Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Hijack DNS For Lumens Cryptocurrency Site 'BlackWallet', Steal $400,000 (bleepingcomputer.com)

Posted by EditorDavid on from the taking-the-money-and-running dept.

An anonymous reader quotes BleepingComputer: Unknown hackers (or hacker) have hijacked the DNS server for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM), and have stolen over $400,000 from users' accounts. The attack happened late Saturday afternoon (UTC timezone), January 13, when the attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to their own server. "The DNS hijack of Blackwallet injected code," said Kevin Beaumont, a security researcher who analyzed the code before the BlackWallet team regained access over their domain and took down the site. "If you had over 20 Lumens it pushes them to a different wallet," Beaumont added...

According to Bleeping Computer's calculations, as of writing, the attacker collected 669,920 Lumens, which is about $400,192 at the current XML/USD exchange rate. The BlackWallet team and other XLM owners have tried to warn users via alerts on Reddit, Twitter, GitHub, the Stellar Community and GalacticTalk forums, but to no avail, as users continued to log into the rogue BlackWallet.co domain, enter their credentials, and then see funds mysteriously vanish from their wallets.

28 of 95 comments (clear)

  1. XML by Anonymous Coward · · Score: 1

    "at the current XML/USD exchange rate"

    Microsoft's going to be happy with their XML (ab)use!

  2. A fool and his tulip is soon separated by Anonymous Coward · · Score: 1

    Unless he finds a bigger fool to sell it too before the bubble bursts.

    Yes I am sad I didn't get in on this bubble at the beginning but not that sad. Let's face it: Bitcoin is no longer behaving like a currency. It's now a speculative game like tulips.

    Alas I am late to this game and you should never enter a market when it looks like the bubble is about to burst.

    Not that sad anyway because it's a gamble. If you're kicking yourself for missing the Bitcoin bubble why not invest in some other cryptocurrency now? Yeah. I thought so.

    1. Re: A fool and his tulip is soon separated by Highdude702 · · Score: 1

      Ethereum is rising, slowly.. but rising.

    2. Re:A fool and his tulip is soon separated by godel_56 · · Score: 1

      Unless he finds a bigger fool to sell it too before the bubble bursts.

      Yes I am sad I didn't get in on this bubble at the beginning but not that sad. Let's face it: Bitcoin is no longer behaving like a currency. It's now a speculative game like tulips.

      Alas I am late to this game and you should never enter a market when it looks like the bubble is about to burst. Not that sad anyway because it's a gamble. If you're kicking yourself for missing the Bitcoin bubble why not invest in some other cryptocurrency now? Yeah. I thought so.

      And the best time to buy into real estate was always 20 years ago.

  3. Any bets? by cold+fjord · · Score: 1, Interesting

    Any bets this is who is behind it?

    Kim Digs for Cybercrime Coin Sanctions Can’t Snatch

    And is that leading to this?

    South Korea plans to ban cryptocurrency trading, rattles market

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:Any bets? by bloodhawk · · Score: 1

      the payoff for this is just too small to be worth their effort. personally I would hazard a bet at either an inside job or a lone individual. The risks vs payoff are just to small for the more significant parties to be involved.

    2. Re:Any bets? by cold+fjord · · Score: 1

      Oh, I don't know about that. $400,000 isn't exactly chump change. Besides . . .

      U.S. blames North Korea for 'WannaCry' cyber attack

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:Any bets? by rtb61 · · Score: 2

      Let's be honest, it is all about dishonesty. What is the nature of the current cryptocurrency market, it's dishonesty, about cheating taxes, about ponzi scheme, it's about funding criminal operations, not all of it but well and truly sufficient of it to attract criminals to it in droves. That means criminal investors, criminal business and criminal employees. With regard to fraud in that environment, look not further than it's own members. First suspect in all cryptocurrency frauds, have to be it's employees and business operators, they have to prove their innocence, not requiring them, 100% enables them to cheat the system, they designed and control, the required inside knowledge, to exploit the system internally and externally. Shit wages, not a problem, just fill your pockets, owners, managers, tech staff, even janitors (people leave passwords all over). It is the nature of that business, that they must prove their innocence, otherwise you schmucks are going to get ripped of again and again and again.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:Any bets? by gravewax · · Score: 1

      WannaCry was hugely disruptive, this by comparison is a blip that affected almost nobody. It also is only 400k PRIOR to laundering, the process of laundering and extracting that money will take a huge chunk out of it.

    5. Re:Any bets? by cold+fjord · · Score: 1

      The point of both was to obtain money. $400,000 is a pretty good haul for limited work. What do you think the average take was for wannacry? I doubt it was $400,000. I doubt laundering it will be a big challenge for North Korea, North Korea is a criminal enterprise in itself. It is possible they won't have to do much if they plug it back into criminal activity on the dark web.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    6. Re:Any bets? by Agripa · · Score: 1

      All of the things you name also apply to cash.

  4. I can't believe I didn't know about this by PopeRatzo · · Score: 1

    The BlackWallet team and other XLM owners have tried to warn users via alerts on Reddit, Twitter, GitHub, the Stellar Community and GalacticTalk forums

    Reddit, Twitter, GitHub and the GalacticTalk forums? OMG, how did I miss this important information?

    --
    You are welcome on my lawn.
  5. No worries... by supremebob · · Score: 4, Insightful

    You can just call their bank and ask them to refund the fraudulent transfer... no?

    Ok, how about filing an FDIC insurance cla... nope?

    Ok, how about calling the police and having them start an invest... wait, they laughed at you over the phone? Well, that's just mean.

    Maybe they can contact their local attorney and... they don't want to take the case because they can't even find the correct plantiff? Damn.

    Well. fuck. Maybe this cryptocurrency fad isn't as great as they made it sound on Reddit.

    1. Re:No worries... by CaptainDork · · Score: 1

      Or ... Twitter, GitHub, the Stellar Community and GalacticTalk forums ...

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:No worries... by euxneks · · Score: 1

      This is exactly like if you stored cash at somebody else's house and they got robbed. Do they have insurance? Did they say they would cover any theft of your money? If not, you're probably SOL.

      --
      in girum imus nocte et consumimur igni
  6. Who the fuck modded up the parent?! by Anonymous Coward · · Score: 2, Informative

    Who the fuck modded up the parent comment?! It's a perfect example of how dumbed-down Slashdot has become lately, and how this dumbing down results in fucking idiotic comments, like the parent comment, getting incorrectly modded up.

    DNS and TLS are separate, independent technologies.

    One or more DNS requests will be made prior to a HTTP connection, encrypted or not, being made to a web server.

    HTTPS certificates and encrypted HTTP connections can't do a damn thing about a DNS server returning an incorrect result, regardless of whether this is done maliciously or not.

    In fact, some certificate authorities treat control over the DNS records for a web site as being sufficient proof of ownership to grant a certificate for that web site.

    So an attacker who controls the DNS records of a web site could potentially obtain a certificate that browsers would treat as valid.

    You clearly have no idea what you're talking about, so please refrain from subjecting us to your utter bullshit.

    1. Re:Who the fuck modded up the parent?! by Anonymous Coward · · Score: 4, Interesting

      You clearly have no idea what you're talking about, so please refrain from subjecting us to your utter bullshit.

      Neither do you, professor. Strict transport security combined with public key pinning would have mitigated the attack, for the most part at least.

    2. Re:Who the fuck modded up the parent?! by Anonymous Coward · · Score: 1

      > HTTPS certificates and encrypted HTTP connections can't do a damn thing

      It's a perfect example of how dumbed-down Slashdot has become lately.

      You can add a HSTS header to your HTTPS website to prevent later hijacking, provide the user has previously accessed to the website. And you can always preload the HSTS policy of your website to the SOURCE CODE of common web browsers (If you have a mission-critical website and haven't done this yet, apply it at https://hstspreload.org/). In addition, Firefox (since 59) and Chrome will mark every single HTTP website as "insecure", and it can also be a stop-gap to warn a proportion of users.

      Sure, the protection is still limited to new browsers, and HSTS preloading has a delay of 3 to 4 months, but the HTTPS is still far from best practice. Stop being overreacting and claiming it "can't do a damn thing".

      And don't put CRLF to every single sentence you are starting, it makes people believe you are coming from Reddit.

    3. Re: Who the fuck modded up the parent?! by Anonymous Coward · · Score: 1

      Public key pinning has been deprecated due to being better as a DDOS vector than as a protection method and will be gone from future Chrome. What's left is HSTS which is so negligable for these cases (why are you even listening to port 80?) that parent is right.

  7. Re:Whither HTTPS? by sodul · · Score: 1

    I'm actually wondering.With https://letsencrypt.org/ letting you automagically get a SSL cert that is trusted by the browsers without warnings wouldn't anyone with control over your domain be able to look good for most browsers?

  8. Re:Whither HTTPS? by Anonymous Coward · · Score: 1

    DNSSEC is supposed to handle this. DNSSEC would mean as long as the domain name registration (and thereby key registration with the parent domain) was safe, they wouldn't have been able to generate new DNS entries without signing them, so they couldn't have done anything with the dns server they hijacked.
    Of course if they managed to get control of the DNS registration then that's another issue.

  9. The ledger and crypto currency thefts by caseih · · Score: 1

    So with most crypto currencies having a public, distributed ledger, how do thieves expect to pass off their stolen crypto coins? The ledger would clearly show any transfers to other wallets, would it not? So theoretically could the thieves be "id'd" in some fashion when they try to sell the coins to other users? I realize the ids are just hashes, but still if the exchanges have backups, they should be able to at least identify the stolen wallet ids, wouldn't they? While it might not be able to prevent the network from processing transactions from these stolen wallets, there should be at least a trace or indication that these stolen coins are moving.

    Every time I hear about a theft I wonder about this.

    1. Re:The ledger and crypto currency thefts by mentil · · Score: 1

      It's completely possible to:
      a) steal cryptocurrency
      b) sit on it
      c) wait for statute of limitations for relevant crimes to run out
      d) then transfer it safely, knowing noone is paying attention any more or can do anything. if you stole enough, it's POSSIBLE the blockchain would get forked just to spite you... but probably not

      I wonder how many thieves have made a fortune doing this, by virtue of the cryptocurrency exploding in value after the theft

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    2. Re:The ledger and crypto currency thefts by pcr_teacher · · Score: 1

      Trading in stolen goods is an on-going crime, so the statute of limitations does not apply:
      https://www.quora.com/If-a-cer...

    3. Re:The ledger and crypto currency thefts by bloodhawk · · Score: 1

      Other methods if you can find a vendor that accepts bitcoin is you buy easily sold virtual goods like gift cards, game or software keys etc which then then hock to a one of the dodgy resellers like those on reddit. sure you lose a large chunk of what you stole but you get the money clean with a very long and difficult trail to track down.

      The truly amusing part, if they decide to take the software key disposal method, is that some of those that got robbed may actually be funding the criminals that robbed them.

  10. Cheese by Frosty+Piss · · Score: 1

    the payoff for this is just too small to be worth their effort.

    $400,000 buys a lot of cheese.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Cheese by Frosty+Piss · · Score: 1

      After you launder it (losing significantly in fees and exchanges) etc I think you will find it buys very little cheese.

      $200,000 isn't a lot of cheese of one guy?

      --
      If you want news from today, you have to come back tomorrow.
  11. only idiots use online wallets by slashmydots · · Score: 1

    The title says it all. My Siacoins are in my local wallet and it's like 4GB of data to hold the entire blockchain. Stop being lazy, people!