Slashdot Mirror


In a Remarkable Turn of Events, Hackers -- Not Users -- Lost Money in Attempted Cryptocurrency Exchange Heist (bleepingcomputer.com)

The hackers who attempted to hack Binance, one of the largest cryptocurrency exchanges on the Internet, have ended up losing money in a remarkable turn of events. It all began on Thursday, when thousands of user accounts started selling their Bitcoin and buying an altcoin named Viacoin (VIA). The incident, BleepingComputer reports, looked like a hack, and users reacted accordingly. But this wasn't a hack, or at least not your ordinary hack. The report adds: According to an incident report published by the Binance team, in preparation for yesterday's attack, the hackers ran a two-month phishing scheme to collect Binance user account credentials. Hackers used a homograph attack by registering a domain identical to binance.com, but spelled with Latin-lookalike Unicode characters. More particularly, hackers registered the [redacted].com domain -- notice the tiny dots under the "i" and "a" characters.

Phishing attacks started in early January, but the Binance team says it detected evidence that operations ramped up around February 22, when the campaign reached its peak. Binance tracked down this phishing campaign because the phishing pages would immediately redirect phished users to the real Binance login page. This left a forensic trail in referral logs that Binance developers detected. After getting access to several accounts, instead of using the login credentials to empty out wallets, hackers created "trading API keys" for each account. With the API keys in hand, hackers sprang their main attack yesterday. Crooks used the API keys to automate transactions that sold Bitcoin held in compromised Binance accounts and automatically bought Viacoin from 31 other Binance accounts that hackers created beforehand, and where they deposited Viacoin, ready to be bought. But hackers didn't know one thing -- Binance's secret weapon -- an internal risk management system that detected the abnormal amount of Bitcoin-Viacoin sale orders within the span of two minutes and blocked all transactions on the platform. Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals.
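The homograph domain and the referral-log trail described above, as an added worked example in Python (this is not code from BleepingComputer, Binance or the Slashdot submitter): it shows the xn-- punycode form a browser actually puts on the wire for such a domain, why a skeleton check (strip combining marks) catches dot-below Latin letters while a mixed-script check catches Cyrillic substitutions and neither alone is enough, and how running the same check over the Referer field of the real login page's web-server log surfaces a phishing page that redirects its victims there. The two lookalike hostnames and the log lines are constructed for this example; the dotted domain is an illustration of the technique, not a claim about the exact domain the attackers registered.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed lookalike of binance.com built from Latin letters with a dot
# below (U+1ECB, U+1EA1), to illustrate the technique in the summary. It is an
# assumption for the example, not a claim about the exact domain registered.
LOOKALIKE = "b\u1ecbn\u1ea1nce.com"
# Second constructed lookalike: Cyrillic small i (U+0456) in place of Latin i.
MIXED = "b\u0456nance.com"
PROTECTED = {"binance.com"}          # brands we own and want to guard


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form that DNS, TLS and the Referer header carry."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Reverse of to_punycode; non-ASCII input is returned unchanged."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def skeleton(label: str) -> str:
    """Crude visual skeleton: decompose, drop combining marks, casefold.
    'b\u1ecbn\u1ea1nce' -> 'binance'. Production code should use the full
    Unicode TR39 confusables table; this covers only the accent/dot subset."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def scripts(label: str) -> set:
    """Scripts used by the letters in one label, taken from character names
    ('LATIN', 'CYRILLIC', 'GREEK', ...). Heuristic, but adequate here."""
    return {unicodedata.name(c, "?").split(" ", 1)[0] for c in label if c.isalpha()}


def check_domain(domain: str, protected=PROTECTED) -> dict:
    """Flag a host that is an IDN, mixes scripts in its first label, or whose
    skeleton collides with a protected brand while the host itself differs."""
    host = to_unicode(domain.lower().rstrip("."))
    ascii_form = to_punycode(host)
    skel = ".".join(skeleton(lbl) for lbl in host.split("."))
    return {
        "input": host,
        "punycode": ascii_form,
        "is_idn": any(lbl.startswith("xn--") for lbl in ascii_form.split(".")),
        "mixed_script": len(scripts(host.split(".")[0])) > 1,
        "lookalike_of": skel if (skel in protected and host != skel) else None,
    }


# Combined-log-format line: ... "GET /login HTTP/1.1" 200 512 "<referer>" "<ua>"
LOG_RE = re.compile(r'" (?P<status>\d{3}) (?:\d+|-) "(?P<ref>[^"]*)"')


def build_sample_log() -> list:
    """Constructed web-server log lines for the real login page. A phishing
    page that redirects its victim there leaves its own host in the Referer."""
    return [
        '203.0.113.5 - - [07/Mar/2018:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "https://binance.com/" "Mozilla/5.0"',
        f'203.0.113.9 - - [07/Mar/2018:10:01:07 +0000] "GET /login HTTP/1.1" 200 512 "https://{to_punycode(LOOKALIKE)}/" "Mozilla/5.0"',
        f'203.0.113.12 - - [07/Mar/2018:10:02:31 +0000] "GET /login HTTP/1.1" 200 512 "https://{to_punycode(MIXED)}/" "Mozilla/5.0"',
        '203.0.113.20 - - [07/Mar/2018:10:03:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    ]


def suspicious_referers(log_lines, protected=PROTECTED) -> list:
    """Return (referer_host, verdict) for every Referer that looks like a
    homograph of a protected brand or mixes scripts in its label."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("ref") in ("-", ""):
            continue
        host = urlparse(m.group("ref")).hostname
        if not host:
            continue
        verdict = check_domain(host, protected)
        if verdict["lookalike_of"] or verdict["mixed_script"]:
            hits.append((host, verdict))
    return hits


if __name__ == "__main__":
    for host, v in suspicious_referers(build_sample_log()):
        print(f"{host} -> {v['input']}  idn={v['is_idn']}  "
              f"mixed_script={v['mixed_script']}  lookalike_of={v['lookalike_of']}")
```

The dotted domain is pure Latin script, so a mixed-script rule never fires on it; only the skeleton comparison catches it. The Cyrillic substitute is the mirror image: its letter has no decomposition, so the skeleton still differs from the brand, and only the script check catches it. A production filter would replace `skeleton` with the TR39 confusables table and add the brand's registered variants to `PROTECTED`, but the two-pronged structure stays the same.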

56 comments

  1. Unicode hack? by ls671 · · Score: 1

    So, it is kind of a Unicode hack?

    Unicode wasn't allowed initially in domain names if I recall correctly.

    --
    Everything I write is lies, read between the lines.
    1. Re:Unicode hack? by mysidia · · Score: 2

      PUNYCODE. Which was INITIALLY only allowed under Non-Latin Country Code TLDs.

      If you think about it.... it makes no sense to have (NON-LATIN BLOB).com or (NON-LATIN BLOB).net

      I'm not sure exactly who is to blame for PunyCode suddenly being enabled under additional Latin TLDs such as .COM,
      but I suspect it is either ICANN or Verisign we should blame for this stupid shit, And of course.... the browser makers such as Google and Firefox had to be complicit in changing from the original defaults which was to Refuse to interpret Punycode under Latin TLDs.

      So there are a BUNCH OF ENTITIES who are complicit in this because of Willfully ignoring the security problems Or deciding that supporting internationalized names under the US/Latin Suffixes is "more important".

    2. Re:Unicode hack? by Train0987 · · Score: 4, Interesting

      They allow it for the same reason we have 100 new TLDs. Profits. Now there are many new variant domains that a company must register in order to avoid squatters.

    3. Re:Unicode hack? by Tom · · Score: 5, Interesting

      They would never do such a thing! The new TLDs are all for the purpose of users and convenience and helpful to Internet users. That is why we got .aero as one of the first ones...

      The real sad part is that nobody stopped them. The good part is that the new TLDs are largely ignored. There was a short period where you would see people advertising their .biz addresses, then it stopped and went back to normal.

      So the world was telling ICANN to go and fuck themselves. Allowing Unicode and the entire attacks possible with it was their spiteful revenge.

      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:Unicode hack? by Anonymous Coward · · Score: 0

      And it never *should* have been permitted, precisely due to domain squatting and fake(ish) domains that are indistinguishable to the normal eye. Much like Unicode in C++, its main point is to puff up the lines of code needed and paid for.

    5. Re:Unicode hack? by tattood · · Score: 3, Informative

      And of course.... the browser makers such as Google and Firefox had to be complicit in changing from the original defaults which was to Refuse to interpret Punycode under Latin TLDs.

      Brian Krebs wrote punycode yesterday. Chrome and Microsoft Edge and IE will not display the punycode, but rather the ascii representation of it. Firefox does show the punycode by default, but you can change it in settings.

      --
      WTB [sig], PST!!!
    6. Re:Unicode hack? by amorsen · · Score: 2

      The silly thing is that punycode solves exactly zero problems that simply making whitelists of utf-8 characters in domains would not have solved equally well, and every problem caused by whitelisted utf-8 characters also plagues punycode. Plus of course punycode adds its own set of problems.

      --
      Finally! A year of moderation! Ready for 2019?
    7. Re: Unicode hack? by Anonymous Coward · · Score: 0

      What rock have you been living under? This isn't new!

    8. Re:Unicode hack? by angel'o'sphere · · Score: 1

      Well, you can reach me via email at firstname.lastname@comsoft.aero ... I like that email address. The job is cool, too.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    9. Re:Unicode hack? by VanessaE · · Score: 1

      Wrong on all counts. Krebs wrote *about* the method yesterday, but Punycode is far older: https://tools.ietf.org/html/rf... (A. Costello, March 2003).

      Furthermore, you have it exactly backward: Chrome/IE/Edge DO display the non-Latin URL as Punycode (that is, rendered into normal ASCII gibberish). Firefox just displays it straight.

    10. Re:Unicode hack? by Anonymous Coward · · Score: 0
    11. Re:Unicode hack? by thegarbz · · Score: 1

      The good part is that the new TLDs are largely ignored

      Not by everyone. Some of us actively block them.

  2. Yes by Anonymous Coward · · Score: 0

    But how did they lose money?

    1. Re:Yes by slazzy · · Score: 1

      They probably had accounts on Binance which were frozen...

      --
      Website Just Down For Me? Find out
    2. Re:Yes by bigwheel · · Score: 4, Informative

      FTFA: Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals. Furthermore, in the subsequent investigation, Binance identified the 31 accounts, reversed all transactions, and confiscated the original Viacoin funds that hackers deposited in the accounts.

    3. Re:Yes by Anonymous Coward · · Score: 0

      How did they identify the 31 accounts? Are they sure that there wasn't at least one user who just happened to deposit some Viacoin and try to sell it when the price went up? It sounds like Binance just stole some of their users money.

    4. Re:Yes by Anonymous Coward · · Score: 1

      So Binance stole Viacoin from the hackers... I'm conflicted about this.

    5. Re:Yes by Anonymous Coward · · Score: 1

      I wonder if the average cryptocurrency advocate will celebrate this today, and then months later wonder why he can't sell any of his currency during a downturn. The admins will of course be able to sell first, though...

    6. Re:Yes by stephanruby · · Score: 1

      In which case, they didn't lose the money for sure.

      They could also claim that their accounts got hacked but through a different attack vector.

    7. Re:Yes by jetkust · · Score: 3, Interesting

      Just ask them to come forward in person to claim them.

    8. Re:Yes by jbmartin6 · · Score: 1

      Apparently Binance had a risk management system which alerted on the abnormal activity and they were able to block it in time.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    9. Re:Yes by Locke2005 · · Score: 1

      Exactly! "Identify yourself IN PERSON, and we'll see about getting you your money back!"

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    10. Re:Yes by ark1 · · Score: 1

      This is actually pretty standard procedure. "We have detected abnormal activities on your account and have taken proactive measures to prevent potential damage. Please contact our lovely support.. @ we take your security very seriously"

  3. What the other cryptocurrency? by Anonymous Coward · · Score: 1

    How is the 2LipBulb cryptocurrency? Folks in the Netherlands swear by it.

  4. Reminds me of... by Anonymous Coward · · Score: 0

    ....when you lick a butthoal you lick it for life!!!

  5. Redacted? by bigwheel · · Score: 3, Funny

    Good thing TFS redacted the domain name. Now a person has to read TFA to see the text, and we know that will never happen.

    1. Re: Redacted? by LordKronos · · Score: 5, Funny

      It didn't even need to be redacted. This is slashdot. We don't support Unicode here.

    2. Re: Redacted? by pD-brane · · Score: 2

      That's why they redacted it!

    3. Re: Redacted? by nitehawk214 · · Score: 1

      Actually that is exactly why it was redacted, to avoid making Slashdot look foolish and backwards. The excerpt is directly ripped from the article with only that change.

      I would be surprised if it was the editor that did it, however. There used to be a link to see the original submission, but I can't find it. It was probably removed to avoid making the editors look foolish, too.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    4. Re: Redacted? by smallfries · · Score: 1

      Sö yöo såy

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    5. Re:Redacted? by Anonymous Coward · · Score: 0

      It prevents a big site like Slashdot linking to the hacker's domain though and pushing it up in search engine rankings as a result.

  6. Die thief die! by Anonymous Coward · · Score: 0

    Somewhere there is a Black Hat that's gonna be dead if some money doesn't get paid back. The big boys don't like it when you lose their money in a hack gone bad. So what happens to the money. Does Binance keep it? Turn it over (read give to the police fund) to the government?
    The banks? Who?
    I'd say it goes to charity.

  7. Re:Unicode hack? - English only Please! by anon+mouse-cow-aard · · Score: 3, Informative

    I bet you only speak English. For people who speak other languages, Unicode is rather useful. Yes, different languages use different character sets that can resemble each other. Yes, people can be fooled, but security doesn't trump the ability to have natural looking URLs in the native languages of most of the planet. télétoon.com (doesn't work) is much more natural than teletoon.com to a French speaker. At least vidéotron.com works (it gets rewritten to canonical videotron.com). There are plenty of legitimate uses for that feature. Add to that that most western European language speakers are completely used to accented characters, so usually the only ones likely to be fooled are the English-only speakers. So you want to limit the web to English DNS entries because English speaking people don't notice accented characters. Sorry, world won't comply.

  8. Browser alert on Unicode urls by enriquevagu · · Score: 2

    I almost never visit (legit) sites using unicode characters. I'd love my browser warning me whenever I visit one -- just in case.

    1. Re:Browser alert on Unicode urls by angel'o'sphere · · Score: 1

      Which browser do you use, that it gives you a warning?
      And is that warning about the URL or the sites contents?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re:Browser alert on Unicode urls by Anonymous Coward · · Score: 0

      He said, "I'd love my browser warning me whenever I visit one -- just in case.".

      That is a contraction for 'I would'.

    3. Re:Browser alert on Unicode urls by mu22le · · Score: 2

      I almost never visit (legit) sites using unicode characters. I'd love my browser warning me whenever I visit one -- just in case.

      Check out IDND https://lingvo.org/idnd

    4. Re:Browser alert on Unicode urls by Anonymous Coward · · Score: 0

      In FireFox, the about:config option is network.IDN_show_punycode

    5. Re:Browser alert on Unicode urls by thegarbz · · Score: 1

      I almost never visit (legit) sites using unicode characters.

      I have a related question: For English speaking content, are there any legit sites using unicode characters?

    6. Re:Browser alert on Unicode urls by tobiah · · Score: 1

      cool, thanks

      --
      "The ability to delude yourself may be an important survival tool" - Jane Wagner -
  9. For a change, AI did NOT make news by Provocateur · · Score: 1

    Not A.I. but B.I. as in Binance Intelligence.

    I will wait for the movie version on Netflix, but Kevin Spacey can pass on this role.

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  10. Re:Unicode hack? - English only Please! by Anonymous Coward · · Score: 0

    No one pulled your string, the owners of the internet are talking here.

    If you want your unneeded characters spin up minitel.

  11. Saw this happen IRL once with a safe-cracker by bubblegoose · · Score: 4, Interesting

    I had a job installing security systems many years ago. There was a grocery store in a slightly isolated area; it had an alarm hooked up with an outside siren and connected to the phone line. It was the 1980s, there were no cellular backups. The would-be safe-cracker pulled the outside siren off the wall with his vehicle and cut all of the phone lines, then he broke in and started working on the safe, ignoring the inside siren. He had about $1000 worth of power tools into the back office and started to drill the safe. He didn't count on the baker coming in early to get a start on the day. When the baker showed up, the robber bugged out the back door. He left behind all of his nice tools. He did cause the business some hardship; they couldn't access the contents of the safe for about 3 days until the locksmith could replace the parts he had ruined. Insurance paid to fix the safe and alarm system, and after that they had their phone lines buried so they couldn't be cut as easily.

    --
    I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
    1. Re:Saw this happen IRL once with a safe-cracker by thegarbz · · Score: 1

      I remember a story in Australia where a guy robbed a petrol station at night. He left the car running. Another customer saw what was happening and took the car keys and walked away. The guy made off with like $200 but had to abandon his far more expensive car when he heard sirens.

  12. Re:Unicode hack? - English only Please! by Baloroth · · Score: 2

    Which is precisely why the GP suggested restricting website character sets by TLD. If you want to have télétoon as your website address, make it télétoon.fr (or télétoon.com.fr), not télétoon.com, as .com is (in practice) a US-centric TLD. This isn't hard and it isn't discriminatory, but the registrars a) want to blackmail website owners into registering more addresses, b) don't give two shits about security, and to top it off c) like virtue-signaling about how open and accepting they are to other cultures (the latter is actually Mozilla's explicit explanation for not displaying punycode for anything ever, because apparently people's feelings are more important to them than their users' security. I don't give a shit if people want their website under the .com TLD; what people want is completely and totally irrelevant: I want a billion dollars, doesn't mean Mozilla should be required to give it to me.)

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  13. Re:Unicode hack? - English only Please! by Anonymous Coward · · Score: 0

    > So you want to limit the web to English DNS entries because English speaking people dont notice accented characters. Sorry, world wont comply.

    Sorry fucker, DNS entries are limited to ASCII. What you are seeing is the punycode transcription in vulnerable browsers (any browser that displays unicode is vulnerable).

    English lost the thorn and eth for international compliance with French and German printing presses. You can do without your assorted dicks and dots to prevent scams.

  14. Anyone can print their own money now by Anonymous Coward · · Score: 0

    Anyone can print their own money now. It is just a matter of finding a bunch of people to buy them from you. Money out of thin air!
    (Of course, a government, which has the authority (and reason), can also print money! So it is really nothing like anybody else!)

    1. Re:Anyone can print their own money now by Locke2005 · · Score: 2

      This is known as the "greater fool theory". Just find someone stupider than you to buy it from you!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Anyone can print their own money now by Locke2005 · · Score: 1

      And if you can't find anybody to buy it from you, guess what? The greater fool is YOU!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Anyone can print their own money now by slew · · Score: 1

      And if you can't find anybody to buy it from you, guess what? The greater fool is YOU!

      “If you sit in on a poker game and don’t see a sucker, get up. You’re the sucker.” - Whispering Saul

    4. Re:Anyone can print their own money now by Anonymous Coward · · Score: 0

      I hate it when people incorrectly attribute old sayings. This existed prior to Whispering Saul or Warren Buffett (the two most commonly incorrectly credited for this); Buffett was even quoted in the seventies as saying it wasn't his, it came from poker.

  15. Re:Unicode hack? - English only Please! by anon+mouse-cow-aard · · Score: 1

    The companies given above are in North America, not .fr, and use of .com for commercial enterprises is pretty universal in Canada, and a lot of their clients are English speaking. Also, there is McGill.edu .net, .org, and dw.com (which is German.) There are many many non-US uses of these domains, and that suited people well for a long time. Like it or not, .com is not American. .com means a business, and is generally used as a multi-national domain, not U.S. specific. Endless examples: seat.com (Spanish division of VW, good luck buying one in the US.), Softbank.com (Japanese), peugeot.com, citroen.com, mercedes-benz.com (is the international web site, not the American one.)

    In any event, even if you had an American domain, that doesn't necessarily mean it's English. Other language television networks or groups in the US should only use English names? telelatino.com, sinovision.net, etc... Country != language. Should dw.com actually be dw.us or dw.com.uk because it is in English, even though it is a German broadcaster? Your position doesn't extend very well either; what about .tv? .org, .net: should they be English only? or other languages allowed? How are people going to know whether a domain allows international characters or not? Now you're going to say .fr domains should be in FR, but there are lots of multilingual countries: Canada (2), Belgium (2), Switzerland (3), India (22).

    Even if you grant everything you say, everybody else in the world (the vast majority of the world's population) would still have the problem of similar looking domains, so you are asking for an English specific solution, that helps only English speaking people, and makes them less able to deal with domains that are outside the intentionally crippled ones reserved for English language usage. So people who are saying "no international characters on this 1 (2? 3?) TLD" are just advocating a ghetto that makes people more vulnerable when the TLD is not one of the select few.

  16. Re:Unicode hack? - English only Please! by Anonymous Coward · · Score: 0

    Why would you need unicode characters for European language URLs?

    For Arabic, Thai or various other languages that have little or nothing in common with the alphabet we use in English, it would make some sense, but for European languages, you're mostly losing the accents and the speakers themselves tend to have workarounds from the days when typewriters only had the characters for one language and not all of them.

  17. Let me be the first to say... by slashmydots · · Score: 0

    Hehehehehehehe. But seriously, why the hell would they keep their stolen coins in accounts on the same site they're stealing from?! THAT'S INSANE!

  18. krypto-kurrency by Anonymous Coward · · Score: 0

    krypto-kurrency is still a thing? It's 2018, not 1849.

    Miner Miner Fourty Niner.

    Make 'murika Greedy Again.

  19. Re:Unicode hack? - English only Please! by Anonymous Coward · · Score: 0

    yet all air traffic is english. as it should be. so should all the rest of the world.