Hackers Hijack DNS For Lumens Cryptocurrency Site 'BlackWallet', Steal $400,000 (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer:
Unknown hackers (or hacker) have hijacked the DNS server for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM), and have stolen over $400,000 from users' accounts. The attack happened late Saturday afternoon (UTC timezone), January 13, when the attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to their own server. "The DNS hijack of Blackwallet injected code," said Kevin Beaumont, a security researcher who analyzed the code before the BlackWallet team regained access over their domain and took down the site. "If you had over 20 Lumens it pushes them to a different wallet," Beaumont added...
According to Bleeping Computer's calculations, as of writing, the attacker collected 669,920 Lumens, which is about $400,192 at the current XML/USD exchange rate. The BlackWallet team and other XLM owners have tried to warn users via alerts on Reddit, Twitter, GitHub, the Stellar Community and GalacticTalk forums, but to no avail, as users continued to log into the rogue BlackWallet.co domain, enter their credentials, and then see funds mysteriously vanish from their wallets.
XML (Score:1)
"at the current XML/USD exchange rate"
Microsoft's going to be happy with their XML (ab)use!
A fool and his tulip is soon separated (Score:1)
Unless he finds a bigger fool to sell it to before the bubble bursts.
Yes I am sad I didn't get in on this bubble at the beginning but not that sad. Let's face it: Bitcoin is no longer behaving like a currency. It's now a speculative game like tulips.
Alas I am late to this game and you should never enter a market when it looks like the bubble is about to burst.
Not that sad anyway because it's a gamble. If you're kicking yourself for missing the Bitcoin bubble why not invest in some other cryptocurrency now?
Re: (Score:2)
Ethereum is rising, slowly.. but rising.
Re: (Score:2)
Unless he finds a bigger fool to sell it to before the bubble bursts.
Yes I am sad I didn't get in on this bubble at the beginning but not that sad. Let's face it: Bitcoin is no longer behaving like a currency. It's now a speculative game like tulips.
Alas I am late to this game and you should never enter a market when it looks like the bubble is about to burst. Not that sad anyway because it's a gamble. If you're kicking yourself for missing the Bitcoin bubble why not invest in some other cryptocurrency now? Yeah. I thought so.
And the best time to buy into real estate was always 20 years ago.
Who the fuck modded up the parent?! (Score:2, Informative)
Who the fuck modded up the parent comment?! It's a perfect example of how dumbed-down Slashdot has become lately, and how this dumbing down results in fucking idiotic comments, like the parent comment, getting incorrectly modded up.
DNS and TLS are separate, independent technologies.
One or more DNS requests will be made prior to an HTTP connection, encrypted or not, being made to a web server.
HTTPS certificates and encrypted HTTP connections can't do a damn thing about a DNS server returning an incorrect resu
Re:Who the fuck modded up the parent?! (Score:4, Interesting)
You clearly have no idea what you're talking about, so please refrain from subjecting us to your utter bullshit.
Neither do you, professor. Strict transport security [wikipedia.org] combined with public key pinning [wikipedia.org] would have mitigated the attack, for the most part at least.
Re: Who the fuck modded up the parent?! (Score:1)
Public key pinning has been deprecated due to being better as a DDoS vector than as a protection method and will be gone from future Chrome. What's left is HSTS, which is so negligible for these cases (why are you even listening on port 80?) that parent is right.
Re: (Score:1)
> HTTPS certificates and encrypted HTTP connections can't do a damn thing
It's a perfect example of how dumbed-down Slashdot has become lately.
You can add an HSTS header to your HTTPS website to prevent later hijacking, provided the user has previously accessed the website. And you can always preload the HSTS policy of your website into the SOURCE CODE of common web browsers (If you have a mission-critical website and haven't done this yet, apply at https://hstspreload.org/ [hstspreload.org]). In addition, Firefox (since
Re: (Score:2)
I'm actually wondering. With https://letsencrypt.org/ [letsencrypt.org] letting you automagically get an SSL cert that is trusted by the browsers without warnings, wouldn't anyone with control over your domain be able to look good for most browsers?
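The exchange in the replies above (HSTS alone vs. HSTS plus key pinning, and whether a DV certificate from Let's Encrypt lets whoever controls DNS "look good") can be replayed as a small model. This is an added illustration, not code from BlackWallet, the researcher quoted in the story, or any browser; the host name, header values and key bytes are constructed, and the "SPKI" blobs are placeholders rather than real DER. The pin computation itself is the RFC 7469 method (base64 of SHA-256 over the DER SubjectPublicKeyInfo), and the header parsing follows RFC 6797.

```python
"""What HSTS and HPKP do, and do not do, against a DNS hijack like the one in
the story. Added illustration, not code from BlackWallet, the researcher quoted
above, or any browser. Host name, header values and key bytes are constructed."""
import base64
import hashlib
import time

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (a real pin hashes
# the actual DER bytes; any distinct bytes serve the demonstration).
LEGIT_SPKI = b"constructed: BlackWallet's real public key"
ATTACKER_SPKI = b"constructed: key in the attacker's DV certificate"


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated,
    case-insensitive directives; max-age may be quoted."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_eligible(policy):
    """hstspreload.org submission rules (assumed current as of this edit):
    max-age of at least one year plus the includeSubDomains and preload flags."""
    return (policy["max_age"] is not None and policy["max_age"] >= 31536000
            and policy["include_subdomains"] and policy["preload"])


def spki_pin(spki_der):
    """HPKP pin value (RFC 7469): base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


class Browser:
    """Minimal model of a browser's HSTS cache and pin store."""

    def __init__(self):
        self.hsts_expiry = {}   # host -> unix time the HSTS entry expires
        self.pins = {}          # host -> set of accepted SPKI pins

    def learn(self, host, hsts_header=None, pins=None, now=None):
        """Record policy from an earlier, legitimate HTTPS visit."""
        now = time.time() if now is None else now
        if hsts_header:
            policy = parse_hsts(hsts_header)
            if policy["max_age"] is not None:
                self.hsts_expiry[host] = now + policy["max_age"]
        if pins:
            self.pins[host] = set(pins)

    def connect(self, host, scheme, server_spki=None, now=None):
        """Outcome of navigating to host when DNS points at a server that
        presents a trusted certificate carrying server_spki."""
        now = time.time() if now is None else now
        if scheme == "http":
            if self.hsts_expiry.get(host, 0) > now:
                scheme = "https"  # HSTS rewrites the URL before any request
            else:
                return "plaintext: attacker serves whatever it likes"
        pinned = self.pins.get(host)
        if pinned and spki_pin(server_spki) not in pinned:
            return "blocked: SPKI pin mismatch"
        return "connected over https"


def run_scenarios():
    """Replay the thread's claims; returns a dict of scenario -> outcome."""
    host = "blackwallet.example"
    hsts = "max-age=31536000; includeSubDomains; preload"
    r = {}
    # No policy ever learned: the hijacked server wins on plain http.
    r["no_policy_http"] = Browser().connect(host, "http")
    # HSTS from an earlier visit: http is upgraded, but DNS control is all a
    # DV CA checks, so the attacker answers on https with a freshly issued cert.
    b = Browser()
    b.learn(host, hsts, now=0)
    r["hsts_http"] = b.connect(host, "http", ATTACKER_SPKI, now=1)
    r["hsts_https_dv"] = b.connect(host, "https", ATTACKER_SPKI, now=1)
    # HSTS plus a pin on the real key: the attacker's cert carries the wrong
    # key and is rejected; the real server still works.
    b = Browser()
    b.learn(host, hsts, [spki_pin(LEGIT_SPKI)], now=0)
    r["pinned_https_dv"] = b.connect(host, "https", ATTACKER_SPKI, now=1)
    r["pinned_https_legit"] = b.connect(host, "https", LEGIT_SPKI, now=1)
    # HSTS whose max-age has elapsed behaves like no policy at all.
    b = Browser()
    b.learn(host, "max-age=60", now=0)
    r["hsts_expired_http"] = b.connect(host, "http", ATTACKER_SPKI, now=61)
    return r
```

Running `run_scenarios()` gives "connected over https" for the HSTS-only case even though the server is the attacker's, and "blocked: SPKI pin mismatch" only once a pin on the legitimate key exists; that is the difference the replies are arguing about. The model leaves out what killed HPKP in practice (a lost key or a hostile pin header locks users out for max-age), and it says nothing about a first visit with no cached policy and no preload entry, which is where DNSSEC or CAA would have to do the work instead.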
Re: (Score:1)
DNSSEC is supposed to handle this. DNSSEC would mean that as long as the domain name registration (and thereby key registration with the parent domain) was safe, they wouldn't have been able to generate new DNS entries without signing them, so they couldn't have done anything with the DNS server they hijacked.
Of course if they managed to get control of the DNS registration then that's another issue.
Any bets? (Score:2, Interesting)
Any bets this is who is behind it?
Kim Digs for Cybercrime Coin Sanctions Can’t Snatch [thecipherbrief.com]
And is that leading to this?
South Korea plans to ban cryptocurrency trading, rattles market [reuters.com]
Re: (Score:2)
Oh, I don't know about that. $400,000 isn't exactly chump change. Besides . . .
U.S. blames North Korea for 'WannaCry' cyber attack [reuters.com]
Re: (Score:2)
The point of both was to obtain money. $400,000 is a pretty good haul for limited work. What do you think the average take was for WannaCry? I doubt it was $400,000. I doubt laundering it will be a big challenge for North Korea; North Korea is a criminal enterprise in itself. It is possible they won't have to do much if they plug it back into criminal activity on the dark web.
Re: (Score:3)
Let's be honest, it is all about dishonesty. What is the nature of the current cryptocurrency market? It's dishonesty, about cheating taxes, about ponzi schemes, it's about funding criminal operations, not all of it but well and truly sufficient of it to attract criminals to it in droves. That means criminal investors, criminal business and criminal employees. With regard to fraud in that environment, look no further than its own members. First suspect in all cryptocurrency frauds, have to be its employee
Re: (Score:2)
All of the things you name also apply to cash.
Cheese (Score:2)
the payoff for this is just too small to be worth their effort.
$400,000 buys a lot of cheese [newsweek.com].
Re: (Score:2)
After you launder it (losing significantly in fees and exchanges) etc I think you will find it buys very little cheese.
$200,000 isn't a lot of cheese for one guy?
I can't believe I didn't know about this (Score:2)
Reddit, Twitter, GitHub and the GalacticTalk forums? OMG, how did I miss this important information?
No worries... (Score:5, Insightful)
You can just call their bank and ask them to refund the fraudulent transfer... no?
Ok, how about filing an FDIC insurance cla... nope?
Ok, how about calling the police and having them start an invest... wait, they laughed at you over the phone? Well, that's just mean.
Maybe they can contact their local attorney and... they don't want to take the case because they can't even find the correct plaintiff? Damn.
Well, fuck. Maybe this cryptocurrency fad isn't as great as they made it sound on Reddit.
Re: (Score:2)
Or ... Twitter, GitHub, the Stellar Community and GalacticTalk forums ...
The ledger and crypto currency thefts (Score:2)
So with most crypto currencies having a public, distributed ledger, how do thieves expect to pass off their stolen crypto coins? The ledger would clearly show any transfers to other wallets, would it not? So theoretically could the thieves be "id'd" in some fashion when they try to sell the coins to other users? I realize the ids are just hashes, but still if the exchanges have backups, they should be able to at least identify the stolen wallet ids, wouldn't they? While it might not be able to prevent t
Re: (Score:2)
It's completely possible to:
a) steal cryptocurrency
b) sit on it
c) wait for statute of limitations for relevant crimes to run out
d) then transfer it safely, knowing no one is paying attention any more or can do anything. If you stole enough, it's POSSIBLE the blockchain would get forked just to spite you... but probably not
I wonder how many thieves have made a fortune doing this, by virtue of the cryptocurrency exploding in value after the theft
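The question two posts up, whether a public ledger lets the stolen coins be followed, is answerable in code. The block below is an added example, not Stellar tooling or anything from the thread; every account name and payment in it is constructed. Stellar is account-based rather than UTXO-based, so the model tracks balances per account and propagates taint proportionally ("haircut" taint: each outgoing payment carries the sender's current stolen fraction). FIFO and poison are the other common conventions; which one a court or an exchange accepts is a policy choice, not a property of the ledger.

```python
"""Following stolen funds on a public, account-based ledger with proportional
("haircut") taint. Added example, not Stellar tooling or anyone's code from the
thread; every account name and payment below is constructed."""
from collections import defaultdict
from fractions import Fraction

# Constructed payments as (ledger sequence, source, destination, amount).
# THIEF is the wallet the stolen Lumens were pushed to; LAUNDER1/2 are hops;
# EXCHANGE is a deposit account the exchange can tie to a customer.
LEDGER = [
    (1, "VICTIM_A", "THIEF", 500),
    (2, "VICTIM_B", "THIEF", 300),
    (3, "THIEF", "LAUNDER1", 600),
    (4, "THIEF", "LAUNDER2", 200),
    (5, "HONEST", "LAUNDER1", 400),     # clean funds mix in at LAUNDER1
    (6, "LAUNDER1", "EXCHANGE", 500),
    (7, "LAUNDER2", "EXCHANGE", 200),
    (8, "HONEST", "EXCHANGE", 100),
]


def trace_taint(ledger, origin):
    """Replay payments in ledger order. Every account carries a balance and the
    part of it that descends from `origin`; each outgoing payment carries the
    sender's current tainted fraction. Everything paid into `origin` counts as
    loot. Accounts funded outside the excerpt start with no known balance, so
    their payments are treated as clean.
    Returns ({account: (balance, tainted)}, [(seq, src, dst, amount, tainted)])."""
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    flagged = []
    for seq, src, dst, amount in sorted(ledger):
        amount = Fraction(amount)
        share = tainted[src] / balance[src] if balance[src] > 0 else Fraction(0)
        moved = amount if dst == origin else amount * share
        tainted[src] = max(tainted[src] - amount * share, Fraction(0))
        balance[src] = max(balance[src] - amount, Fraction(0))
        balance[dst] += amount
        tainted[dst] += moved
        if moved > 0:
            flagged.append((seq, src, dst, amount, moved))
    report = {a: (balance[a], tainted[a]) for a in set(balance) | set(tainted)}
    return report, flagged


def exposure(report, account):
    """Fraction of an account's current balance that traces back to the theft."""
    balance, tainted = report.get(account, (Fraction(0), Fraction(0)))
    return tainted / balance if balance > 0 else Fraction(0)
```

On the constructed ledger the exchange ends up holding 800 with 500 of it traceable to the theft (exposure 5/8), and payments 1, 2, 3, 4, 6 and 7 are flagged while the two payments from HONEST are not. Exact arithmetic (`Fraction`) matters here because an exchange acting on this will be asked to justify the number. The limits match the thread's intuition: the thief can split the loot across thousands of fresh accounts, taint only turns into a name when one of those accounts hits a KYC'd deposit address, and a thief who simply sits on the funds never shows up at all.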
Re: (Score:1)
Trading in stolen goods is an on-going crime, so the statute of limitations does not apply:
https://www.quora.com/If-a-cer... [quora.com]
Re: (Score:2)
Other methods, if you can find a vendor that accepts bitcoin: you buy easily sold virtual goods like gift cards, game or software keys etc., which you then hock to one of the dodgy resellers like those on reddit. Sure, you lose a large chunk of what you stole, but you get the money clean with a very long and difficult trail to track down.
The truly amusing part, if they decide to take the software key disposal method, is that some of those that got robbed may actually be funding the criminals that robbed them.
only idiots use online wallets (Score:2)