Blockchain.com Phishing Site Microsoft Edge MrPuma86

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Blockchain.com

Blockchain.com is a web wallet where users log in and manage their funds. Scammers created a phishing copy of the website which acted as a proxy to the real site. Logging in and withdrawing each require a 2FA code; however, the user is tricked into providing the code multiple times. They first provide it to attempt a login, then provide it again for the withdrawal, believing that their login has failed and needs to be retried. The subsequent 2FA codes are used to complete the withdrawal.

About MrPuma86

About Blockchain.com

"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."[1][2]

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.


"[B]efore this happened to me, I did not even know people can get phis[h]ed through ad links. I thought it was just something that happens through dodgy emails."


"You could be right. It might be fake. But you just don’t know. I got scammed 1 BTC last week. Literally clicked on an ad in Microsoft Edge for Blockchain.com but it was a phishing site. Who would think Microsoft would allow scammers to easily use their platform. Fair enough I was stupid to fall for it. For some reason I thought having 2fa I would be invincible, what an expensive fucking lesson. Having nightmares about it ever since, but people still called my post fake too. Man these scammers/hackers are the 2nd worst scum of the earth."[3]

"Was the Blockchain.com exchange. Using Google Auth. Emails were not compromised. I’m stupid but if you type Blockchian in Microsoft Edge, the first ad that says Blockchain Wallet comes up. The phis[h]ing website only appears once on a new ip address. Really clever in disguising themselves."

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Blockchain.com Phishing Site Microsoft Edge MrPuma86
Date | Event | Description
January 7th, 2022 5:06:22 AM MST | Situation Update Request | MrPuma86 posts to request a situation update on PowerOfTheGods, who was also breached in a similar way[4].
January 8th, 2022 7:33:13 AM MST | Mention Of Scam | The first time MrPuma86 mentions the scam and the amount lost of 1 BTC[3].
January 8th, 2022 4:54:24 PM MST | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Blockchain.com Phishing Website

A Blockchain.com phishing website was reachable through an ad shown in Microsoft Edge[3].

"You could be right. It might be fake. But you just don’t know. I got scammed 1 BTC last week. Literally clicked on an ad in Microsoft Edge for Blockchain.com but it was a phishing site. Who would think Microsoft would allow scammers to easily use their platform. Fair enough I was stupid to fall for it."


Withdrawals Without Requiring 2FA

It appears that 2FA is not required to withdraw funds[3][5][6].

"For some reason I thought having 2fa I would be invincible, what an expensive lesson. Having nightmares about it ever since, but people still called my post fake too. Man these scammers/hackers are the 2nd worst scum of the earth."

"Was the Blockchain.com exchange. Using Google Auth. Emails were not compromised. I’m stupid but if you type Blockchian in Microsoft Edge, the first ad that says Blockchain Wallet comes up. The phis[h]ing website only appears once on a new ip address. Really clever in disguising themselves."


"The website was spoofing. So as I entered the details. The website must have gained access to the real website. Unfortunately blockchain.com doesn’t have 2fa for withdrawals."


"Ok. So full details. When I entered my details, it asked for authorisation via email, it showed my Web Browser and Windows, which was correct (ip address is dynamic so didn’t take note of it), I accepted the notification. Then the log in asked for 2fa, entered that. The screen was ‘loading’ and took too long so refreshed the screen and entered the 2fa again. It still didn’t load into blockchain.com wallet so refreshed again and entered the 2fa. By then I started getting email notification that my Bitcoin was being unstaked. Then I panicked like crazy. Tried logging in several times but it kept saying IP address is locked so did not let me log in. Then got 2 emails saying BTC has been withdrawn. I fucking fainted no joke. When I came to, managed to log in. Account was empty. Contacted support and they said it was my account and seed phrase so was my fault for breach. They said there was nothing they could do. But surely even 1BTC should have required 2fa."

Total Amount Lost

MrPuma86 reports that he was "scammed 1BTC"[3]. The first mention of the issue was on January 7th, 2022, and MrPuma86 reports that it happened "last week", which suggests a time roughly 7 days earlier[3]. The closing market price of bitcoin on January 1st, 2022 was $47,686.81[7].

Therefore, the total amount lost has been estimated at $48,000 USD.

Immediate Reactions

It is unclear how MrPuma86 immediately responded in this situation. His public posts on Reddit began roughly a week later[3].

Ultimate Outcome

Posting On Reddit

MrPuma86 posted on Reddit roughly a week after the events to report them to others[3].


"Looking online at reviews of blockchain.com I am now thinking maybe they withdrew my Bitcoin."


"[M]ore people should talk in more detail about how they got scammed/ hacked/ phished then it will help others from falling victim too."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

"[M]ore people should talk in more detail about how they got scammed/ hacked/ phished then it will help others from falling victim too."

General Prevention Policies

The issue comes about because the blockchain.com wallet uses the same 2FA system for both logins and withdrawals, and neither confirms withdrawals by email nor provides any window in which a withdrawal can be reverted or cancelled. In general, using an online web wallet is less secure, and the vast majority of funds should be stored offline.
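To make the weakness described here (and in the summary at the top of this page) concrete, the following is an added Python model, not Blockchain.com's code: a wallet that gates login and withdrawal with the same reusable TOTP check, beside a hypothetical hardened design where codes are single-use and a withdrawal needs a token bound to the amount and destination that only executes after a cancellation window. The TOTP seed, the token format and the one-hour window are constructed assumptions for illustration.

```python
import hmac, hashlib, struct

SECRET = b"constructed-demo-secret"  # constructed sample TOTP seed, not a real one

def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP for the 30-second window containing Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class WeakWallet:
    """The design this page describes: one TOTP check gates login and withdrawal alike."""
    def __init__(self): self.balance = 1.0
    def login(self, code, t): return code == totp(SECRET, t)
    def withdraw(self, code, amount, t):
        if code != totp(SECRET, t): return False
        self.balance -= amount
        return True

class HardenedWallet:
    """Hypothetical fix: codes are single-use, and a withdrawal needs a token bound to
    amount and destination that executes only after a 1-hour cancellation window."""
    def __init__(self): self.balance, self.used, self.pending = 1.0, set(), {}
    def login(self, code, t):
        if code != totp(SECRET, t) or code in self.used: return False
        self.used.add(code)
        return True
    def request_withdrawal(self, amount, dest, t):
        # the token would be emailed to the owner, who can cancel inside the window
        tok = hmac.new(SECRET, f"{amount}:{dest}:{t}".encode(), hashlib.sha256).hexdigest()[:12]
        self.pending[tok] = (amount, t + 3600)
        return tok
    def cancel(self, tok): return self.pending.pop(tok, None) is not None
    def execute(self, tok, now):
        if tok not in self.pending or now < self.pending[tok][1]: return False
        self.balance -= self.pending.pop(tok)[0]
        return True

def relay_against_weak(t=1641600000):
    """Victim types the login code into the proxy site; attacker reuses it to withdraw."""
    w, code = WeakWallet(), totp(SECRET, t)
    w.login(code, t)
    return w.withdraw(code, 1.0, t), w.balance  # (True, 0.0)

def relay_against_hardened(t=1641600000):
    w, code = HardenedWallet(), totp(SECRET, t)
    first, replay = w.login(code, t), w.login(code, t)  # True, then False (consumed)
    tok = w.request_withdrawal(1.0, "attacker-addr", t)
    early = w.execute(tok, t + 60)  # False: still inside the cancellation window
    return first, replay, early, w.cancel(tok), w.balance  # (True, False, False, True, 1.0)
```

The single-use rule alone would not stop a proxy that relays a fresh code; it is the action-bound token plus the cancellation window that gives the owner a chance to stop the withdrawal.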

Individual Prevention Policies

The funds were stored in an online web wallet. This is highly insecure as there are a wide range of attacks which can trigger a withdrawal and/or fool the user into providing authorization for withdrawal.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Platforms can ensure greater knowledge for users, better platform security, and work together to set up an industry insurance fund.

Increasing User Education

Increased education can ensure that users are aware of phishing attacks and the steps they can take to better secure accounts.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Improved Platform Security

The Blockchain platform allows withdrawals without the user being required to prove intent on a second device. This is an issue because there is no way of knowing that the intent originated from the user as opposed to malware on the device.

All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the same third party not perform the inspection again within a 14 month period.

Greater security could be obtained by requiring multiple signatures from trusted individuals, in addition to the user. Each additional signature requirement exponentially increases the challenge of breaching the account.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Industry Insurance Fund

An industry insurance fund could assist affected users in the case of phishing attacks, and also assist with hunting down the perpetrator on a larger scale.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Regulators can ensure greater knowledge for citizens, better assessment of platform security, and work with industry to set up an insurance fund.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not have performed an assessment within the previous 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References
