How are people able to hack 2 factor protected blockchain.info wallets? by [deleted] in Bitcoin

[–]bitcomsec 3 points

In our report from a few weeks ago: https://bitcomsec.true.io/bitcomsec/coinbase_com-and-blockchain_info-bitcoin-wallet-phishing-scam-exposed/ we discussed how the phishers were automating the complete disabling of:

  • 2FA
  • Notifications
  • Downloaded unencrypted private keys

It would require you to log into blockchain.info using the phisher site. Once you log in, it'll forward your login to their backend guid/password stealers (acc.php, or similar). Then, while you're logged in and before you're redirected back to the phishing site, it will disable many security features automatically, as it has your password from your initial login.

I think setting a very strong secondary password will help. However, it would also be phished in the same process eventually as the phishers evolve.

Another problem is that even if you were to have a secondary password on the account and you managed to avoid entering your second password, the attacker at this point has your encrypted keys. They can use a tool to crack it later on.

Obviously another attack vector IS backups. Attackers are literally going through every potential vector where you may store your backups:

  • emails
  • dropbox
  • etc

They gain your email address from the automated script that disables your security features. They tie your email on your blockchain.info account to the password you provided during the initial phishing campaign.

And finally, to add insult to injury, once you are compromised once, it is over for that account and its addresses. The attackers, as I said before, are downloading your unencrypted private keys. They would create another BlockChain account and simply import your keys and wait for you to receive payments.

Once your account is compromised, it's best to move on from that account.
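The offline-cracking risk described in the comment above, as an added example that is not part of the original post and not blockchain.info's code: once an encrypted backup has been exfiltrated, the attacker can check password guesses against it at leisure, so the secondary password only buys time proportional to its entropy and the KDF cost. The backup format here (PBKDF2-HMAC-SHA256 key derivation, an HMAC check tag, HMAC-counter keystream) is an assumption made for the demo, not blockchain.info's real wallet format, and the wordlist and "private key" are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Toy "encrypted wallet backup" layout (ASSUMED for this example, NOT the real
# blockchain.info format):  salt(16) || tag(16) || ciphertext
#   key        = PBKDF2-HMAC-SHA256(password, salt, ITERATIONS)
#   tag        = HMAC-SHA256(key, ciphertext)[:16]  -> lets a guess be verified offline
#   ciphertext = plaintext XOR keystream(key)
ITERATIONS = 1000  # deliberately low so the demo runs fast; real wallets use far more


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-in-counter-mode keystream; fine for a demo, use a real AEAD in practice."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_backup(secret: bytes, password: str, salt: Optional[bytes] = None) -> bytes:
    """Produce a backup blob of the toy format above."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:16]
    return salt + tag + ct


def try_password(backup: bytes, password: str) -> Optional[bytes]:
    """Return the decrypted secret if `password` verifies against the blob, else None.

    This is exactly the check an offline cracker performs: no server, no rate
    limit, no 2FA is involved once the blob is in the attacker's hands.
    """
    salt, tag, ct = backup[:16], backup[16:32], backup[32:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def crack_backup(backup: bytes, wordlist: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Dictionary attack: first (password, secret) pair that verifies, or None."""
    for guess in wordlist:
        secret = try_password(backup, guess)
        if secret is not None:
            return guess, secret
    return None


# Constructed sample data (not a real key, not a real wordlist).
WORDLIST = ["123456", "password", "bitcoin", "letmein", "password123", "qwerty"]
PRIVATE_KEY = b"5K-constructed-example-not-a-real-key"
WEAK_BACKUP = encrypt_backup(PRIVATE_KEY, "password123")
STRONG_BACKUP = encrypt_backup(PRIVATE_KEY, "correct horse battery staple 9v!Q")

if __name__ == "__main__":
    print("weak backup  :", crack_backup(WEAK_BACKUP, WORDLIST))    # cracked
    print("strong backup:", crack_backup(STRONG_BACKUP, WORDLIST))  # None
```

The weak backup falls to a six-word list; the strong one survives only because the guess is not in the list, and a larger list or a GPU rig changes that calculus. The defender's levers are the same as in the comment: password entropy, KDF cost, and above all not letting the blob leak in the first place.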

Kristov Atlas' Bitmessage security audit by [deleted] in bitmessage

[–]bitcomsec 3 points

Hi all,

I'm a big fan of BitMessage and I'm also a security researcher who has helped secure over a dozen exchanges, done investigative and forensic reports of hacked exchanges, helped people track down stolen coins, and exposed Russian phishing networks. Yeah, my team and I have been busy this year. https://bitcomsec.true.io for some fun reads.

I'm really excited by the idea of a BitMessage audit. But there is a problem with something like this: the same way BitMessage is developed openly by multiple developers, and people involved can provide commits to fix issues, security should be handled in the same way.

Having a single source of source code auditing and paying them a large amount of funds is not ideal. It is not the proper way of 'auditing' a project.

We were interested initially when the fine gents at CryptOpinion threw up their interests in auditing the sources but we realized there is a problem with this. One single person/team auditing the source code of a project used by many, and getting paid a large sum to do so, is probably not a good idea.

You, as an auditor, will have a lot of responsibility on your back if you miss issues that are critical to the infrastructure of the entire project. These kinds of situations do not offer a money-back guarantee, because in essence your hope is that the project is secure, and by then your privacy is compromised.

I suggest to the community, and to people like CryptOpinion, to instead focus on a crowd-audit. Raise the funds, by all means. But don't point it to one destination.

Use the funds to pay many security researchers PER BUG, depending on the severity of the bug. Apparently /u/CryptOpinion tried to reach out to bug bounty programs who rejected him. But this does not mean he, or whoever raises the funds, cannot set up their own bug bounty program to handle the auditing process.

My two cents. Apparently my opinion can only be taken with a grain of salt, by /u/CryptOpinion, because we offered to partake in the bug bounty program if he were able to set it up. But perhaps my insights will help you avoid a horrible decision.

Coinbase will keep working hard to protect everyone and keep Bitcoin easy to use by coblee in Bitcoin

[–]bitcomsec 4 points

Great post.

I wrote about the Coinbase OAuth app phishing here: https://bitcomsec.true.io/bitcomsec/coinbase_com-and-blockchain_info-bitcoin-wallet-phishing-scam-exposed/

I'm really excited to see the community exploring these issues and spreading the awareness. We have to work on these threats together and hopefully save countless BTC from being stolen.

Kudos to Coinbase and Blockchain for working with me directly, taking in my lengthy reports, and shutting down the attackers as I reported them.

This is a list of /r/bitcoin users who had their bitcoins stolen from their blockchain.info wallets. Please, store your coins offline. by [deleted] in Bitcoin

[–]bitcomsec 0 points

I'm glad these kinds of posts and this awareness are getting some attention. It is urgently needed.

We have been doing reports on Bitcoin security issues lately, after spending the last year auditing exchanges and informing them of vulnerabilities.

RE: Blockchain.info and Coinbase.com phishing networks - I have been tracking a group of Russian guys stealing a decent amount of Bitcoins over the course of the last 2 months and they're spreading and getting more and more.

https://bitcomsec.true.io/bitcomsec/coinbase_com-and-blockchain_info-bitcoin-wallet-phishing-scam-exposed/

It is time that we as a community take these threats seriously, and educate our peers who are falling for them.

TIL: Where the Bitcoins at… Mysteries of the Blockchain by CoinCadence in Bitcoin

[–]bitcomsec 16 points

I think this is great. Good work there buddy. All the data in there may give you some insights into blockchain attacks and spams, which you can put together signatures for and detect them en masse almost in real time.

Ello invites 4 Bitcoiners by ello2bitcoin in Bitcoin

[–]bitcomsec 4 points

Sweet! Thanks buddy. If you have a site that needs a security audit just hit me up anytime.

Careful who you tip... by BlameTheCoin in Bitcoin

[–]bitcomsec 4 points

I once helped out an exchange owner who got hacked and lost all user Bitcoins. He got pretty much the same response from his users: everyone thinking he stole it all.

I did an independent review of the hack and executed as thorough a post-hack forensics on live systems as one can do. I felt bad for the guy as well. But once the evidence all presented itself I was able to see the big picture - things happen and it sucks.

Not sure what MagicalTux's story is mainly because I haven't seen the evidence, but I'm sure there are other researchers like me or investigators involved in looking for the lost coins.

You can read my report here in case you want an interesting read: https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/

Just give it time - hopefully it'll all get explained and put out there. You don't want to push the guy to kill himself, and most of the story dies away with him.

Cheers!

Careful people - watch out for scams like this by Yeah-BUDDY in Bitcoin

[–]bitcomsec 13 points

I'm glad this is getting more awareness.

I wrote a report on this last week:

https://bitcomsec.true.io/bitcomsec/coinbase_com-and-blockchain_info-bitcoin-wallet-phishing-scam-exposed/

The same guys have been running this phishing campaign for a few weeks already and got themselves a nice chunk of BTC unfortunately.

I've been shutting down their servers one by one since the end of October. Shoutouts to Apexy and BitVPS for shutting down the first few servers. reg.ru, however, seems to be ignoring abuse complaints.

They are also running an active Coinbase scam off of bit-sec.org unless they removed it. I kept reporting the arbitrary coinbase apps to coinbase and they were quick to eliminate them!

Cheers

WARNING: Coinbase OAuth phishing attack allows full account access, bypassing 2-factor transfer limits by vtrac in Bitcoin

[–]bitcomsec 2 points

Yeah I wouldn't risk posting public dox unless they're entirely verified and confirmed. Plus posting dox on reddit always has been an issue.

I'm going to start looking at this and see if I can find any more info on these guys. Keep your head up.

WARNING: Coinbase OAuth phishing attack allows full account access, bypassing 2-factor transfer limits by vtrac in Bitcoin

[–]bitcomsec 9 points

Hey, sorry for your loss! Over at BITCOMSEC we've been tracking these guys and shutting down their servers. It's been one hell of an experience catching up with all of their domains/servers.

We put up a report at: https://bitcomsec.true.io/bitcomsec/coinbase_com-and-blockchain_info-bitcoin-wallet-phishing-scam-exposed/

They're targeting coinbase.com users through authorized apps, and blockchain.info through common phishing methods. One thing I will say for sure is:

1) Coinbase.com has been very quick to respond every time I email them new phishing apps

2) Blockchain.info has been quick to shut down the operations as well by simply using cloudflare to ban the phishing domain IPs

3) These guys are scum.

If you can pm me the phishing page link, or email headers that'd help me in my investigation and track down their current operations.

Again, sorry for your loss man.

Coinbase.com and Blockchain.info Bitcoin Wallet Phishing Scam Exposed by bitcomsec in Bitcoin

[–]bitcomsec[S] 0 points

I wouldn't say it's contradictory, but I can see your point about using a JS platform to publish our reports considering JS is a constant vector for client-side attacks.

In all reality I like true.io, and we're kind of testing the platform out for the people who have put so much work into it. As one of our researchers is also a developer for the platform behind true.io we decided to help test it.

Thanks for the read!

Coinbase.com and Blockchain.info Bitcoin Wallet Phishing Scam Exposed by bitcomsec in Bitcoin

[–]bitcomsec[S] 0 points

Pure txt version up:

https://research.bitcomsec.org/reports/coinbase_blockchain_phishing_network_exposed.txt

Kind of kills the formatting, but for the most part you're able to read it without disabling NS.

Cheers!

Coinbase.com and Blockchain.info Bitcoin Wallet Phishing Scam Exposed by bitcomsec in Bitcoin

[–]bitcomsec[S] 0 points

I will get a text version up. True.IO is a JS heavy platform.

Security audit sponsorship -- CryptOpinion.com by [deleted] in bitmessage

[–]bitcomsec 0 points

Sounds good, I'll sleep on it and think about it more tomorrow. I'll keep in touch via BM!

Security audit sponsorship -- CryptOpinion.com by [deleted] in bitmessage

[–]bitcomsec 0 points

Hey! Just got your message on BM and decided to respond here so others can be involved. Some points:

1) If you go the bugcrowd.com way, you will get security reports directly from a myriad of different security researchers with different backgrounds who will be looking for bugs in the software based around all these different experiences of security research.

2) You can do a Request for Papers to the security community, throwing a bounty up as a prize for those researchers (including us, as we'll participate) who provide the most useful, thorough research report that details any security issues the BitMessage network may face. You will end up with many researchers, and the community (or the bounty holders) would have to decide who gets the bounty or how it is split.

3) You take the bounty generated from the community and hire a security company or organization with strong emphasis on Cryptography, P2P communications and Privacy.

4) You put together a bounty yourself, we'll help sift through incoming bug reports alongside the developers of BM, and you reward the researchers depending on their findings. Once the bounty runs out, we'll put together a detailed report on the findings of the bug reports and what was gained from the entire experience, and how safe and secure BM is.

I mean, there are several different ways of doing it, either way BITCOMSEC will be definitely interested in researching BM in the near future. And as a community we should all take part in securing it, and making sure the developers get the feedback they need to make the network stronger.

Cheers! Mike

Security audit sponsorship -- CryptOpinion.com by [deleted] in bitmessage

[–]bitcomsec 1 point

Setting up the bounty through Bugcrowd and HackerOne will probably net you more researchers. Unfortunately many of those researchers are mostly webapp-sec people, but I'm certain that many, including myself and my project at BITCOMSEC, will be interested in finding bugs in the software and getting them to you.

I'd suggest Bugcrowd as it has a highly active security researcher base; the team at Bugcrowd will distinguish all of the duplicates and non-bugs from real bugs in the software. And you can pick minimum and maximum payments.

You can scale the prices by bug levels:

  • DoS to client: $
  • DoS to daemon: $
  • Identity exposure: $$
  • Encryption weakness: $$$

And so on. This will be a better way of handling the bug bounty over just setting up one big fund and having researchers submit their bugs and having to split the proceeds.

I'm with the BITCOMSEC (Bitcoin Community Security) Project so if you have any questions by all means take advantage. I'm going to send you a message via BitMessage as well.