
Hackers Hijack DNS Server of BlackWallet to Steal $400,000 - msh
https://www.bleepingcomputer.com/news/security/hackers-hijack-dns-server-of-blackwallet-to-steal-400-000/
======
mancerayder
So, I have accounts on several DNS providers and notice that the security is
barebones, mostly username and password. Now, I've got a few domains but
exactly $0 in revenue or other people's stuff to worry about.

With all the obsession over painful security everywhere: stupidly complicated
passwords that require password managers, 2FA with SMS or Google
Authenticator, and that new terrible system where I have to click on pictures
of cars or roadsigns for 5 minutes like I'm being tested for cognitive decline
-- all that stuff, and some of the biggest DNS providers have miserably simple
security.

I didn't see details of HOW DNS was hijacked in that article above but that's
just one of my guesses.

Watch, soon you'll need to click on pictures of storefronts when logging in.

~~~
technion
I can only encourage people to vote with their wallets on this. I moved my
domain registry to AWS over a similar situation, after evaluating several
alternative registrars and not finding MFA. I would certainly do so with DNS.

Much like Microsoft's security push around Windows XP SP1 - security will
become important to these companies when it impacts revenue.

------
gruez
Sucks for the victims, but haven't there been enough hacks to know that
webwallets (whether you hold the keys or not) are a bad idea?

~~~
adamnemecek
They are too convenient.

------
st3fan
This is a major financial crime.

Why are they talking to their ISP to get details instead of involving the
authorities for an actual investigation?

Where is the police report? Who is investigating this?

~~~
JumpCrisscross
> _This is a major financial crime_

This is a major felony involving anonymous holders of a cryptocurrency, many
of whom probably aren’t reporting their holdings to the IRS, on a wallet that
itself probably isn’t reporting holdings nor earnings to the IRS nor complying
with the simplest of money-transmission KYC laws. I struggle to imagine why
this would be a priority for the public to pursue. Live by the sword, die by
the sword.

~~~
Klathmon
There's an awful lot of "probably"s in your comment.

A wallet doesn't need to report anything because it's a wallet. Requiring a
wallet to report "holdings and earnings" would be like requiring a safe to
report the same information. And many users do report holdings to the IRS or
any other agency as needed.

But even if they didn't, this should still be pursued. A lot of criminals use
cars, does that mean the police shouldn't look into car thefts?

~~~
skellera
His point is that most people aren't claiming their bitcoin earnings, which
means they aren't paying tax on it.

Why should my tax dollars go to find your money that you aren't paying taxes
on?

~~~
Klathmon
> Why should my tax dollars go to find your money that you aren't paying taxes
> on?

Because you have no proof that taxes aren't being paid. You (and others) have
just decided that some of these people are doing something wrong without any
kind of trial or even investigation and are saying that the government should
ignore everyone impacted because of those you assume are doing bad things?

At the same time, I don't believe the government should just tell you "tough
shit" if you've also done something illegal at some point.

~~~
skellera
Are the biggest exchanges reporting earnings to the IRS? No, Coinbase only
reported the top earners and is actively refusing to give all data.

There’s a reason why regulations were created and Bitcoin skirts around them.
Don’t expect those same regulations to protect you if you don’t follow them.
It’s the Wild West for crypto right now and some people are going to make it
big but the majority are going to lose.

~~~
Klathmon
But I and many others are following them, to the fullest extent.

"Bitcoin" doesn't skirt these regulations, people do. I agree that it's a
problem that some exchanges don't follow KYC laws, but it's not a law that
they must report every person's earnings to the IRS. Coinbase is following all
the required laws, and asking them to go above and beyond what is needed "or
else" you won't get help is mafia level tactics. And I'd love for you to give
me a list of exchanges that take USD and don't follow KYC laws (I'll save you
some time, there aren't any with any significant amount of users, because they
all get shut down).

And none of this has anything to do with Bitcoin, it has to do with Stellar. A
cryptocurrency that is ironically very KYC friendly as you don't use multiple
addresses, and all transactions are public. It's magnitudes easier to track
Stellar than it ever would be cash. (Or do you feel the same way that someone
that had cash robbed from their house shouldn't bother contacting police
because they were skirting the law?)

Not to mention that tons of criminals use the internet, and there are a nearly
unlimited number of illegal websites and "companies" which are doing bad
things online.

Does that mean we shouldn't expect any kind of law to protect us on the
internet?

Many car drivers routinely break traffic laws while driving, does that mean
that we shouldn't expect any kind of police help for car drivers?

You are assuming that some of the people here are breaking the law because
unrelated companies aren't going above and beyond the required laws, then
saying that none of the affected people should receive help because of it.

------
jdavis703
The hijacked server isn’t even displaying a security certificate. Why would
anyone conduct a financial transaction without this present? (I’m assuming
cryptocurrency holders are relatively sophisticated.)

Also can browsers do anything to warn users "the last time you visited this
URL there was a valid certificate, but there is no longer any, shall we
proceed?"

~~~
gruez
> Also can browsers do anything to warn users "the last time you visited this
> URL there was a valid certificate, but there is no longer any, shall we
> proceed?"

so... HSTS? afaik (at least with firefox), it doesn't even let you override
the warning.

------
archgoon
The article is a bit sparse on details of the actual attack. Was the original
site not over https? Or was the attacked site storing session cookies in
insecure cookies?

~~~
thoop
The website owner posted an update on this Reddit thread:
[https://www.reddit.com/r/Stellar/comments/7q9g31/statement_b...](https://www.reddit.com/r/Stellar/comments/7q9g31/statement_blackwallet_hacks_update/)

It looks like the hacker was able to log into the website's hosting provider
account. The hacker then changed the DNS to point to a different server that
had an exact copy of the blackwallet.co website but with a small injection of
some JavaScript to siphon off the master keys that people were entering.
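The DNS change described above is the kind of drift a zone owner can detect from the outside. The following is an added example, not code from the article or from BlackWallet: it parses dig-style answer lines from several resolvers (constructed sample data; `wallet.example`, the IPs and the nameserver are placeholders) and reports any A or NS record that differs from an allowlist, distinguishing a change at the authoritative server from a disagreeing recursive resolver.

```python
import re
from collections import defaultdict

# Dig-style answer lines per resolver, constructed for this example.
# 198.51.100.77 plays the attacker's clone server; nothing here is real data.
SAMPLE_ANSWERS = {
    "authoritative": [
        "wallet.example. 300 IN A 198.51.100.77",
        "wallet.example. 3600 IN NS ns1.hoster.example.",
    ],
    "8.8.8.8": [
        "wallet.example. 212 IN A 192.0.2.10",  # still serving the cached old answer
        "wallet.example. 3600 IN NS ns1.hoster.example.",
    ],
}

# Allowlist of the records the zone owner expects (also constructed).
EXPECTED = {"A": {"192.0.2.10"}, "NS": {"ns1.hoster.example."}}

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS|CNAME|MX)\s+(\S+)$")


def parse_answers(lines):
    """Return {rtype: set(values)} from dig-style answer lines; skip junk lines."""
    records = defaultdict(set)
    for line in lines:
        m = RR_RE.match(line.strip())
        if m:
            _name, _ttl, rtype, value = m.groups()
            records[rtype].add(value)
    return dict(records)


def find_drift(expected, answers_by_resolver):
    """Compare every resolver's view against the allowlist.

    Returns (resolver, rtype, kind, value) tuples where kind is 'unexpected'
    (value not in the allowlist) or 'missing' (an allowlisted value is gone).
    A finding on the authoritative view means the zone itself was changed,
    as with a compromised hosting account; a finding only on a recursive
    resolver points at a stale cache or poisoning instead.
    """
    findings = []
    for resolver, lines in answers_by_resolver.items():
        seen = parse_answers(lines)
        for rtype, allowed in expected.items():
            got = seen.get(rtype, set())
            findings += [(resolver, rtype, "unexpected", v) for v in sorted(got - allowed)]
            findings += [(resolver, rtype, "missing", v) for v in sorted(allowed - got)]
    return findings


if __name__ == "__main__":
    for finding in find_drift(EXPECTED, SAMPLE_ANSWERS):
        print("ALERT %s %s %s %s" % finding)
```

In practice the answers would come from querying the authoritative nameservers and a few public resolvers on a schedule, alerting on any finding rather than printing it.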

~~~
rootsudo
Simple yet effective.

