Yesterday the link was still there.
When claiming free rolls/WoFs I was always checking if it's still there.
I guess things are slowly getting sorted.
Pity, that there is absolutely no communication from fbc to community.

Thanks a lot @Zibi321. I hope so because, of course, I cannot use the page because I have the script and the deposit address is not mine (I tried to change it but the main one is still the fake one where my funds were sent).

In your case, if you'll allow me the question, was your deposit address changed too? Now, without the script... is it the old one for you?
newbie
Activity: 22
Merit: 1
No, nothing.
Yesterday the link was still there.
When claiming free rolls/WoFs I was always checking if it's still there.
I guess things are slowly getting sorted.
Pity, that there is absolutely no communication from fbc to community.
brand new
Activity: 0
Merit: 0
Link to malicious script disappeared today from my user session.
It is no longer visible in website's html code.

Today:
https://www.talkimg.com/images/2024/05/04/rjZrI.png

Before:
https://www.talkimg.com/images/2024/04/09/j2Gi8.png

Congrats!!

Mine is still alive and the deposit address is still false after at least 48 hours. Tested on 2 different PCs, 3 different navigators and 1 mobile phone.

Have you done anything to recover normality?
newbie
Activity: 22
Merit: 1
Link to malicious script disappeared today from my user session.
It is no longer visible in website's html code.

Today:
https://www.talkimg.com/images/2024/05/04/rjZrI.png

Before:
https://www.talkimg.com/images/2024/04/09/j2Gi8.png
brand new
Activity: 0
Merit: 0
I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leaderboard. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team are aware of this and didn't take any action, that's bad. If they aren't, that's even worse!

Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.

Sure, but by "valid ID" they just need any ID of active user with some balance.
On fbc platform user ID is just an ordinal number defining when user registered himself.
So it can be any number from 1 to number_of_all_users (i.e the famous site creator - wetsuit has ID=4 - according to his referral link)
I think attackers can hijack any user session, but by doing it they would attract too much attention.
Lots of accounts are deleted, abandoned, inactive or with too low balance to do anything.
So for these obvious reasons there is no point to attack them all.
Attackers chose only small group of active accounts and that works.

I created account here to share info about it and warn you.
From the very beginning, because of newbie rank I was accused of being troll, spreading fud etc. - that was never my intention.
I'm aware that vast majority of fbc accounts are clean and not affected - sure, but for how long...
Just be careful guys.

First of all, thanks @Zibi321 for opening the case.

It's a pity that freebitcoin does not respond because I still have my account hacked, with the script visible and active (after more than 24 hours) that, although if I block it with noads, shows me an incorrect deposit account in the deposit window. I would leave full control to Freebitco.in if I can help but I don't even have a response to the problem in my email.

I would like to take this opportunity to ask if anyone knows how to completely deactivate the cashtravel script (or whatever) and have my real deposit account again because I would like to withdraw everything I have in rewards... but for me, not for "others".
newbie
Activity: 22
Merit: 1
I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leaderboard. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team are aware of this and didn't take any action, that's bad. If they aren't, that's even worse!

Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.

Sure, but by "valid ID" they just need any ID of active user with some balance.
On fbc platform user ID is just an ordinal number defining when user registered himself.
So it can be any number from 1 to number_of_all_users (i.e the famous site creator - wetsuit has ID=4 - according to his referral link)
I think attackers can hijack any user session, but by doing it they would attract too much attention.
Lots of accounts are deleted, abandoned, inactive or with too low balance to do anything.
So for these obvious reasons there is no point to attack them all.
Attackers chose only small group of active accounts and that works.

I created account here to share info about it and warn you.
From the very beginning, because of newbie rank I was accused of being troll, spreading fud etc. - that was never my intention.
I'm aware that vast majority of fbc accounts are clean and not affected - sure, but for how long...
Just be careful guys.
brand new
Activity: 0
Merit: 0
Code:
What happened: over the month of April, I had made large deposits of $2,000 at least three times and made my way into the monthly wagering contest. As one of the top 10, I ended up winning the contest at number 7 for a total of $500. Upon winning I received an email confirming my victory
https://i.imgur.com/rW1fvb7.png
However, less than a couple minutes later I noticed that my balance was drained and set to zero and I had gotten an email stating that I had made a withdrawal request which I did not make. I didn't even have time to.
https://i.imgur.com/mvHbjQf.png
I did not confirm the withdrawal as in I did not click the link. Therefore, it should be sent back to my balance within an hour.
I immediately started to change my 2fa and my passwords to keep my account secure.
https://i.imgur.com/svUWSzf.png
https://i.imgur.com/fjLAS4W.png

In the meantime, my unauthorized request was canceled because the hour had lapsed, and the money was put back into my account.
https://i.imgur.com/olzcwZM.png

I also had changed my deposit address into my crypto.com wallet and made that into my default address.
Scammed by freebitco.in https://imgur.com/gallery/3HUWdyy

I tried to cash it out; however, it got sent to a totally different address, supposedly my Bitcoin wallet on freebitco.in, and it happened to be my old address. So I changed my default address, yet it sent it to my old address, and I don't know how it did that.
Here are two screenshots; I don't even know how this is possible.
https://i.imgur.com/UNGWjUh.png
https://i.imgur.com/1kUxsDW.png

Now, since I enabled my 2FA, it made it so I no longer needed to do an email confirmation before the deposit was sent, so I never got a verification email.

However, I got a verification that the Bitcoin had been sent to this supposed old address which I never sent to. Furthermore, the balance never showed up.
https://i.imgur.com/pFhAN9p.png

Here is a screenshot of it being confirmed on the freebitco.in website saying that I got a deposit from myself, however it never showed up in my balance.
https://i.imgur.com/GHhcd9l.png


At that moment I was screwed. Here's a summary of what I think is going on.

Keep in mind that the owner of the website, the Quinn, fails to ever respond to problems his users face on his website. Here's the summary.


The 2FA thing is part of the scam.

They make a withdrawal request which triggers the email.

As a result of an unrequested withdrawal the customer gets spooked and immediately changes their security settings in the belief that this will help secure their account.

However, this is a Trojan horse that allows the withdrawal confirmation request to be disabled.

Thus, the original attacker is able to capitalize on the ignorance of the individual who is thinking they're securing their account by enabling their 2FA security measures.

Using fear to trap the individual into unknowingly letting their defense down and being looted by either hackers or someone on the inside or backend of the freebitco.in site.

It's genius really but completely f***** up

Either way, security or no security measures, anyone can be targeted, rendering this website extremely dangerous for anyone who has a balance.

This happened to me the other day right after I had won the wagering contest 7th place $500.

We can speculate all we want as to whether or not the website's secure.

But the fact of the matter is there's a few of us that would like to get the hard-earned money that we won.

So we can keep talking about what's wrong with the website or we can discuss how we're going to make reparations to these individuals.

However, if it's an inside job, there's little chance for recovering the funds other than reporting to the FTC and financial crimes units.

Mr. Quinn in my opinion is either part of the problem by allowing this to happen or he's directly involved. Either way, he's guilty by association because he knows his website's faulty and he fails to do anything about it.

And I also have another issue which I doubt will ever get solved. But I ordered a hardware wallet with my hard-earned reward points. I never got that wallet and I never got refunded my reward points but that's an issue for some other time I guess. Or that ship has already sailed, which sucks.



Scammers Profile Link: https://bitcointalksearch.org/user/thequin-143168  

https://freebitco.in/#




Reference Link: c2e76e8865c2757c040f0f58b12866eaa6d2426aea40b4dcedfb527e36e9f0bb ...



Amount Scammed:
0.00823099 BTC ($500)  



Payment Method:
BTC on https://blockchain.com



Proof of Payment: https://www.blockchain.com/explorer/transactions/btc/c2e76e8865c2757c040f0f58b12866eaa6d2426aea40b4dcedfb527e36e9f0bb...



USER ID 53314860



Same issue. I have been stolen from. When I withdrew a part of my savings by entering the correct address, the entire amount was sent to the deposit account (which is not mine).


After some emails and Facebook messages, Freebitco.in does not answer. Shameless!

On the other side, I have blocked the script but the deposit address is still not mine and I cannot return to my real one.



Thanks in advance.
What do you mean by "sent to the deposit account (which is not mine)"?
A deposit address can't and will never be an address you own because it is (or it must be at least) an address belonging to the platform. When you deposit funds, the platform takes your funds and credits your account balance.
So you mean your funds have been sent to the same address as the one displayed for your deposits?
You say "the deposit address is still not mine and I cannot return to my real one" but how do you know it's not a legit deposit address? If you've used the "New deposit address" feature, you won't be able to see the QR code of the former one anymore but you will still see the address in the "old deposit addresses" history.


I was skeptical too when I saw this issue, but judging by the number of customers of this casino experiencing the same issue, including high-ranked ones, it makes me think that something might be wrong at the casino.

What is worrying here is why these affected users don't check the withdrawal confirmation sent via email to verify whether they are sending to the correct address or not. I read some user complaints that the withdrawal confirmation showed a different address, which means this issue would be avoided if they only checked the email verification.

Wrong, because in my case I got no validation email. After I enabled 2FA I didn't get a validation email. When 2FA was NOT enabled, however, I did get a verification email, so it's not an issue of whether or not we're checking our emails, because we were. We just never got them.
legendary
Activity: 2520
Merit: 2853
Top Crypto Casino
I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leaderboard. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team are aware of this and didn't take any action, that's bad. If they aren't, that's even worse!

Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.
newbie
Activity: 22
Merit: 1
Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
They had customized scripts, so every case can be different.
And since fbc is not quick to act, attackers had time to adapt and improve their scripts or even improve the whole attack scenario.

I sent email about 2 weeks ago, but still waiting for response.