Slashdot Mirror


In a Remarkable Turn of Events, Hackers -- Not Users -- Lost Money in Attempted Cryptocurrency Exchange Heist (bleepingcomputer.com)

The hackers who attempted to hack Binance, one of the largest cryptocurrency exchanges on the Internet, have ended up losing money in a remarkable turn of events. It all began on Thursday, when thousands of user accounts started selling their Bitcoin and buying an altcoin named Viacoin (VIA). The incident, BleepingComputer reports, looked like a hack, and users reacted accordingly. But this wasn't a hack, or at least not your ordinary hack. The report adds: According to an incident report published by the Binance team, in preparation for yesterday's attack, the hackers ran a two-month phishing scheme to collect Binance user account credentials. Hackers used a homograph attack by registering a domain identical to binance.com, but spelled with Latin-lookalike Unicode characters. More particularly, hackers registered the [redacted].com domain -- notice the tiny dots under the "i" and "a" characters.

Phishing attacks started in early January, but the Binance team says it detected evidence that operations ramped up around February 22, when the campaign reached its peak. Binance tracked down this phishing campaign because the phishing pages would immediately redirect phished users to the real Binance login page. This left a forensic trail in referral logs that Binance developers detected. After getting access to several accounts, instead of using the login credentials to empty out wallets, hackers created "trading API keys" for each account. With the API keys in hand, hackers sprung their main attack yesterday. Crooks used the API keys to automate transactions that sold Bitcoin held in compromised Binance accounts and automatically bought Viacoin from 31 other Binance accounts that hackers created beforehand, and where they deposited Viacoin, ready to be bought. But hackers didn't know one thing -- Binance's secret weapon -- an internal risk management system that detected the abnormal amount of Bitcoin-Viacoin sale orders within the span of two minutes and blocked all transactions on the platform. Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals.
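A defender-side check in the spirit of what the summary describes: because the phishing pages bounced victims to the real login page, the lookalike host shows up in the referer field of the exchange's own access logs. This is an added example, not Binance's code; the domain bịnạnce.com, the log lines and the one-entry allow-list are constructed stand-ins (the page redacts the real domain), and the skeleton step only folds diacritics such as the dot-below letters described above, not cross-script confusables.

```python
import unicodedata
from urllib.parse import urlsplit
LEGIT_DOMAINS = {"binance.com"}
# Constructed stand-in for the redacted domain: Vietnamese letters that carry a dot below.
LOOKALIKE = "bịnạnce.com"
LOOKALIKE_ASCII = LOOKALIKE.encode("idna").decode("ascii")  # the xn-- form logs usually hold
# Constructed Combined Log Format lines for hits on the real exchange's login page.
SAMPLE_LOG = f"""\
203.0.113.5 - - [22/Feb/2018:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [22/Feb/2018:10:01:07 +0000] "GET /login HTTP/1.1" 200 512 "https://{LOOKALIKE_ASCII}/login" "Mozilla/5.0"
203.0.113.12 - - [22/Feb/2018:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "https://{LOOKALIKE}/account" "Mozilla/5.0"
"""

def referer_host(line: str):
    # CLF: the referer is the fourth double-quoted field; "-" means none was sent.
    parts = line.split('"')
    return urlsplit(parts[3]).hostname if len(parts) >= 6 and parts[3] not in ("", "-") else None

def to_unicode_host(host: str) -> str:
    # Decode punycode (xn--) labels back to Unicode so the lookalike can be compared.
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as-is, the skeleton check still runs
        labels.append(label)
    return ".".join(labels)

def skeleton(host: str) -> str:
    # Fold diacritics away: NFKD splits "ị" into "i" + combining dot below, then drop the marks.
    decomposed = unicodedata.normalize("NFKD", host.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def is_lookalike(host: str) -> bool:
    # Not one of our hosts, yet collapses onto our domain once the diacritics are gone.
    uni = to_unicode_host(host)
    legit = lambda name: any(name == d or name.endswith("." + d) for d in LEGIT_DOMAINS)
    return not legit(uni) and legit(skeleton(uni))

def suspicious_referers(log_text: str):
    # (client IP, decoded referer host) for each line whose referer is a lookalike domain.
    pairs = ((line.split()[0], referer_host(line)) for line in log_text.splitlines() if line.strip())
    return [(ip, to_unicode_host(h)) for ip, h in pairs if h and is_lookalike(h)]

if __name__ == "__main__":
    for ip, host in suspicious_referers(SAMPLE_LOG):
        print(f"{ip} arrived from lookalike {host}")
```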

3 of 56 comments

  1. Re:Yes by bigwheel · Score: 4, Informative

    FTFA: Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals. Furthermore, in the subsequent investigation, Binance identified the 31 accounts, reversed all transactions, and confiscated the original Viacoin funds that hackers deposited in the accounts.

  2. Re:Unicode hack? by tattood · Score: 3, Informative

    And of course... the browser makers such as Google and Firefox had to be complicit in changing from the original defaults, which were to refuse to interpret Punycode under Latin TLDs.

    Brian Krebs wrote about punycode yesterday. Chrome and Microsoft Edge and IE will not display the punycode, but rather the ASCII representation of it. Firefox does show the punycode by default, but you can change it in settings.

    --
    WTB [sig], PST!!!

  3. Re:Unicode hack? - English only Please! by anon+mouse-cow-aard · Score: 3, Informative

    I bet you only speak English. For people who speak other languages, Unicode is rather useful. Yes, different languages use different character sets that can resemble each other. Yes, people can be fooled, but security doesn't trump the ability to have natural-looking URLs in the native languages of most of the planet. télétoon.com (doesn't work) is much more natural than teletoon.com to a French speaker. At least vidéotron.com works (it gets rewritten to canonical videotron.com). There are plenty of legitimate uses for that feature. Add to that that most western European language speakers are completely used to accented characters, so usually the only ones likely to be fooled are the English-only speakers. So you want to limit the web to English DNS entries because English-speaking people don't notice accented characters. Sorry, world won't comply.