
You may have heard about all the vulnerabilities that computers have. About trojans and malware and ransomware that can lock up city public transportation or stop oil flows, increasing the price of gas. Computers have one well known un-patchable vulnerability though. CVE-PEBCAC. This is, partially, a story of social engineering.

People Want to be Helpful

Social engineering works because people want to be helpful. "Why did you open the door for that person you don't know? They don't work here!" for example. In my case, it was the fact that I like to talk about Bitcoin that made me a target.
I got a friend request on social media. This is the kind of social media where you aren't supposed to only connect with people you know, because the point is to find people you don't know. Still, I looked at the profile. Costume designer. Person's profile is a month old. While this is a red flag, at the time I thought they needed new people added to their profile so they could meet new people, the whole point of the site. I was trying to be helpful. So I accepted it.
They message me. They said they saw me talking about cryptocurrency and that's why they wanted to connect. Oh they got me with that one. I went to town about Bitcoin not crypto and even found an on the spot pretty good way of explaining the differences. The idea that when you buy a so called crypto, you're buying into a ruleset. So they asked me to explain the ruleset. I say I need to first explain what a hash is, because the rest of the ruleset is highly dependent on an understanding of this. In hindsight what I did next was pretty stupid. I created a hash of an explorer.exe file to demonstrate what a hash looks like. I was trying to be helpful, again. The problem with doing this is that it demonstrates what OS I'm running. As soon as I explain this, the attacker decides they're not really interested in talking anymore, because they've "learned enough".
They ask me if I would like to connect on Telegram. Now, look, I thought about this for a moment. We just met, we didn't really have that great of a conversation, but my dumbass said fuck it, I can remove you if you get annoying or whatever. I get the message on Telegram and as soon as I open the message to read it, I see a pop up with a GUI that I don't recognize. It was at this moment that I knew, I fucked up.

The Fight

Understand, I did not click a link, I was not prompted to install any software. All that happened was I opened a DM on Telegram. Nonetheless, I know time is of the essence. The longer I wait, the more access and better rooted they'll get into my system. I close Telegram. I have Portmaster installed so I start messing around with closing incoming connections. Not smart. I knew that, but I was trying to be fast and that meant I wasn't thinking right. A reverse TCP connect wouldn't be blocked by a firewall. I needed something else. I try to quickly download Malwarebytes. I know it's not the best, but it's free and I just need something for the sake of time. When I go to type in the internet search bar, my browser freezes up and nothing I type comes up. Suddenly, what I typed shows up again and also "AAAAAAA". I recognize that. It's a preschool method for doing a buffer overflow on my browser. Thankfully, this confirms fully that I'm looking at a script kiddie. I download and run Malwarebytes. This was risky. The anti-virus could have been infected as it was trying to install, but it didn't, I got lucky. It's removing things, more things keep showing up. I'm worried this virus might be copying itself around in an attempt to outpace the anti-virus. I disconnect the internet. New things stop showing up.
I take a breath. I haven't won yet. I download a real anti-malware and pay for it, again risky, could have had my card details stolen and I actually still don't know that they aren't, but I hope that Malwarebytes removed anything that could have tried that at the very least. After I install the paid anti-virus, I disconnect the internet again. Now I've won.

The Aftermath

The hacker got their account banned from the site, but that doesn't mean they didn't make a new account. I looked through the anti-virus logs to see what it was I got. Trojan.Win32.Swisyn.fura. Swisyn Fura is a trojan that downloads the real virus from a command and control server. That's why disconnecting the internet worked. They didn't have a chance to establish persistence. This was a targeted attack. I believe they were trying to steal my Bitcoin.
Let me restate that.

I Got Hacked and Still Didn't Lose any Bitcoin

Multi-sig baby! Hacking one computer isn't good enough. The only way PSBT files transmit between my spending computers is through QR codes. I never turn enough of them on to spend, unless I'm spending. Not enough of them needed to spend ever connects to the internet. I got my savings on lock down in a vault. This isn't your shitcoiner set up no no no, this is Sparrow wallet!
Yes, let this be an advertisement for Sparrow wallet (and probably signing devices too, but I don't have those)

Takeaway

Your takeaway might be that you shouldn't talk about Bitcoin, but that isn't the lesson here. We need to talk about Bitcoin to reach people who need Bitcoin.
The lesson is:
  1. If anyone seems a little too interested in you, they're probably an attacker.
  2. Telegram has a vulnerability where if you open a DM on Telegram for desktop on Windows, you can get hacked
  3. Have anti-virus installed NOW
  4. Disconnect from the internet and run your anti-virus if you think you have a virus
  5. Multi-sig baby! Multi-sig is freaking awesome! That saved my dumb ass. I got hacked and still didn't lose my Bitcoin. That's huge for anyone worried about self-custody. So don't be afraid to self-custody, use a multi-sig wallet like Sparrow, it's great!
I think it would have been safer to power off that computer immediately, reboot and load an OS from usb, and do a full hard disk scan on the main hard drive.
Even safer, don't run Windows for crypto related stuff.
reply
Yes, that would have been better. Probably Caine for the investigation: https://www.caine-live.net/
I haven't messed around with Caine enough to know what I'm doing though. I also don't know how to remove Windows malware from a Linux ISO live environment.
Now as far as the "even safer don't run windows" side of this, I feel this is missing the point.
The point is, I was hacked and still didn't lose my Bitcoin
This is because I have a multi-sig with other computers that are turned off and never connect to the internet.
That all being said, I have thought about it after this attack, and yes I think my Windows computer needs to be a full watch and broadcast only wallet rather than a 1 sign and many watch wallet.
reply
The part he left out: this user had a very attractive profile picture.
reply
Easy psychological exploit.
This is a serious security vulnerability that remains unpatched, especially in straight males.
reply
"The mind has no firewall."
reply
Would love to see more of this kind of quality content on StackerNews. Interesting to see all the warning signs you can recognize, and the mitigation steps you can take
But why don't you have your savings in cold storage?
reply
It is in cold storage. Coldcard is a signing device, but that is not the definition of cold storage. Cold storage means it is stored on a device which is not powered on or connected to the internet.
I have my savings on a multi-sig setup and a few of those computers which are needed to spend at all are turned off and not connected to the internet.
reply
Lmao Windows users get rekt
reply
;_; I only have 1 computer with Windows on it. It's the computer I use for VR and gaming and any really beefy operations.
reply
... and for getting hacked.
reply
Yes, and for getting hacked lol
reply
If you think you have certainly won after an antivirus run you are wrong. Format and reinstall, possibly an OS that's not Windows.
:)
reply
That's certainly a fair assumption. Better safe than sorry. However, I can not reinstall a non-Windows OS. The VR software that exists is simply not compatible with any other OS in large part due to proprietary software.
reply
Love Sparrow. But let's speculate, for the benefit of readers/lurkers/new people.
What if you didn't have a multi-sig on Sparrow?
  1. If you'd had a hot wallet, what would've happened?
  2. If you'd had a browser wallet, what would've happened?
  3. If you'd had a Ledger/Trezor/etc, what would've happened?
reply
That's why you have to do it right. Being responsible with your own money, keeping it safe, it requires setting up your security properly. However, that doesn't mean a custodian is a better solution. No one ever said "My exchange account got hacked and I didn't lose my Bitcoin" and having the government in control of the money instead, to give them the power to print money for people who get stolen from, well we've seen what that's led to.
reply
thanks for sharing!
Can you tell us more about your multisig setup, and why you chose that particular configuration?
reply
The multi-sig wallet I use is Sparrow https://sparrowwallet.com/
I don't have signing devices, but I do have computers lying around that I happen to almost never turn on (a laptop with a shot battery is very inconvenient)
I happen to know about a type of malware called a worm, which infects other computers that are connected to the same network. So for this reason, I wanted my multi-sig setup to be such that the computers required to spend are, first and foremost, not connected to the same network at the same time. In particular, my shot battery never connects to the internet.
The computer which is connected to the internet also runs my full node, so when I spend, I'm not trusting someone else's.
I also nerd out about air gaps sometimes: https://cyber.bgu.ac.il/advanced-cyber/airgap
Transmitting the PSBT via QR code is built into Sparrow and I like it. I don't think you can buffer overflow with QR code transmission.
reply
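Since the online machine in this kind of setup is exactly the one that got compromised, the offline signer should check where a QR-delivered PSBT actually pays before it signs. This added example is not Sparrow's code or the poster's: it parses the BIP 174 global map and the embedded unsigned transaction with the Python standard library and flags outputs to scripts the signer did not expect; the sample PSBT and the P2WPKH hashes inside it are constructed placeholders.

```python
import struct
PSBT_MAGIC = b"psbt\xff"  # BIP 174: every PSBT v0 starts with these five bytes

def read_compact_size(buf, pos):
    """Bitcoin CompactSize integer -> (value, position after it)."""
    if buf[pos] < 0xfd:
        return buf[pos], pos + 1
    fmt, size = {0xfd: ("<H", 2), 0xfe: ("<I", 4), 0xff: ("<Q", 8)}[buf[pos]]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size
def global_map(psbt):
    """Parse the PSBT global key-value map; a lone 0x00 byte terminates it."""
    if not psbt.startswith(PSBT_MAGIC):
        raise ValueError("missing PSBT magic bytes")
    pos, entries = len(PSBT_MAGIC), {}
    while psbt[pos] != 0x00:
        klen, pos = read_compact_size(psbt, pos)
        key, pos = psbt[pos:pos + klen], pos + klen
        vlen, pos = read_compact_size(psbt, pos)
        entries[key], pos = psbt[pos:pos + vlen], pos + vlen
    return entries
def tx_outputs(tx):
    """[(value_sats, scriptPubKey)] from a serialized unsigned tx (no witnesses)."""
    n_in, pos = read_compact_size(tx, 4)  # skip the 4-byte version
    for _ in range(n_in):  # txid(32) + vout(4) + scriptSig + sequence(4)
        slen, pos = read_compact_size(tx, pos + 36)
        pos += slen + 4
    n_out, pos = read_compact_size(tx, pos)
    outs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", tx, pos)[0]
        slen, pos = read_compact_size(tx, pos + 8)
        outs.append((value, tx[pos:pos + slen]))
        pos += slen
    return outs
def unexpected_outputs(psbt, allowed_scripts):
    """Outputs paying anywhere but the scripts the signer expects; empty means OK."""
    tx = global_map(psbt)[b"\x00"]  # global key type 0x00 is the unsigned transaction
    return [(v, s.hex()) for v, s in tx_outputs(tx) if s not in allowed_scripts]

# Constructed sample: the intended payee SCRIPT_A plus an output to SCRIPT_B that a
# compromised online machine slipped in (placeholder 20-byte P2WPKH hashes).
SCRIPT_A, SCRIPT_B = b"\x00\x14" + b"\x11" * 20, b"\x00\x14" + b"\x22" * 20
def build_sample_psbt(outputs=((50_000, SCRIPT_A), (1_000_000, SCRIPT_B))):
    # Every length here is below 0xfd, so a single byte is a valid CompactSize.
    tx = struct.pack("<i", 2) + b"\x01" + bytes(32) + bytes(4) + b"\x00" + b"\xff" * 4
    tx += bytes([len(outputs)])
    for value, script in outputs:
        tx += struct.pack("<q", value) + bytes([len(script)]) + script
    tx += bytes(4)  # locktime
    gmap = b"\x01\x00" + bytes([len(tx)]) + tx + b"\x00"  # key: type 0x00, then value
    return PSBT_MAGIC + gmap + b"\x00" + b"\x00" * len(outputs)  # empty input/output maps
```

A non-empty result means the PSBT pays somewhere the signer did not intend, so it should be refused and the online machine treated as suspect.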
Wow, crazy story. I guess I'll stop opening those random crypto scammer messages in telegram. I hope I haven't been pwnd already. 😳
reply
interesting story.
reply
Thanks. It happened last night. Thought I'd let anyone it might help know about it.
reply
Now buy a Coldcard and install Linux :D
reply
How does one get infected from simply opening a DM?
reply
Same doubt. It should be caused by a buffer-overflow-style attack. Improbable but not impossible.
@nerd2ninja which client did you use (with version)?
reply
I've asked Telegram to create a Security.md file in their GitHub repo so this can be reported. My current guess is that this may have been caused by an unquoted strings vulnerability.
To answer your question, Telegram for desktop on Windows.
reply
Telegram for desktop on Windows.
Version? Could be useful to alert other users if the bug is version specific.
reply
Not sure. I'm no longer near my computer. It should be the newest version though. I don't have a notification to update it or anything
reply