Events of Friday - BitInstant Back Online

Afternoon folks! 

As many of you know, BitInstant was down starting Thursday evening and was turned back on today (Monday) with a limited relaunch.
None of your personal or transactional information has been leaked. We keep all of that data offline to protect everyone's privacy.
Over the weekend the BitInstant team has been hard at work securing our system after a sophisticated attack on Thursday evening. Overall, due to major choke points and redundancies in our system, the hacker was only able to walk away with $12,480 USD in BTC, sent in 3 installments totaling 333 BTC to the following bitcoin addresses:
 
15WeVhV1rSUVGqBWuzi4ogV3BGSwAw8fCX
12Sfsc4XVBfSkcz9CayqfZdhYuntbjtjXp
1Fimj1BzMBessvPw2RKeqvgPg7VLgJCQi
Background:
We've long been targeted by someone using social engineering tactics to attempt to compromise our various accounts at exchanges, with our hosting provider Amazon AWS, and even my personal accounts, mostly without success. At no time before yesterday had we ever had a single system or account compromised, through technical means or otherwise. For the sake of convenience I'll refer to this mystery person simply as "the attacker". This individual only succeeded because of a failure by the staff at our domain registrar, as I will explain below; we intend to move to a more secure registrar ASAP.
What happened:
The attacker contacted our domain registrar, Site5, posing as me and using an email address very similar to mine. They did so by proxying through a network owned by a haulage company in the UK, who I suspect are innocent victims just as we are. Armed only with knowledge of my place of birth and my mother's maiden name (both facts easy to locate in the public record), they convinced Site5 staff to add their email address to the account and make it the primary login (which prevented us from deleting it from the account). We immediately realized what was going on and logged in to change the information back. After we changed this info and locked the attacker out, overnight he was able to revert my changes and point our website somewhere else. Site5 is denying responsibility, but we suspect this was partly their fault.
After gaining access, they redirected DNS by pointing the nameservers at hetzner.de in Germany, and used Hetzner's nameservers to redirect traffic to a hosting provider in Ukraine. By doing this, they locked out both my login and Gareth's login, hijacked our email, and reset the login for one exchange (VirWox), enabling them to gain access and steal $12,480 USD worth of BTC. No other exchanges were affected, thanks to a combination of multi-factor authentication, OTPs, YubiKeys and automatic lockdowns.
The hacker was also able to pull a few hours of internal company emails. However, due to mandatory PGP encryption between members of our company and tools like Cryptocat, no sensitive information was breached.
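The chain above (registrar account taken over, nameservers moved to a different provider, mail redirected, then a password reset on an exchange) is visible from outside the company long before the exchange login is reset: the public NS and MX records change. The script below is an added example, not BitInstant's code, showing how a defender can baseline a domain's NS, MX and A records and alert on drift, with nameservers outside an allow-listed provider treated as the strongest signal. All hostnames, IPs and the allow-list suffix are constructed placeholders; a real deployment would replace the inline snapshots with resolver output (for instance from dnspython) and run on a schedule.

```python
"""Baseline checker for registrar-level DNS hijacks (added example, not BitInstant's code).

Compares a stored baseline of a domain's NS, MX and A records against a fresh
snapshot. A nameserver that is not under one of the allow-listed provider
suffixes is the classic sign of a registrar account takeover; an MX change is
the precursor to hijacking password-reset mail; an A change means web traffic
is being served from somewhere else. All data below is constructed inline.
"""
from dataclasses import dataclass

SEVERITY_ORDER = ("OK", "HIGH", "CRITICAL")

# Constructed allow-list: nameserver hostnames we expect our registrar/hoster to use.
ALLOWED_NS_SUFFIXES = (".awsdns-example.net",)


@dataclass(frozen=True)
class Snapshot:
    """Records observed for the domain at one point in time (sets of strings)."""
    ns: frozenset
    mx: frozenset   # "priority host" strings, e.g. "10 mail.example.net"
    a: frozenset    # IPv4 addresses of the web apex


@dataclass(frozen=True)
class Alert:
    severity: str
    record: str
    detail: str


def is_allowed_ns(host, allowed_suffixes):
    """True if the nameserver hostname ends with one of the allow-listed suffixes."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix.lower()) for suffix in allowed_suffixes)


def diff_snapshots(baseline, current, allowed_ns_suffixes):
    """Return a list of Alerts describing how `current` drifted from `baseline`."""
    alerts = []
    for host in sorted(current.ns - baseline.ns):
        if is_allowed_ns(host, allowed_ns_suffixes):
            alerts.append(Alert("HIGH", "NS", f"new nameserver inside allow-list: {host}"))
        else:
            alerts.append(Alert("CRITICAL", "NS",
                                f"nameserver outside allow-list (possible registrar takeover): {host}"))
    for host in sorted(baseline.ns - current.ns):
        alerts.append(Alert("HIGH", "NS", f"baseline nameserver no longer served: {host}"))
    if current.mx != baseline.mx:
        alerts.append(Alert("CRITICAL", "MX",
                            f"mail exchangers changed: {sorted(baseline.mx)} -> {sorted(current.mx)}"))
    if current.a != baseline.a:
        alerts.append(Alert("HIGH", "A",
                            f"web address changed: {sorted(baseline.a)} -> {sorted(current.a)}"))
    return alerts


def worst_severity(alerts):
    """Highest severity present, or "OK" when there is no drift."""
    if not alerts:
        return "OK"
    return max((alert.severity for alert in alerts), key=SEVERITY_ORDER.index)


# Constructed snapshots: the expected state, and one resembling the hijack described above
# (nameservers moved to an unrelated provider, mail pointed at a foreign SMTP host, web
# traffic served from another IP). RFC 5737 documentation addresses are used.
BASELINE = Snapshot(
    ns=frozenset({"ns-1.awsdns-example.net", "ns-2.awsdns-example.net"}),
    mx=frozenset({"10 mail.example-company.net"}),
    a=frozenset({"198.51.100.10"}),
)
HIJACKED = Snapshot(
    ns=frozenset({"ns1.hijack-example.de", "ns2.hijack-example.de"}),
    mx=frozenset({"10 smtp.hijack-example.at"}),
    a=frozenset({"203.0.113.7"}),
)


def main():
    alerts = diff_snapshots(BASELINE, HIJACKED, ALLOWED_NS_SUFFIXES)
    print(f"overall: {worst_severity(alerts)}")
    for alert in alerts:
        print(f"[{alert.severity}] {alert.record}: {alert.detail}")


if __name__ == "__main__":
    main()
```

Running it against the constructed hijacked snapshot reports CRITICAL with six alerts (two foreign nameservers, two baseline nameservers gone, MX changed, A changed). A legitimate nameserver rotation within the allow-listed provider only reaches HIGH, which keeps the CRITICAL level reserved for the registrar-takeover pattern the post describes.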
Information about the attacker:
Based on their general MO, the attacker is not highly technically skilled but is sneaky enough to cover their tracks. Some of the hosting providers they directed our domain at may have billing information, but such billing information is likely a stolen card. Geographically, I would personally suspect them to be Russian, based on the choice of providers and on past fruitless attempts that were clearly of Russian origin. They seem focused on me in particular and have tried many times to gain access to my accounts (both personal and business).
Other parties involved (the attacker used these parties in some way):
meta.ua - email provider
hetzner.de - nameservers for the first attempt were hosted here
ukraine.com.ua - hosting provider involved in the first hijack
smtp.parkside.at - mail provider which was involved in the email hijack
Circle Express Ltd - their network was used as a proxy; the actual IP is registered to BT PLC but is used by Circle Express on a business line of some variety
So, we wanted to provide this update in order to continue our practice of transparency, but also as a lesson to the community: you must be ever-vigilant in making security your top priority. We outline many more of our security protocols here: bitinstant.com/security
Thanks for your patience, support, and trust during these times. 
- The Team @ BitInstant. 

Reader Comments (45)

Interesting reading; I'm not sure who is speaking.

BUT MY MONEY IS STILL NOWHERE TO BE FOUND!!!!!!!!!!!!!!!!!!!!!!!

March 5, 2013 | Unregistered CommenterSME

is there no longer going to be a deposit to btc-e option?

March 5, 2013 | Unregistered Commenterehh

Yeah, I was also hoping to do some trading between Mt. Gox and BTC-E but the option is gone.

March 5, 2013 | Unregistered CommenterAnonymous

3 installments *totaling* 333 BTC.

At first I thought that was 3 installments of 333 BTC each. Phew.

March 5, 2013 | Unregistered CommenterAnonymous

thanks for sharing...too bad there are a-holes everywhere.
will btc to email ever be available? if not what is the easiest/quickest alternative?

March 5, 2013 | Unregistered Commenterjp

I guess it is obvious that there are still security holes, as BTC to email and BTC ADDRESS are still not available. Either they are a security hazard, or they have no plans to put these back in service. Shame, it's why I used the service.

March 6, 2013 | Unregistered CommenterAnonymous

What's up with Bitcoin to email? Can you give us an update if or when this service might be back?

March 6, 2013 | Unregistered Commentermeh

Now this is how to report a security breach, excellent depth and amount of detail.

March 6, 2013 | Unregistered CommenterIsokivi

yes, my money was sent on Tuesday and no BTC yet. these are good folks, tho--be patient. thx bitinstant for the transparency. hope to see my btc soon, tho!

March 6, 2013 | Unregistered Commenterss57

Yeah, I've still got a lot of money tied up, to be sent to BTC-e. It really sucks this had to happen; time is definitely money with bitcoins. I only used my btc-e account because the usual bit-coin address was not available. I hope this issue is resolved soon. =/

March 7, 2013 | Unregistered CommenterMarky

Money sent to them Tuesday night. After many emails and calls still no money, or response. What is going on?

March 7, 2013 | Unregistered CommenterJFLETC

I also sent them a large chunk of change on Tues while they had bitcoin wallet running. Shortly after I sent my funds I checked and noticed that my order had somehow "failed". I emailed Rachel in support, who stated my coins should be sent shortly and that there was an issue with the exchange... now over 2 days later... no more emails... no more responses to my repeated emails... and my order id has disappeared. Looks like I will have to find another place to buy bitcoin now :( Also hope you guys enjoy the money you stole... that's the last time I plan on doing business with these jokers

March 7, 2013 | Unregistered Commenternothappy

Before mine even failed yesterday, she was helping me get past the 505 server error before I could even place an order/transaction. And if they'd already had a problem or knew this would happen before I even made the transaction that failed, that would be messed up. I feel like I've been led into a trap, a scam. I've got the order/quote id and Dwolla transaction number. I hope I get my funds on my account soon. I'm not letting something like that slide; this has wasted my time and money. =/

March 7, 2013 | Unregistered CommenterMarky

I sent them coins on Tuesday and now it's Thursday night. I sent an email and they said they'd send it "manually"... still no coins.

Why is it so hard to send BTC manually? It should be relatively easy...

March 7, 2013 | Unregistered CommenterFrank Danneksjold

Hi everyone,

We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in any way. We take security very seriously and have stringent safeguards in place to prevent social engineering.

Here is our public post as well with details:
http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions,
Thanks, Ben
CEO at Site5

March 7, 2013 | Unregistered CommenterBen - CEO at Site5

Hi Ben

I read your response; I'm just wondering why you stated that nobody at your company revealed the answers to the security questions? That wasn't what anyone claimed.

What actually happened was that the attacker was able to use ONLY these answers to access the account, they didn't even have to have access to the correct email address and were able to convince your staff to add a new email address.

It does not take a lot to figure out where Charlie was born based on where he lives, and finding out anyone's mother's maiden name is trivial with a quick check in public records. You get their birth certificate, find their mother, find the mother's marriage certificate and there it is.

To repeat:
Nobody has claimed that site5 told the attacker this information. The issue is that site5 allowed this individual to take control of the account armed ONLY with these 2 facts and that this was not sufficient to truly verify their identity.

March 7, 2013 | Unregistered CommenterGareth Nelson

Hi Gareth,

I just wanted to make 100% sure, without a doubt, that it was clear they got those from somewhere else. The answers to your security questions are the most important security step at Site5, and with those you can reset an email on the account or add a new one. Plus, those are required for anything where we change files and other key changes. That is always how we have had it set up to prevent social engineering.

To be rather blunt, you should have better security questions. You should always put in a custom answer; for example I might use the question mother's maiden name and then the answer is "L@J-289098=a9jaosdjf", which I keep in an encrypted text doc or encrypted note in 1Password.

Thanks, Ben

March 8, 2013 | Unregistered CommenterBen - CEO at Site5

Congratulations for your high level security. Just by reading this blog post I realize BitInstant has much better security practices than the company I work at, which happens to be an ISO 27001 certified company!

It's a pity that Bitcoin businesses are targeted so much by these crooks.

March 8, 2013 | Unregistered CommenterTiago

It should be noted that criticism of site5 has been erased from the comments on their blog:
http://joepie91.files.wordpress.com/2013/03/tstwje9w.png

Source: http://joepie91.wordpress.com/2013/03/08/site5-and-their-insecure-practices-and-questionable-business-ethics/

March 8, 2013 | Unregistered CommenterGareth Nelson

So how does that make BitInstant any better, since you guys stole from your customers and instead of addressing that you redirect the conversation? I'd like to have the bitcoin I already paid for on Tuesday (after your blog post said your site was back up, btw) but I don't see that happening... and STILL no response to emails. You guys owe a lot of people money and instead you talk about site5 removing comments. How about those orders you guys lost and now will not even acknowledge? Those of us that had orders Tues did not have orders Wed and no response to our emails... so please inform all of us how BitInstant plans on resolving that?

March 8, 2013 | Unregistered Commenternothappy
