Author Archive

Mt Gox hacked, or you’re only as secure as the sites you give your information to.

June 19th, 2011

Mt Gox was a place to exchange currency, specifically American dollars, for bitcoin. The site was recently hacked and the bitcoin exchange rate has plummeted (and, from what I hear, is currently frozen). If you’ve ever used the site and use the same or a similar password elsewhere, change it (and, for Pete’s sake, stop using the same password everywhere).

I’ve downloaded a copy of the Mt Gox DB and I was indeed in the list. The data consists only of: userid, user handle, email address, and password hash.

I’ve done a reverse hash lookup and confirmed it’s not a basic SHA-1 or MD5. In the official “hacked” email, the Mt Gox admins say the site uses “freeBSD MD5 salted hashing”, though some older accounts may be simple MD5. (FreeBSD’s MD5 crypt stores hashes as “$1$salt$hash” with a per-user salt and 1,000 iterations of MD5, so the two kinds can be told apart by the “$1$” prefix.)

There are 61,000+ records in the DB I’ve downloaded. If anybody wants me to check whether they’re on there, let me know. My Gmail has already requested that I change my password, so I’m guessing brute force attacks are occurring.
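
As an added illustration (not code from the original post or from Mt Gox), the following Python shows what the two hash formats described above mean for whoever holds the dump: raw MD5 rows fall to one precomputed lookup table, while FreeBSD md5crypt rows must be attacked salt by salt. The md5crypt routine is a pure-Python port of the FreeBSD algorithm; the records, handles and wordlist are constructed for the example and are not rows from the real dump.

```python
import hashlib
import hmac
import re

# The two formats the post mentions: FreeBSD MD5 crypt ("$1$salt$hash", salt of
# up to 8 characters, 22-character digest) for newer accounts and unsalted hex
# MD5 for some older ones.
MD5CRYPT_RE = re.compile(r"^\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})$")
RAW_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """md5crypt's own 6-bit encoding (not standard base64)."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """FreeBSD md5crypt, ported from the reference algorithm. password and
    salt are bytes; salt is truncated to 8 bytes and must not contain '$'.
    Returns the '$1$salt$hash' string."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds mixing password and salt in a fixed pattern: the work factor
    # that makes a single lookup table useless across accounts.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$").decode("ascii") + encoded


def classify(stored):
    """Tell the dump's two hash formats apart by shape."""
    if MD5CRYPT_RE.match(stored):
        return "md5crypt"
    if RAW_MD5_RE.match(stored):
        return "raw-md5"
    return "unknown"


def verify(password, stored):
    """Check a candidate password (bytes) against either stored format."""
    kind = classify(stored)
    if kind == "raw-md5":
        return hmac.compare_digest(hashlib.md5(password).hexdigest(), stored.lower())
    if kind == "md5crypt":
        salt = MD5CRYPT_RE.match(stored).group(1).encode("ascii")
        return hmac.compare_digest(md5crypt(password, salt), stored)
    return False


def crack(records, wordlist):
    """Dictionary attack over (userid, handle, email, hash) rows. Raw MD5 rows
    fall to ONE precomputed table shared by every row (the reverse lookup the
    post tried); md5crypt rows need the wordlist re-hashed per row because each
    salt differs. Returns (recovered passwords, md5crypt computations spent)."""
    table = {hashlib.md5(w).hexdigest(): w for w in wordlist}
    found, work = {}, 0
    for _uid, handle, _email, stored in records:
        kind = classify(stored)
        if kind == "raw-md5" and stored.lower() in table:
            found[handle] = table[stored.lower()]
        elif kind == "md5crypt":
            salt = MD5CRYPT_RE.match(stored).group(1).encode("ascii")
            for word in wordlist:
                work += 1
                if md5crypt(word, salt) == stored:
                    found[handle] = word
                    break
    return found, work


def sample_records():
    """Constructed rows in the dump's column order; not real Mt Gox data."""
    return [
        ("1001", "olduser", "old@example.com", hashlib.md5(b"letmein").hexdigest()),
        ("1002", "newuser", "new@example.com", md5crypt(b"letmein", b"Xy7Qp2Lk")),
        ("1003", "careful", "c@example.com", md5crypt(b"correct horse battery", b"aB3dE5fG")),
    ]


WORDLIST = [b"123456", b"password", b"letmein", b"bitcoin"]  # constructed
```

Calling crack(sample_records(), WORDLIST) recovers the two “letmein” accounts and leaves the third alone; the returned work count shows the cost difference, since every md5crypt guess costs 1,000 MD5 computations and none of that work can be shared between users.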

Mauvis Ledford General

Facebook Phishing site: fbstarter.com

April 30th, 2009


I got a Facebook mail from a friend today titled “Look at this!” with a link to fbstarter.com.

The site itself looks just like Facebook (even the code view and CSS – screenshot here), but it didn’t seem to offer much except a login. I put in dummy information and was redirected to the real Facebook site with this message:

screenshot here.

It’s good to know that Facebook is already on top of it.

When I asked my friend how he came to find / be infected with the exploit (my initial guess was that it was a rogue app) he replied: “Link from a friend on Facebook.” My guess is that the site logs in as you and sends a message to all your friends to infect more people (he told me he looked through his sent mail and apparently it had been sending emails out 15-16 at a time).

What’s interesting about this exploit is that there really isn’t any XSS or CSRF involved – Facebook didn’t do anything wrong – it’s plain social engineering: a site dresses itself up to look like Facebook and asks you to log in. The only reliable tell is the domain in the address bar, fbstarter.com rather than facebook.com, which is where the login form is actually sending your credentials.

I went ahead and archived the fbstarter.com site, as I’m sure it’ll be taken down soon:
http://insecureweb.com/files/fbstarter/ (doesn’t include images)

If you are infected – change all your passwords immediately. Although it’s unlikely the perpetrators can get into your other sites directly, many people use the same password, or variations of it, across many sites, so change all of your passwords regardless of whether they’re the same (at the very least for a clear conscience).

In addition, consider upgrading to Firefox 3 if you haven’t; it blocks known web forgeries once they have been reported (see what happens when I try to visit fbaction.net, a similar forgery site).

A whois on the owner of the domain shows our friends in Russia, as usual:

Name:     Boris Soroka
Address:  Stavropolskaya str. d.18 kv.164 Moscow Moscow 109386
Tel:      +7.4957851102
Fax:
E-mail:   vy@seostudio.at
Updated:

Mauvis Ledford Social Engineering

XSS exploits in 8 of AOL’s properties including Engadget, TUAW, and Social Thing enabled sites

April 30th, 2009

Update 05-27-2009: A web developer at AOL is investigating these issues, and in the meantime this post has been temporarily disabled. It’ll return for educational purposes when the issues are resolved.

Mauvis Ledford JavaScript, Web Security

Newish web-based PDF attack in the wild (with real exploit code)

February 19th, 2009

At work, a client recently contacted us about random ads that were popping up on their site – interestingly enough, through Adobe Acrobat. While I’m on a Mac and didn’t experience the popups firsthand, I did pinpoint the problem to a hidden iframe on the page. (The client is a news organization and the iframes were being added to the bottom of each news article, so either they suffered an SQL injection or the attacker got into their platform somehow.) It turns out the code was doing something more malicious than just displaying ads. Read more…
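
Both incidents in this archive, the cloned Facebook login at fbstarter.com above and the hidden iframe injected into each article here, can be spotted by inspecting the served HTML rather than the rendered page. The inspector below is an added example, not the original posts’ code and nothing from the client, Facebook or the attackers; it uses only Python’s standard library. The two sample pages and the hostnames news.example and malicious.example are constructed for the example, and BRANDS is an assumed mapping of brand words to the domains allowed to receive that brand’s logins.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PageInspector(HTMLParser):
    """Collects the <title>, each <form> (and whether it has a password
    field) and each <iframe> with its attributes."""

    def __init__(self):
        super().__init__()
        self.title, self.forms, self.iframes = "", [], []
        self._form, self._in_title = None, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self._form = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["password"] = True
        elif tag == "iframe":
            self.iframes.append(attrs)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html):
    page = PageInspector()
    page.feed(html)
    page.close()
    return page


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def _is_zero(value):
    """True for width/height attributes such as "0" or "0px"."""
    digits = (value or "").strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) == 0


# Assumed: brand word expected in the title -> domains allowed to get its logins.
BRANDS = {"facebook": ("facebook.com",)}


def phishing_forms(html, page_url, brands=BRANDS):
    """(brand, resolved form action) for every password form on a page that
    presents itself as a brand but posts credentials to a host outside the
    brand's domains: the fbstarter.com pattern."""
    page = _parse(html)
    hits = []
    for brand, domains in brands.items():
        if brand not in page.title.lower():
            continue
        for form in page.forms:
            action = urljoin(page_url, form["action"])
            host = urlparse(action).hostname or ""
            if form["password"] and not any(_under(host, d) for d in domains):
                hits.append((brand, action))
    return hits


def hidden_iframes(html, page_url):
    """src of every iframe that is hidden (display:none, visibility:hidden or
    zero width/height) and loads from a host other than the page's own: the
    injected-ad pattern."""
    own_host = urlparse(page_url).hostname or ""
    hits = []
    for frame in _parse(html).iframes:
        src = urljoin(page_url, frame.get("src") or "")
        host = urlparse(src).hostname or ""
        style = (frame.get("style") or "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or _is_zero(frame.get("width")) or _is_zero(frame.get("height")))
        if hidden and host != own_host:
            hits.append(src)
    return hits


# Constructed pages for the example, not captures of the real sites.
PHISH_PAGE = """<html><head><title>Facebook | Log In</title></head><body>
<form method="post" action="/login.php"><input type="text" name="email">
<input type="password" name="pass"><input type="submit"></form></body></html>"""

INJECTED_ARTICLE = """<html><head><title>Local News</title></head><body>
<p>Article text...</p><iframe src="/video/123" width="400" height="300"></iframe>
<iframe src="http://malicious.example/ads.pdf" width="0" height="0"
 style="display: none"></iframe></body></html>"""
```

phishing_forms(PHISH_PAGE, "http://fbstarter.com/") flags the login form because the same HTML served from www.facebook.com would post to the brand’s own domain and is not flagged; hidden_iframes(INJECTED_ARTICLE, "http://news.example/story/1") reports only the zero-sized, display:none frame pulling a PDF from another host, not the visible same-site video embed.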

Mauvis Ledford JavaScript, Web Security