How I got robbed of 34 btc on Mt.Gox today

Comments:"How I got robbed of 34 btc on Mt.Gox today"

URL:https://bitcointalk.org/index.php?topic=173227.0


bitbully
So at 10:06pm ET on April 10th 2013 I was on btc-e reading the chat box. Then and there someone posted a link to www mtgox-chat info (do not open unless you know what you are doing) claiming a video announcement that mtgox was going to start trading litecoins.

I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. I then forgot about this website.

Some while later at approx 11pm, I received an email. This was an email from mtgox that a withdrawal had taken place. I thought this was a joke.

------------------------------------------------------------
Dear bitbull,
 
There has been a withdrawal from your Mt.Gox account:
 
Transaction reference: 97235bfd-9909-4020-9f06-e9d318c1ef7f
 
Date: 2013-04-11 02:06:22 GMT
 
IP: 198.203.29.120

You can access your account history for more details.

Please contact us as soon as possible by replying to this email if you did not request this withdrawal.

Thanks,

The Mt.Gox Team
------------------------------------------------------------

I immediately responded back to them, but what I discovered is that the withdrawal had been instantly processed and already confirmed in the blockchain:

https://blockchain.info/tx/bb30f2f110ba5b7bb60812bc3d7744f5086f6b4a38439566f1888a8d26e1fbec

which left less than a third of a bitcoin in my account. I then realized that this withdrawal happened at the EXACT time I accessed the mtgox-chat website, based on my browser history. I then realized that I only received my notification email from them much after the fact, apparently because their servers are overloaded and not functioning correctly.

Being a techie, I started researching. I found out that this site is hosted here in the USA. I also found out that the withdrawal was submitted from an IP in Los Angeles even though I have been accessing mtgox from Pennsylvania / New York. I then discovered that the site is a teleport pro rip of bitcoincharts.com branded with a mtgox logo, and was registered on namecheap (with bitcoins as it may be) not even 5 days ago! This is the IP resolve of the domain name.

I then discovered that the site is loaded with a java script which, based on an initial analysis by my java programmer friend, is a 0 day java exploit with a cross site injection attack, which automatically started. It also contains an additional keylogger payload, all customized specifically for mtgox. They even "offer" an easy to use file download link for those whose browsers are not running java. This script INSTANTANEOUSLY initiated a mtgox withdrawal of nearly all my btc (34btc) in the background (I was logged into mtgox on that browser, seemed to be using some form of proxy to access my browser cookie cache it would seem) and then changed the account password so I couldn't login anymore. This was proven to be 100% automatic as the withdrawal occurred the same exact minute I accessed that website for the first time.

It then continued to gather all my computer passwords and logged everything I was doing including my blockchain account (as I eventually located the log files) and then sent it to the hackers / script kiddies.  Luckily I have dual password protection on my blockchain wallet otherwise all my other bitcoins would be gone too. I wouldn't just call them just script kiddies because this script was very specific and well written for the mtgox website.  I had two antiviruses running and neither caught it. Only later malwarebytes picked it up as a well encoded trojan payload executable.

Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police". They should compensate me 100%. First because their site is not secured against such rudimentary attacks as has been demonstrated today. I'm not the first and certainly not the last so long as they don't deal with this. Second because their security policy should account for such instances, and I did not even have an opportunity to warn them I did not make the withdrawal. Yet most importantly, BECAUSE THEY SHOULD HAVE KNOWN ABOUT THIS OVER 3 DAYS AGO!!!

http://www.reddit.com/r/Bitcoin/comments/1bvl4n/beware_when_clicking_any_link_from_chatboxesirc/

Yeah, I'm stupid, I should have enabled a Yubikey or other 2nd auth method when bitcoins started exploding in value ... but still, this attack is rather basic and should not be possible on a site at the level of Mt. Gox. I can only imagine how people with larger amounts would feel if clicking on a link emptied their account $10k+...

This is a serious loss for me, and unless this is handled correctly this can also badly affect the community. I know they are super busy as they are backlogged with over 10,000 account verifications - I can only hope this gets handled appropriately. Does anyone have any advice how to go about contacting mtgox, they are so busy they don't even realize someone has a specialized phishing operation running to rob their customers!

Any advice is very much appreciated.

doobadoo
Internet explorer?

Use Firefox with NoScript; it would probably have prevented the XSS. As for the 0-day JavaScript exploit, NoScript will save your bacon there too: only allow scripts you can identify and trust.

That keylogger it ran, was it actually installed to the system or was it just running in the browser? Boy, that's Win 8 for ya.

Change your email and banking passwords after you've done a clean install.

Consider Linux or OS X.

"It is, quite honestly, the biggest challenge to central banking since Andrew Jackson." -evoorhees

bitbully
Thx doobadoo for the advice.

Moved to a clean system until I wipe infected one, all passwords reset, was using chrome and win7 and you don't have to tell me I know the risks of using Microsoft. I'm on top of my security, always have been but this trojan was well crafted, I mean when the incentive is there you'll have the entire online underground mafia programming these things. These guys must be making a killing. I think the payload was both a browser java instance and custom keylogger executable. But I'm not an expert all I know is the second I clicked on that site my bitcoins were withdrawn near instantaneously, and I had mtgox.com open and logged in on another tab.

Crossing my fingers mtgox will help.

doobadoo
Are you sure you didn't run a Java applet? Because that's pretty much the same as running an executable file, and in that case, your negligence can't be blamed on MtGox.

I have a strong feeling it was a Java applet, because XSS can't install trojans on to your computer without an additional attack vector.

Sorry, but this seems to be mostly due to your own negligence. I know it's hard to hear. Sorry dude


Are we sure the trojans have anything to do with the attack? He may just be coincidentally ALSO infected by some trojans from some bad software he d/led and installed. He says the coins were tx instantly when he clicked the poisoned link. That smells like XSS. He was logged in to Gox, executed some bad JavaScript and that script injected it into the Gox script running in the next tab and transferred whatever coin he had in Gox to a withdrawal address. No need to upload account credentials, just grab what's there.

JoelKatz
There's really no evidence here that this is Mt Gox's fault. Most likely, it's an exploit that takes over control of the browser. If you had a Mt. Gox window open, it can read any information or click any links that you can. The vulnerability is most likely in your JVM or in your browser. (Unless it's an XSS thing, in which case it could be at least partially Mt. Gox's fault, but honestly I think that's less likely.)

Of course, that's not to place any blame on you. Yes, you could have run the browser in a VM you only use for Gox and close it any time you're going to do anything else and sweep your computer for malware before you open the VM and keep the VM encrypted and ....

But then basic stuff would be pretty incredibly hard, wouldn't it?

I had two antiviruses running and neither caught it.

It's the job of these antiviruses to protect you from malicious stuff like this, and they failed you. Of course, providers of antivirus software take no responsibility for the reliability of their software.


FiloSottile
I'm really sorry for what happened to you, but here it's not Mt. Gox's fault.

There's no threat model that can take complete client compromise into account, except maybe dual-factor auth on any withdrawal, but even that would only protect you until you make an authenticated operation; then the attacker can fake the pages so that you think you are sending a BTC to someone and instead you are sending all to them.

To get an idea of how unsafe running untrusted Java is, hang around here: http://java-0day.com/
Always use click-to-play, and well, don't click.

My only suggestion here can be: use exchanges as exchanges, and keep a nice offline wallet for savings. Seriously, it's easy, you don't have to trust the site and it doesn't get hacked. You can have one for $35 (https://gist.github.com/FiloSottile/3646033)

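As an added illustration (not code from this thread, from Mt.Gox, or from any poster), the gate below models the case doobadoo describes above, a request from a page in another tab riding on the victim's logged-in session, together with the per-withdrawal second factor FiloSottile mentions. The origin, the token scheme and the one-time-code function are constructed for the example; as FiloSottile notes, none of it helps once the client itself is compromised.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder origin for the exchange's own pages.
SITE_ORIGIN = "https://exchange.example"


class Session:
    """Server-side state for one logged-in browser session."""

    def __init__(self, user, second_factor_secret):
        self.user = user
        # Anti-CSRF token: embedded in the exchange's own pages, never
        # readable by a page served from another origin.
        self.csrf_token = secrets.token_hex(16)
        self.second_factor_secret = second_factor_secret


def one_time_code(secret, step):
    """Hypothetical HMAC-based one-time code (stand-in for a real TOTP)."""
    mac = hmac.new(secret, str(step).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def authorize_withdrawal(session, request, step):
    """Return (allowed, reason) for a withdrawal request dict.

    The browser attaches the session cookie to any request, so the cookie
    alone proves nothing about which page sent it. Each check below needs
    something a third-party page cannot supply. Note: a script injected
    into the exchange's own origin (true XSS) could read the token; only
    the second factor still stands in that case.
    """
    if request.get("Origin") != SITE_ORIGIN:
        return False, "origin mismatch"
    if not hmac.compare_digest(request.get("csrf_token", ""), session.csrf_token):
        return False, "missing or wrong anti-CSRF token"
    expected = one_time_code(session.second_factor_secret, step)
    if not hmac.compare_digest(request.get("otp", ""), expected):
        return False, "second factor missing or wrong"
    return True, "ok"


def demo():
    """Constructed forged vs. legitimate requests against one session."""
    sess = Session("victim", b"constructed-shared-secret")
    step = 1365645960 // 30  # constructed time step
    forged = {"Origin": "https://third-party-page.invalid",
              "amount": "34", "to": "DESTINATION_PLACEHOLDER"}
    legit = {"Origin": SITE_ORIGIN, "csrf_token": sess.csrf_token,
             "otp": one_time_code(sess.second_factor_secret, step),
             "amount": "1", "to": "DESTINATION_PLACEHOLDER"}
    return authorize_withdrawal(sess, forged, step), authorize_withdrawal(sess, legit, step)
```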

bitbully
Thanks for the input guys. I know that my software choices in life may have made me more vulnerable to such attacks. But all the technical details aside, it's CLEAR that this site is built and targeted methodically at mtgox users, and that these perps are doing their best to attack mtgox users however they can. Whether that means through phishing scams, xss, keyloggers, java exploits, human social engineering, etc... mtgox should take a proactive role in curbing these attempts.

The reason I chose mtgox is because they are the biggest and most well known. My assumption is that I would be insured against such common hacking tactics. They are holding massive amounts of wealth and just like banks, forex companies, and paypal, mtgox should bear a certain degree of responsibility for hacked accounts. I don't think we can expect the masses to adopt bitcoins if they need to have a degree in IT security just to protect their funds, nonetheless in a hosted soft wallet environment.

Dervie

Lol, I guess my attempt to get the virus detected by more than 16/42 antiviruses didn't help huh? As soon as I saw the website posted in the chatbox, I immediately warned people NOT to go on it and the user was banned for 3 days. Oh well, now you know.
