
Topic: [WARNING] Attack on freebitco.in account (Read 1051 times)

hero member
Activity: 2044
Merit: 784
Leading Crypto Sports Betting & Casino Platform
August 31, 2024, 10:17:15 AM
#44
Nothing is being done to fix the issues on the platform. WoF daily spins haven't been paid for more than a month. Their new support account hardly ever replies on the official thread in the gambling section of this forum, and when he does, it's just to give false hopes and expectations to users, as everything he says never happens for real.

What freebitco.in is doing to their long-term users, who have already been part of this platform for several years, is total disrespect and lack of consideration. Personally, I've been there for almost 9 years, accessing the platform on a daily basis, promoting their services and adopting the features they offer.

If the site owners don't want to continue operating the website for some reason, they should just come out publicly, explain the situation to the user base and shut down the website, like other casinos have already done in the past, stipulating a timeframe for the members to cash out their funds safely.

The way freebitco.in is dying is shameful and disgusting. Even to die you must have honor, otherwise there is no legacy and all the living years will have meant nothing.
legendary
Activity: 2226
Merit: 1981
A Bitcoiner chooses. A slave obeys.
August 26, 2024, 05:47:46 PM
#43
I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leaderboard. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team is aware of this and didn't take any action, that's bad. If they aren't, that's even worse!

Hard to say, maybe in your case, at some point attackers managed to overwrite the deposit address and make it fixed somewhere in the website's HTML code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.

Perhaps there is a chance that they themselves are the ones behind this. Some kind of exit scam strategy, maybe? Or maybe they really did get hacked by an unknown third party and are too incompetent to react quickly and effectively.

Bad news for the victims either way.

I would stay away from freebitco.in for the time being until this ordeal gets sorted.
newbie
Activity: 16
Merit: 0
August 26, 2024, 05:37:04 PM
#42
Except that I sent 2000€ to an address that has been changed, my account has been drained as well.

That's another 19300€ worth of bitcoin.

The reason I started a topic Bitcoin is hacked and they are well aware of it.
You can not tell me that after so many people mailed them or contacted them in other ways they are not informed.
Second, it's impossible to change the source code of a website; to change the intro page you must have access to the server, and since the server is protected by Cloudflare it is not that easy. Therefore there is no such thing as an injection of a wrong script; it's already loaded as soon as you go to the site.

Blocking the JavaScript results in not being able to log in nor to get the account address back.

I have an ugly feeling that we all got scammed by a website and address held on the Virgin Islands, and that those 2 boy scouts have nicely vanished with our money.




jr. member
Activity: 143
Merit: 1
ID 51895659, so you are the one who bumps me from first place all the time!

Anyway, it seems FBC is waking up: first, Thequin has recently logged in, the script is off the page and the number 10 lambo winner has been announced, even the outcome was already as expected.

Anyhow, since the script was loaded from his website, FBC is responsible, even you have enjoyed our 12,5 BTC for your riant holiday.

So let me know when you are going to send me the 2000€ and 19300€ back.

I don't think so, I only appeared sporadically in the top 10. I never got to 1st position.
newbie
Activity: 16
Merit: 0
ID 51895659, so you are the one who bumps me from first place all the time!

Anyway, it seems FBC is waking up: first, Thequin has recently logged in, the script is off the page and the number 10 lambo winner has been announced, even the outcome was already as expected.

Anyhow, since the script was loaded from his website, FBC is responsible, even you have enjoyed our 12,5 BTC for your riant holiday.

So let me know when you are going to send me the 2000€ and 19300€ back.
jr. member
Activity: 143
Merit: 1
I keep sending emails to support, to TheQuin, and waiting for someone responsible for Freebitco.in to answer me something, TheQuin, Support, or whoever.

I won't stop until my stolen money is returned.

My Freebitco.in ID: 51895659
newbie
Activity: 22
Merit: 1
So it looks like the second wave of attacks has been completed.
The attacker's GitHub profile has been deleted and the malicious script removed from the CDN site.
I believe that again it was done by the attackers to cover their tracks.
No evidence, so nothing to prove.

It's only a matter of time before they strike again and the whole history comes full circle.
As long as the vulnerability is not patched the attacker can exploit it whenever he wants.
Of course, he should not exaggerate, so as not to draw too much attention.
A small group of high rollers will be attacked again, they will report an issue, but no one will believe it. They will be accused of spreading FUD/trolling etc., because other accounts will be working as usual.
Even after so many reports there are still users who are deeply convinced that the issue is on the client's side, that our machines got compromised/got malware... etc.
It just shows how effective this method is.
jr. member
Activity: 143
Merit: 1
I see that the script is gone, and now my actual deposit address appears.

Unfortunately, the withdrawal of my entire balance had already been made and it went to an unknown address.
Thinking it was safer, I had previously activated 2FA, so I did not receive the confirmation email; the withdrawal was made directly.
I lost a lot of money.

I sent a PM to TheQuin, to try to get him to respond to me with something, if he can take action on this, to maintain the reputation of the site.
jr. member
Activity: 54
Merit: 1
Update 11.50 am CET.

Thanks again @Zibi321 for starting the post and for sharing with us your technical knowledge in this topic.

Good and bad news.

I finally see my correct deposit address again and there is no evidence of the scripts.

SELECT A TAG TO VIEW ITS STATS

We are making noise and it seems that the hackers are reading us because the scripts are out, but I don't know if Freebitco.in has done something to resolve the issue or the hackers have removed the scripts to calm us down and can attack whenever they want again.

No one from freebitco.in has contacted me or responded to any of the emails sent.

My trust in Freebitcoin = 0%
jr. member
Activity: 130
Merit: 3

Of course I could be wrong, but from my point of view attackers are able to put a link into a particular place on the fbc website.
And it's exactly:
FBC -> "REFER" tab -> "ADVANCED TRACKING USING TAGS" button -> "SELECT A TAG TO VIEW ITS STATS" and the link is hidden in the drop-down list.
It was not visible from the GUI, but it was somehow placed into the HTML code.

The link leads to a malicious script which is executed during website loading.
And because of it website content can be modified.

Unaffected accounts don't have any links placed/injected into their session in that location.

I clicked the advanced tracking using tags button just days prior to the wagering contest results.

jr. member
Activity: 143
Merit: 1
Zibi321,

I see the same shit on my side:
newbie
Activity: 22
Merit: 1
Except that I sent 2000€ to an address that has been changed, my account has been drained as well.

That's another 19300€ worth of bitcoin.

The reason I started a topic Bitcoin is hacked and they are well aware of it.
You can not tell me that after so many people mailed them or contacted them in other ways they are not informed.
Second, it's impossible to change the source code of a website; to change the intro page you must have access to the server, and since the server is protected by Cloudflare it is not that easy. Therefore there is no such thing as an injection of a wrong script; it's already loaded as soon as you go to the site.

Blocking the JavaScript results in not being able to log in nor to get the account address back.

I have an ugly feeling that we all got scammed by a website and address held on the Virgin Islands, and that those 2 boy scouts have nicely vanished with our money.

Of course I could be wrong, but from my point of view attackers are able to put a link into a particular place on the fbc website.
And it's exactly:
FBC -> "REFER" tab -> "ADVANCED TRACKING USING TAGS" button -> "SELECT A TAG TO VIEW ITS STATS" and the link is hidden in the drop-down list.
It was not visible from the GUI, but it was somehow placed into the HTML code.

The link leads to a malicious script which is executed during website loading.
And because of it website content can be modified.

Unaffected accounts don't have any links placed/injected into their session in that location.
Affected user, i.e. @Drazen2003:
SELECT A TAG TO VIEW ITS STATS

Not affected user:
SELECT A TAG TO VIEW ITS STATS
newbie
Activity: 16
Merit: 0
Except that I sent 2000€ to an address that has been changed, my account has been drained as well.

That's another 19300€ worth of bitcoin.

The reason I started a topic Bitcoin is hacked and they are well aware of it.
You can not tell me that after so many people mailed them or contacted them in other ways they are not informed.
Second, it's impossible to change the source code of a website; to change the intro page you must have access to the server, and since the server is protected by Cloudflare it is not that easy. Therefore there is no such thing as an injection of a wrong script; it's already loaded as soon as you go to the site.

Blocking the JavaScript results in not being able to log in nor to get the account address back.

I have an ugly feeling that we all got scammed by a website and address held on the Virgin Islands, and that those 2 boy scouts have nicely vanished with our money.



newbie
Activity: 22
Merit: 1
Yes, but in my case it was different.
Please read point 1 from my first post in this topic.
My deposit address also changed, but after about 2 weeks it went back to normal.

I believe that this whole attack campaign started in the second half of March.
At that time I was reading the first posts about changes in deposit addresses.
My account was attacked in the first wave, but now when I read about new victims (second wave?) it looks like the attackers have much improved themselves.
Hijacking sessions, making unauthorized withdrawals and bypassing 2FA - it looks very serious.

Edit:
According to information shared by user @Drazen2003,
there is a completely new link injected into his session.
The new link leads to a new malicious script:
https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js

I did some investigation and it looks like the second wave of attacks started about 23rd April.
That day the attacker created his account on GitHub and placed the new malicious script there.
After that he published it on the CDN site.
Attacker profiles:
https://github.com/feleryunfbc
https://www.jsdelivr.com/package/gh/feleryunfbc/js?tab=files
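
A check in the spirit of what posters in this thread did by hand (looking in the page's HTML for a script link hidden in the tag drop-down), as an added example that is not part of any post. It parses a saved copy of a page and flags `<script>` elements that sit inside a `<select>` or load from a host outside an allowlist; the host names and the sample markup are constructed placeholders, not the site's real HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAudit(HTMLParser):
    """Flag <script> elements nested in a <select> or loaded from unlisted hosts."""

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host = page_host
        self.allowed = {page_host, *allowed_hosts}
        self.select_depth = 0
        self.findings = []  # (reason, src or "<inline>", line number)

    def handle_starttag(self, tag, attrs):
        if tag == "select":
            self.select_depth += 1
        elif tag == "script":
            src = dict(attrs).get("src")
            line = self.getpos()[0]
            # A relative src has no host part and resolves to the page's own host.
            host = (urlparse(src).hostname or self.page_host) if src else self.page_host
            if self.select_depth:
                # Scripts have no legitimate place inside a drop-down list.
                self.findings.append(("script-inside-select", src or "<inline>", line))
            if host not in self.allowed:
                self.findings.append(("host-not-allowlisted", src, line))

    def handle_endtag(self, tag):
        if tag == "select" and self.select_depth:
            self.select_depth -= 1


def audit(html, page_host, allowed_hosts=()):
    """Return the findings for one saved page."""
    parser = ScriptAudit(page_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a page whose tag drop-down carries an injected script link.
PLACEHOLDER_SRC = "https://cdn.example.net/gh/placeholder-user/js/jquery.min.js"
SAMPLE_AFFECTED = f"""<html><head>
<script src="/static/js/site.js"></script>
</head><body>
<p>SELECT A TAG TO VIEW ITS STATS</p>
<select id="tag_select">
<option value="a">tag-a</option>
<script src="{PLACEHOLDER_SRC}"></script>
</select>
</body></html>"""
SAMPLE_CLEAN = SAMPLE_AFFECTED.replace(f'<script src="{PLACEHOLDER_SRC}"></script>\n', "")

if __name__ == "__main__":
    for finding in audit(SAMPLE_AFFECTED, "site.example"):
        print(finding)
```

The benign-looking file name does not matter to the check: the script is flagged by where it sits and where it loads from.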
 
jr. member
Activity: 54
Merit: 1
No, nothing.
Yesterday the link was still there.
When claiming free rolls/WoFs I was always checking if it's still there.
I guess things are slowly getting sorted.
Pity, that there is absolutely no communication from fbc to community.

Thanks a lot @Zibi321. I hope so because, of course, I cannot use the page because I have the script and the deposit address is not mine (I tried to change it but the main one is still the fake one where my funds were sent).

In your case, if you'll allow me the question, was your deposit address changed too? Now, without the script... is it the old one for you?
newbie
Activity: 22
Merit: 1
No, nothing.
Yesterday the link was still there.
When claiming free rolls/WoFs I was always checking if it's still there.
I guess things are slowly getting sorted.
Pity, that there is absolutely no communication from fbc to community.
jr. member
Activity: 54
Merit: 1
Link to malicious script disappeared today from my user session.
It is no longer visible in website's html code.

Today:


Before:


Congrats!!

Mine is still alive and the deposit address is still false after at least 48 hours. Tested on 2 different PCs, 3 different browsers and 1 mobile phone.

Have you done anything to recover normality?
newbie
Activity: 22
Merit: 1
Link to malicious script disappeared today from my user session.
It is no longer visible in website's html code.

Today:
https://www.talkimg.com/images/2024/05/04/rjZrI.png

Before:
https://www.talkimg.com/images/2024/04/09/j2Gi8.png
jr. member
Activity: 54
Merit: 1
I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leaderboard. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team is aware of this and didn't take any action, that's bad. If they aren't, that's even worse!

Hard to say, maybe in your case, at some point attackers managed to overwrite the deposit address and make it fixed somewhere in the website's HTML code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.

Sure, but by "valid ID" they just need any ID of an active user with some balance.
On the fbc platform a user ID is just an ordinal number defining when the user registered himself.
So it can be any number from 1 to number_of_all_users (i.e. the famous site creator, wetsuit, has ID=4, according to his referral link).
I think attackers can hijack any user session, but by doing it they would attract too much attention.
Lots of accounts are deleted, abandoned, inactive or with too low a balance to do anything.
So for these obvious reasons there is no point in attacking them all.
Attackers chose only a small group of active accounts and that works.

I created an account here to share info about it and warn you.
From the very beginning, because of my newbie rank I was accused of being a troll, spreading FUD etc. - that was never my intention.
I'm aware that the vast majority of fbc accounts are clean and not affected - sure, but for how long...
Just be careful guys.

First of all, thanks @Zibi321 for opening the case.

It's a pity that freebitcoin does not respond because I still have my account hacked, with the script visible and active (after more than 24 hours) that, even if I block it with noads, shows me an incorrect deposit account in the deposit window. I would leave full control to Freebitco.in if I can help but I don't even have a response to the problem in my email.

I would like to take this opportunity to ask if anyone knows how to completely deactivate the cashtravel script (or whatever) and have my real deposit account again because I would like to withdraw everything I have in rewards... but for me, not for "others".
newbie
Activity: 22
Merit: 1
I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leaderboard. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team is aware of this and didn't take any action, that's bad. If they aren't, that's even worse!

Hard to say, maybe in your case, at some point attackers managed to overwrite the deposit address and make it fixed somewhere in the website's HTML code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.

Sure, but by "valid ID" they just need any ID of an active user with some balance.
On the fbc platform a user ID is just an ordinal number defining when the user registered himself.
So it can be any number from 1 to number_of_all_users (i.e. the famous site creator, wetsuit, has ID=4, according to his referral link).
I think attackers can hijack any user session, but by doing it they would attract too much attention.
Lots of accounts are deleted, abandoned, inactive or with too low a balance to do anything.
So for these obvious reasons there is no point in attacking them all.
Attackers chose only a small group of active accounts and that works.

I created an account here to share info about it and warn you.
From the very beginning, because of my newbie rank I was accused of being a troll, spreading FUD etc. - that was never my intention.
I'm aware that the vast majority of fbc accounts are clean and not affected - sure, but for how long...
Just be careful guys.