In a Remarkable Turn of Events, Hackers -- Not Users -- Lost Money in Attempted Cryptocurrency Exchange Heist (bleepingcomputer.com)
The hackers who attempted to hack Binance, one of the largest cryptocurrency exchanges on the Internet, have ended up losing money in a remarkable turn of events. It all began on Thursday, when thousands of user accounts started selling their Bitcoin and buying an altcoin named Viacoin (VIA). The incident, BleepingComputer reports, looked like a hack, and users reacted accordingly. But this wasn't a hack, or at least not your ordinary hack. The report adds: According to an incident report published by the Binance team, in preparation for yesterday's attack, the hackers ran a two-month phishing scheme to collect Binance user account credentials. Hackers used a homograph attack by registering a domain identical to binance.com, but spelled with Latin-lookalike Unicode characters. More particularly, hackers registered the [redacted].com domain -- notice the tiny dots under the "i" and "a" characters.
Phishing attacks started in early January, but the Binance team says it detected evidence that operations ramped up around February 22, when the campaign reached its peak. Binance tracked down this phishing campaign because the phishing pages would immediately redirect phished users to the real Binance login page. This left a forensic trail in referral logs that Binance developers detected. After getting access to several accounts, instead of using the login credentials to empty out wallets, hackers created "trading API keys" for each account. With the API keys in hand, hackers sprang their main attack yesterday. Crooks used the API keys to automate transactions that sold Bitcoin held in compromised Binance accounts and automatically bought Viacoin from 31 other Binance accounts that hackers had created beforehand and in which they had deposited Viacoin, ready to be bought. But the hackers didn't know one thing -- Binance's secret weapon -- an internal risk management system that detected the abnormal number of Bitcoin-Viacoin sell orders within the span of two minutes and blocked all transactions on the platform. Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals.
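The referral-log detection the summary describes (phishing pages bouncing victims to the real login page, leaving the look-alike hostname in the Referer) as an added example, not code from the article or from Binance: a small Python checker that decodes punycode (xn--) labels, builds a crude confusable skeleton by stripping combining marks such as the dot below, and flags referrers that collapse to a protected domain. The log format, the `PROTECTED` set and the look-alike host `bịnạnce.com` are constructed assumptions; the real domain is redacted in the article.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Hostnames to protect (assumption: the operator's own login domain).
PROTECTED = {"binance.com"}

def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels to Unicode; plain ASCII hosts pass through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode: keep as-is

def skeleton(host: str) -> str:
    """Crude confusable skeleton: lower-case, NFKD-decompose, drop combining marks.
    U+1ECB (i with dot below) decomposes to 'i' + U+0323 and the mark is dropped,
    so 'bịnạnce.com' collapses to 'binance.com'."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify_referrer(url: str) -> dict:
    """Decode the URL's host and say whether it is a non-ASCII look-alike of PROTECTED."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    uhost = to_unicode_host(host)
    lookalike = (not uhost.isascii()) and skeleton(uhost) in PROTECTED
    return {"host": host, "unicode_host": uhost, "lookalike": lookalike}

def scan_referrer_log(lines):
    """Return the decoded look-alike hosts found in 'referer=<url>' log lines."""
    hits = []
    for line in lines:
        m = re.search(r"referer=(\S+)", line)
        if not m:
            continue
        info = classify_referrer(m.group(1))
        if info["lookalike"]:
            hits.append(info["unicode_host"])
    return hits

# Constructed sample log (not Binance's real logs). The look-alike host is built
# from 'bịnạnce.com' (dots under i and a); the real domain is redacted in the article.
LOOKALIKE_ACE = "bịnạnce.com".encode("idna").decode("ascii")  # an xn-- hostname
LEGIT_IDN_ACE = "télétoon.fr".encode("idna").decode("ascii")  # non-ASCII, not confusable
SAMPLE_LOG = [
    f"GET /login referer=https://{LOOKALIKE_ACE}/login",
    "GET /login referer=https://binance.com/",
    f"GET /login referer=https://{LEGIT_IDN_ACE}/",
]
```

The skeleton is deliberately simple (marks only); a production check would also look at mixed scripts and Unicode's full confusables table.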
Unicode hack? (Score:2)
So, it is kind of a Unicode hack?
Unicode wasn't allowed initially in domain names if I recall correctly.
Re: (Score:3)
PUNYCODE. Which was INITIALLY only allowed under Non-Latin Country Code TLDs.
If you think about it.... it makes no sense to have (NON-LATIN BLOB).com or (NON-LATIN BLOB).net
I'm not sure exactly who is to blame for PunyCode suddenly being enabled under additional Latin TLDs such as .COM,
but I suspect it is either ICANN or Verisign we should blame for this stupid shit, and of course.... the browser makers such as Google and Firefox had to be complicit in changing from the original defaults whi
Re:Unicode hack? (Score:5, Interesting)
They allow it for the same reason we have 100 new TLDs. Profits. Now there are many new variant domains that a company must register in order to avoid squatters.
Re:Unicode hack? (Score:5, Interesting)
They would never do such a thing! The new TLDs are all for the purpose of users and convenience and helpful to Internet users. That is why we got .aero as one of the first ones...
The real sad part is that nobody stopped them. The good part is that the new TLDs are largely ignored. There was a short period where you would see people advertising their .biz addresses, then it stopped and went back to normal.
So the world was telling ICANN to go and fuck themselves. Allowing Unicode and the entire attacks possible with it was their spiteful revenge.
Re: (Score:2)
Well, you can reach me via email at firstname.lastname@comsoft.aero ... I like that email address. The job is cool, too.
Re: (Score:2)
The good part is that the new TLDs are largely ignored
Not by everyone. Some of us actively block them.
Re:Unicode hack? (Score:4, Informative)
And of course.... the browser makers such as Google and Firefox had to be complicit in changing from the original defaults which was to Refuse to interpret Punycode under Latin TLDs.
Brian Krebs wrote punycode yesterday [krebsonsecurity.com]. Chrome and Microsoft Edge and IE will not display the punycode, but rather the ASCII representation of it. Firefox does show the punycode by default, but you can change it in settings.
Re: (Score:2)
Wrong on all counts. Krebs wrote *about* the method yesterday, but Punycode is far older: https://tools.ietf.org/html/rf... [ietf.org] (A. Costello, March 2003).
Furthermore, you have it exactly backward: Chrome/IE/Edge DO display the non-Latin URL as Punycode (that is, rendered into normal ASCII gibberish). Firefox just displays it straight.
Re:Unicode hack? - English only Please! (Score:4, Informative)
Re: (Score:3)
Which is precisely why the GP suggested restricting website character sets by TLD. If you want to have télétoon as your website address, make it télétoon.fr (or télétoon.com.fr), not télétoon.com, as .com is (in practice) a US-centric TLD. This isn't hard and it isn't discriminatory, but the registrars a) want to blackmail website owners into registering more addresses, b) don't give two shits about security, and to top it off c) like virtue-signaling about how open a
Re: (Score:3)
The silly thing is that punycode solves exactly zero problems that simply making whitelists of utf-8 characters in domains would not have solved equally well, and every problem caused by whitelisted utf-8 characters also plagues punycode. Plus of course punycode adds its own set of problems.
Redacted? (Score:4, Funny)
Good thing TFS redacted the domain name. Now a person has to read TFA to see the text, and we know that will never happen.
Re: Redacted? (Score:5, Funny)
It didn't even need to be redacted. This is slashdot. We don't support Unicode here.
Re: (Score:2)
That's why they redacted it!
Re: (Score:2)
Actually that is exactly why it was redacted, to avoid making Slashdot look foolish and backwards. The excerpt is directly ripped from the article with only that change.
I would be surprised if it was the editor that did it, however. There used to be a link to see the original submission, but I can't find it. It was probably removed to avoid making the editors look foolish, too.
Re: (Score:2)
Sö yöo såy
Re: (Score:2)
In which case, they didn't lose the money for sure.
They could also claim that their accounts got hacked but through a different attack vector.
Re:Yes (Score:5, Informative)
FTFA: Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals. Furthermore, in the subsequent investigation, Binance identified the 31 accounts, reversed all transactions, and confiscated the original Viacoin funds that hackers deposited in the accounts.
Re: (Score:1)
So Binance stole Viacoin from the hackers... I'm conflicted about this.
Re:Yes (Score:4, Interesting)
Re: (Score:1)
I wonder if the average cryptocurrency advocate will celebrate this today, and then months later wonder why he can't sell any of his currency during a downturn. The admins will of course be able to sell first, though...
What the other cryptocurrency? (Score:1)
How is the 2LipBulb cryptocurrency? Folks in the Netherlands swear by it.
Browser alert on Unicode urls (Score:3)
I almost never visit (legit) sites using Unicode characters. I'd love my browser warning me whenever I visit one -- just in case.
Re: (Score:2)
Which browser do you use, that it gives you a warning?
And is that warning about the URL or the site's contents?
Re: (Score:3)
I almost never visit (legit) sites using unicode characters. I'd love my browser warning me whenever I visit one -- just in case.
Check out IDND https://lingvo.org/idnd [lingvo.org]
Re: (Score:2)
cool, thanks
Re: (Score:2)
I almost never visit (legit) sites using unicode characters.
I have a related question: For English speaking content, are there any legit sites using unicode characters?
For a change, AI did NOT make news (Score:2)
Not A.I. but B.I. as in Binance Intelligence.
I will wait for the movie version on Netflix, but Kevin Spacey can pass on this role.
Saw this happen IRL once with a safe-cracker (Score:5, Interesting)
Re: (Score:2)
I remember a story in Australia where a guy robbed a petrol station at night. He left the car running. Another customer saw what was happening and took the car keys and walked away. The guy made off with like $200 but had to abandon his far more expensive car when he heard sirens.
Re: (Score:2)
And if you can't find anybody to buy it from you, guess what? The greater fool is YOU!
“If you sit in on a poker game and don’t see a sucker, get up. You’re the sucker.” - Whispering Saul
Let me be the first to say... (Score:1)