bitbully (Newbie, Activity: 47, Merit: 0)

How I got robbed of 34 btc on Mt.Gox today
April 11, 2013, 10:44:19 AM
Last edit: April 22, 2013, 01:40:59 AM by bitbully



So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info (do not open unless you know what you are doing) claiming a video announcement that mtgox was going to start trading litecoins.

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.



http://imageshack.us/a/img24/381/mtgoxchat.jpg



A while later, at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.



------------------------------------------------------------

Dear bitbull,



There has been a withdrawal from your Mt.Gox account:



Transaction reference: 97235bfd-9909-4020-9f06-e9d318c1ef7f



Date: 2013-04-11 02:06:22 GMT



IP: 198.203.29.120



You can access your account history for more details.



Please contact us as soon as possible by replying to this email if you did not request this withdrawal.



Thanks,



The Mt.Gox Team

------------------------------------------------------------



I immediately responded to them, but what I discovered was that the withdrawal had been instantly processed and already confirmed in the blockchain:



https://blockchain.info/tx/bb30f2f110ba5b7bb60812bc3d7744f5086f6b4a38439566f1888a8d26e1fbec



http://imageshack.us/a/img805/9832/mtgoxwithdraw.png



which left less than a third of a bitcoin in my account. I then realized that this withdrawal happened at the EXACT time I accessed the mtgox-chat website, based on my browser history. I then realized that I only received my notification email from them well after the fact, apparently because their servers are overloaded and not functioning correctly.



Being a techie, I started researching. I found out that this site is hosted here in the USA. I also found out that the withdrawal was submitted from an IP in Los Angeles even though I have been accessing mtgox from Pennsylvania / New York. I then discovered that the site is a Teleport Pro rip of bitcoincharts.com branded with a mtgox logo, and was registered on namecheap (with bitcoins, as it may be) not even 5 days ago! This is the IP resolution of the domain name.



http://imageshack.us/a/img835/1841/serverip.jpg



I then discovered that the site is loaded with a java script which, based on an initial analysis by my java programmer friend, is a 0 day java exploit with a cross site injection attack, which automatically started. It also contains an additional keylogger payload, all customized specifically for mtgox. They even "offer" an easy to use file download link for those whose browsers are not running java. This script INSTANTANEOUSLY initiated a mtgox withdrawal of nearly all my btc (34btc) in the background (I was logged into mtgox in that browser; it seemed to be using some form of proxy to access my browser cookie cache) and then changed the account password so I couldn't login anymore. This was proven to be 100% automatic as the withdrawal occurred the same exact minute I accessed that website for the first time.



It then continued to gather all my computer passwords and logged everything I was doing, including my blockchain account (as I eventually located the log files), and then sent it to the hackers / script kiddies. Luckily I have dual password protection on my blockchain wallet, otherwise all my other bitcoins would be gone too. I wouldn't call them just script kiddies because this script was very specific and well written for the mtgox website. I had two antiviruses running and neither caught it. Only later did Malwarebytes pick it up as a well encoded trojan payload executable.



http://imageshack.us/a/img841/2209/malwaren.jpg



Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!



http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/



Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...



This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice on how to go about contacting mtgox? They are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!



Any advice is very much appreciated.





UPDATE 4/21/13



I got my coins back



https://bitcointalk.org/index.php?topic=173227.msg1907593#msg1907593



But others are still suffering.



http://www.reddit.com/r/Bitcoin/comments/1cokps/java_exploit_stole_all_my_btc/



I'll be the first to buy a hardware wallet...
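The post does not establish exactly how the withdrawal was triggered; the author's own description (logged into the exchange in the same browser, a page on another site fires a withdrawal in the background, no second factor on the account) matches cross-site request forgery against a session cookie. The following is an added example, not code from the original post and not an analysis of Mt.Gox's actual site: it models that suspected path against a toy withdrawal endpoint and shows the three checks that stop it (Origin check, per-session anti-CSRF token, and a single-use second-factor code of the kind the author says he should have enabled). Hostnames, the endpoint shape, the balance and the addresses are constructed for the example.

```python
"""
Toy model of a browser-session withdrawal endpoint, vulnerable vs hardened.
Constructed example: EXCHANGE_ORIGIN, the form fields and the balances are
illustrative and are not Mt.Gox's real API or a confirmed reconstruction of
the attack described in the post.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

EXCHANGE_ORIGIN = "https://exchange.example"   # assumed stand-in for the exchange


@dataclass
class Session:
    user: str
    balance_btc: float
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    otp_secret: bytes = field(default_factory=lambda: secrets.token_bytes(20))
    otp_counter: int = 0


@dataclass
class Request:
    origin: str      # Origin header the browser adds to a cross-site POST
    cookies: dict
    form: dict


SESSIONS: dict = {}   # session cookie value -> Session


def login(user: str, balance_btc: float) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user, balance_btc)
    return sid


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a hardware token or authenticator app displays."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def withdraw_vulnerable(req: Request) -> tuple:
    """Accepts any request carrying a valid session cookie. The cookie is
    ambient authority: a page on any site can make the browser spend the balance."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    amount = float(req.form["amount"])
    if amount > sess.balance_btc:
        return 400, "insufficient funds"
    sess.balance_btc -= amount
    return 200, f"sent {amount} BTC to {req.form['address']}"


def withdraw_hardened(req: Request) -> tuple:
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    # 1. a cross-site POST carries the attacking site's Origin; refuse it
    if req.origin != EXCHANGE_ORIGIN:
        return 403, "bad origin"
    # 2. per-session token embedded in the real withdrawal form; other sites cannot read it
    if not hmac.compare_digest(req.form.get("csrf", ""), sess.csrf_token):
        return 403, "missing or wrong csrf token"
    # 3. the withdrawal needs a fresh code from the user's second factor
    expected = hotp(sess.otp_secret, sess.otp_counter)
    if not hmac.compare_digest(req.form.get("otp", ""), expected):
        return 403, "second factor failed"
    sess.otp_counter += 1   # each code is single-use, so a captured one cannot be replayed
    amount = float(req.form["amount"])
    if amount > sess.balance_btc:
        return 400, "insufficient funds"
    sess.balance_btc -= amount
    return 200, f"sent {amount} BTC to {req.form['address']}"


def forged_request(sid: str) -> Request:
    """What the victim's browser sends when a page on the attacker's site auto-submits
    a form: the attacker's Origin, the victim's cookie (browsers in 2013 attached it on
    cross-site POSTs; SameSite did not exist yet) and attacker-chosen fields.
    The attacking page cannot read the csrf token or produce the OTP."""
    return Request(origin="http://attacker.example",
                   cookies={"sid": sid},
                   form={"amount": "34", "address": "1AttackerAddrExampleXXXXXXXXXXXX"})


def run_scenario() -> dict:
    SESSIONS.clear()
    sid = login("bitbully", 34.3)          # constructed balance
    sess = SESSIONS[sid]
    forged = forged_request(sid)

    status_vuln, _ = withdraw_vulnerable(forged)
    after_vuln = sess.balance_btc

    sess.balance_btc = 34.3                 # reset for the hardened run
    status_hard, _ = withdraw_hardened(forged)
    after_hard = sess.balance_btc

    # legitimate withdrawal from the exchange's own form, with token and OTP
    legit = Request(origin=EXCHANGE_ORIGIN, cookies={"sid": sid},
                    form={"amount": "1", "address": "1OwnAddrExampleXXXXXXXXXXXXXXXXX",
                          "csrf": sess.csrf_token,
                          "otp": hotp(sess.otp_secret, sess.otp_counter)})
    status_legit, _ = withdraw_hardened(legit)
    status_replay, _ = withdraw_hardened(legit)   # same OTP again must be refused
    return {"vulnerable_forged": status_vuln, "balance_after_vulnerable": after_vuln,
            "hardened_forged": status_hard, "balance_after_hardened": after_hard,
            "hardened_legit": status_legit, "hardened_replay": status_replay,
            "final_balance": sess.balance_btc}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The vulnerable handler drains the forged request to 0.3 BTC, the same shape as the post's "less than a third of a bitcoin" outcome, purely because the browser attached the cookie. The hardened handler rejects the forged request at the Origin check before any balance is touched, accepts the user's own request once, and refuses the replay because the HOTP counter has advanced. In a real deployment the checks stack with a SameSite cookie attribute and a withdrawal confirmation out of band; none of that helps against the keylogger the author also describes, which is why the post ends with a hardware wallet.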