Good Morning,
I've been robbed. Yesterday, Friday August 12th, an unauthorized person (or persons) entered my Bittrex account, cancelled my open sell orders of 3.22411950 Bitcoin Cash and 50053.58520492 Burst, sold them at the current bid prices and then siphoned 0.39600000 BTC out of my account, which at current trading stands at a touch under $1500. The whole process took the attackers roughly 15 minutes. It was well executed, and I want to warn others to stop the possibility of it happening to them.
It's a bitter pill for me to swallow, as by day I am a Cisco-certified network engineer. I've studied for CEH and have spent the past 10 years using network devices to stop what happened to me from happening to users of our corporate WAN. I've lost some pride and quite frankly I am a bit embarrassed that this has happened, but the experience needs to be shared for the greater good against the evil.
So, what happened? Excuses aside, I am going to detail the process from start to finish, then look at what I did wrong (because I missed some warning signs), and then I will look at other aspects out of my control that were beneficial to the hackers.
First, using PaleMoon browser, as depicted below, I typed Bittrex into DuckDuckgo.com and clicked on the top result.
I was presented then with what I now know to be a fake bittrex.com login page, below to the left is the fake login screen and to the right is the correct login screen. I proceeded to login.
I was then shown a browser security check screen (below) which was not up for long, 1-2 minutes max, and was then asked for my 2FA code, at which point I was presented with the browser security check screen again.
A few minutes after entering the 2FA code I twigged that something wasn't right, so I killed the PaleMoon session, fired up Chromium, went to Bittrex directly via URL and logged in. I went to BCC initially and saw no open orders, then checked Burst: again no open orders. So I went to wallets, and I had 0.39649509 BTC showing, which for a second had me trying to figure out if my orders had been met.
Then everything clicked in my brain and I knew I was being robbed. The hackers were obviously in the account at the same time as I was and were now looking to move the BTC, so I went to the support section to see if it was possible to make contact with Bittrex. Nothing was strikingly obvious, but I somehow managed to disable my account, see the Bittrex logs below. (As a side note, I was unable to retrace the 'Disable My Account' steps again, but it did apparently work as depicted in the logs below; to get the 'Disable My Account' screenshot I used Google to bring up the page.)
* Bittrex Timestamps are -1 hour GMT
However, despite the fact I thought I had disabled the account (it told me it was disabled, and it showed as disabled in the logs), the funds still left my account and hit the blockchain 3 minutes later: https://blockchain.info/address/17Jc3QriP1VuH7wWCtE3uwATnEFUzKisEH
In among all the chaos I received a notification email stating my API keys had changed:
I emailed Bittrex as advised in the security email but got a reply saying log it through the 'Submit a Request' form.
I logged a ticket with Bittrex through the contact form yesterday at 17:20; as yet I've not heard back.
For something quite important like an account being compromised it seems I was going in circles, perhaps I should have familiarized myself with the process for this exact type of situation.
So, analyzing what happened, my mistakes were as follows:
1. I used a search engine instead of accessing Bittrex directly. I never usually do this. I switched from Chromium to PaleMoon that morning as I was seeing some lag, the PaleMoon default page was set to use Duckduckgo.com (I do not usually use Duckduckgo.com either), and for some reason (probably distraction / multitasking) I searched for Bittrex via Duckduckgo.com.
2. The top result was an 'AD'. I shouldn't have clicked on this, but I didn't notice it.
3. I didn't thoroughly check the cert (although I did take a quick look at it), I'll discuss and examine the cert in more detail later.
4. The URL was different, the fake site omitted /account/login and I did not notice this initially either.
What helped the attackers:
1. The disable account setting does not appear to do anything in Bittrex. Funds still left my account, and I was able to access it multiple times afterwards despite the fact it was meant to be 'locked' for 24 hours from me hitting the button.
2. Although you can IP whitelist on Bittrex (not useful for me as my ISP IP is dynamic), the fact that persons entered my account for the first time from IPs in Poland did not flag any warning signs to the system. Geo IP blocking would be a better option (although I realize attackers could use a VPN, it would make identifying the host country of the account holder more tricky and potentially buy some time).
3. I did not receive a withdrawal email notification to my email address. OK, so 2FA was enabled, but it's clearly susceptible to clever social engineering / phishing type attacks. Turning one layer of protection on should not by default turn another layer off. I would have been able to stop the transaction if I were still getting email notifications. Multiple levels of security are much better in any situation; the trade-off is convenience (which doesn't compare to losing a shed load of money).
4. They were able to have their website purport to be bittrex.com, even the cert showed this.
5. There is no quick support on hand from Bittrex. You need to go through a maze of questions to fill out a form, by which time your account would probably already be empty. A kill switch (that works) would be nice.
Looking at the attack, what else could be done?
1. Looking at the cert in more detail, I was initially puzzled because when I checked the cert during my fake sign-in I got this message when I clicked on the cert info:
However using IE I was able to look at the subject alternative name and see the cert was dodgy by the other sites listed in there, below left is the fake site and below right the real one.
What puzzles me is how the cert was issued by a trusted CA such as Comodo. When I have requested certs from Comodo before, all SAN domains had to be verified (usually with a phone call and email from the admin / administrator of the domain holder) before issuance. I'll get in touch with Comodo to see what happened here (unless someone can enlighten me?).
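The SAN check above is something you can automate rather than hunting through a browser's certificate viewer. The following script is an added example, not part of the original post: it fetches the leaf certificate for a host (or takes a SAN list you already have) and flags a cert that either does not cover the hostname you typed or that bundles it with base domains unrelated to it, which is the tell-tale the author spotted. The `.example` / `.invalid` names in the constructed sample data are placeholders, not the phishing site's real hostnames.

```python
import ssl
import socket


def fetch_san_list(host, port=443, timeout=5.0):
    """Connect with full chain verification and return the leaf cert's SAN
    entries as [(type, value), ...], exactly as ssl.getpeercert() reports."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


def _matches(name, pattern):
    # Hostname match: exact, or a single leading wildcard label (*.example.com).
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return name == pattern


def registrable(name):
    # Crude "base domain": the last two labels. Good enough to spot strangers
    # in a SAN list; a public-suffix list would be more accurate.
    return ".".join(name.lstrip("*.").split(".")[-2:])


def assess_san(expected_host, san_list):
    """Return a verdict on whether san_list looks right for expected_host."""
    dns_names = [value for kind, value in san_list if kind == "DNS"]
    covered = any(_matches(expected_host, p) for p in dns_names)
    own = registrable(expected_host)
    strangers = sorted({registrable(n) for n in dns_names if registrable(n) != own})
    return {
        "covered": covered,            # cert actually names the host I typed
        "dns_count": len(dns_names),
        "strangers": strangers,        # unrelated base domains sharing the cert
        "suspicious": (not covered) or bool(strangers),
    }


# Constructed sample data (not captured from the incident).
REAL_SAN_EXAMPLE = [("DNS", "bittrex.com"), ("DNS", "*.bittrex.com")]
FAKE_SAN_EXAMPLE = [("DNS", "phish-host.example"), ("DNS", "cheap-shoes.example"),
                    ("DNS", "*.random-blog.example"), ("DNS", "another-site.invalid")]

if __name__ == "__main__":
    print(assess_san("www.bittrex.com", REAL_SAN_EXAMPLE))
    print(assess_san("phish-host.example", FAKE_SAN_EXAMPLE))
```

To check a live site, replace the sample list with `fetch_san_list("www.bittrex.com")`; note that a phishing page fronted by a shared CDN certificate will typically light up the `strangers` field.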
At work I have often said to our 1st line techs and 2nd line engineers that if your public-facing netblock is fully patched and utilizing things like a DMZ, NAT and reverse proxies, then the weakest link is probably going to be a human.
Ironically I proved my own point and lost a load of crypto because of it.
Thanks for reading and if you use or know anyone who uses Bittrex please share, I would hate someone else to go through what I did.