Bittrex Account robbed of $1,500.00
Good Morning,
I've been robbed. Yesterday, Friday August 12th, an unauthorized person(s) entered my Bittrex account, cancelled my Open sell orders of 3.22411950 Bitcoin Cash and 50053.58520492 Burst and sold them at the the current bid prices to then siphon out of my account 0.39600000 BTC, at current trading that stands at a touch under $1500. The whole process took the attackers roughly 15 minutes, it well executed and I want to warn others to stop the possibility of it happening to them.
It's a bitter pill for me to swallow as by day I am a network engineer, Cisco certified, I've studied for CEH and have been using network devices to stop what happened to me happening to users of our corporate WAN for the past 10 years. I've lost some pride and quite frankly I am a bit embarrassed that this has happened but the experience needs to be shared for the greater good against the evil.
So what happened, excuses aside I am going to detail the process from start to finish, then look at what I did wrong (because I missed some warning signs) and then I will look at other aspects out of my control that were beneficial to the hackers.
I was presented then with what I now know to be a fake bittrex.com login page, below to the left is the fake login screen and to the right is the correct login screen. I proceeded to login.
I was then shown a browser security check screen (below) which was not up for long 1 - 2 minutes max and then asked for my 2FA code at which point I was presented with the browser security screen check again.
After a few minutes of the 2FA code being entered I twigged that something wasn't right so I killed the PaleMoon session and fired up Chromium and went to Bittrex directly via URL and logged in. I went to BCC initially and saw no open orders, I then checked Burst again no open orders so I went to wallets and the I had 0.39649509 BTC showing which for a second I was trying to figure out if my orders had been met.
Then everything then clicked in my brain and I knew I was being robbed, the hackers were obviously in the account at the same time as I was and were looking to now move the BTC, so I went to the support section to see if was possible to make contact with Bittrex, nothing was strikingly obvious but I somehow managed to disable my account, see Bittrex Logs below. ( as a side note I was unable to retrace the 'Disable My Account' steps again but it did apparently work as depicted in the logs below, to get the 'Disable My Account' screenshot I used Google to bring up the page).
* Bittrex Timestamps are -1 hour GMT
However, despite the fact I thought I had disabled the account, it told me it was disabled and it showed disbaled in the logs the funds still left my account and hit the Blockchain 3 minutes later https://blockchain.info/address/17Jc3QriP1VuH7wWCtE3uwATnEFUzKisEH
In among all the chaos I received a notification email stating my API keys had changed;
I emailed Bittrex as advised in the security email but got a reply saying log it through the 'Submit a Request' form.
I logged a ticket with Bittrex through the contact form yesterday at 17:20pm, as yet I've not heard back.
For something quite important like an account being compromised it seems I was going in circles, perhaps I should have familiarized myself with the process for this exact type of situation.
So analyzing what happened, my mistakes were as follows;
1. I used a search engine instead of accessing the Bittrex directly. I never usually do this, I switched from Chromium to PaleMoon that morning as I was seeing some lag, the PaleMoon default page was set to use Duckduckgo.com (also I do not usually use Duckduckgo.com) and for some reason (probably distraction \ multitasking) I searched Bittrex via Duckduckgo.com
2. The top result was an 'AD' I shouldn't have clicked on this but I didn't notice it.
3. I didn't thoroughly check the cert (although I did take a quick look at it), I'll discuss and examine the cert in more detail later.
4. The URL was different, the fake site omitted /account/login and I did not notice this initially either.
What helped the attackers:
1. The disable account setting does not appear to do anything in Bittrex. Funds still left my account and I was able to access it multiple times after despite the fact it was meant to be 'locked' for 24 hours from me hitting the button.
2. Although you can IP white list on Bittrex (not useful for me as my ISP IP is dynamic) the fact that for the first time persons entered my account from IP's in Poland did not flag any warning signs to the system. Geo IP blocking would be a better option (although I realize attackers could use a VPN it would make it more tricky ientifying the host country of the account holder and potentially buy some time)>
3. I did not receive an withdrawal email notification to my email address. Ok, so 2FA was enabled but it's clearly susceptible to clever social engineering \ phishing type attacks. Turning one layer of protection on should not by default turn another layer off. I would have been able to stop the transaction if I were still getting email notifications. Multiple levels of security is much better in any situation, the trade off is convenience (which doesn't compare to losing a shed load of money).
4. They were able to have their website purport to be bittrex.com, even the cert showed this.
5. There is not quick support on hand from Bittrex, you need to go through a maze of questions to fill out a form by which time your account would probably already be empty. A kill switch (that works) would be nice.
Looking at the attack and what else could be done ?
1. So looking at the cert in more detail I was initially puzzled because when I checked the cert during my fake sign in I got this message when I clicked on the cert info:
However using IE I was able to look at the subject alternative name and see the cert was dodgy by the other sites listed in there, below left is the fake site and below right the real one.
What puzzles me is how the cert was issued by a Trusted CA such as Comodo. When I have requested certs before from Comodo all SAN domains must be verified (usually with a phone call and email from admin \ administrator of the domain holder) before issuance. I'll get in touch with Comodo to see what happened here (unless someone can enlighten me?).
When at work I have often say to our 1st line techs and 2nd line engineers that if your public facing netblock is fully patched, utilizing things like a DMZ, NAT and reverse proxies then the weakest link is probably going to be a human.
Ironically I proved my own point and lost a load of crypto because of it.
Thanks for reading and if you use or know anyone who uses Bittrex please share, I would hate someone else to go through what I did.
As you know, going anywhere important should always be done directly via address bar. once you clicked on an ad instead, it was game over.
Yep, I know, a costly mistake to say the least.
Just like you, my bread and butter is Cyber Security.
You simply made a common error of most victims on the internet, clicking a link on a web page. Not a fan of duck search engine so I can't share any info.
Consider it as hard lesson learned. And regarding your funds, good luck to recover it but I doubt it.
Cheers for now,
@Yehey
I know .. I backed out of something recently after thinking twice .. but know it is convenient and the crooks know that also. Thanks for reminding me of that point. @crytoreturn
Beware of this links on search engines which has an ad label on it most are used for phishing.
Oh man, I'm sorry that really sucks.
Thanks for sharing your story though, hopefully it helps someone else avoid the same situation.
Wait a second, even if the attacker got into your bittrex, shouldn't he had to hack your email adress too, for withdrawing your funds? In that case I suggest you to change your email password or change directly email provider, for better security.
It appears email withdrawal notifications were turned off automatically when I switched to 2FA? I didn't realize. That's why I said they should not be turning off a layer of protection in favor of another layer, multiple layers of protection is far better. To be clear my email account was not hacked, I could have stopped this is the notifications were on. Thinking about it the attackers could have disabled this feature when they gained access to my Bittrex account.
I gotta admit they have been smart, in this case, yeah I saw a couple of "better" attempt at phishing, using ascii letters for replacing the "i" with something really similar, but I would have never clicked on an ad, it's even if it comes from ducky. :(
Indeed, inexcusable on my part.
How do people steal for a living and think it's okay? Really puzzled by people's justifications for theft and dishonesty.
Whoa... I guess it wouldn't hurt to check mine!
The whole problem as you clicked not a search result, but an add.
The name is almost the same, but they use "l" instead of a "i" in the URL.
Really hard to distinguish, I stared long time on the image...
Anyway thanks for sharing this info
as I see now you made $89 with this post, I hope this can be considered as modest compensation)
I'm sorry about your loss man.
About the Comodo and certificate ... it's nothing wrong from my point of view.
Someone registered SSL certificate for a domain named bLttrex. It's our brains that are "reading" a letter L as a letter I. It's a common phishing tactics.
Use your bookmarks to get to the crypto exchanges is easy and quite effective way to eliminate false addresses.
Omg I need my eyes tested, I didn't see that. Thanks for pointing it out !
While it's a tough pill to swallow, really appreciate the detailed info. Hopefully this can stop future attacks to anyone else. I myself greatly appreciate the info being new to all this. Thank you!
Congratulations @cyrixboy! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP