You may have heard about all the vulnerabilities that computers have. About trojans and malware and ransomware that can lock up a city's public transportation or stop oil flows, increasing the price of gas. Computers have one well-known, un-patchable vulnerability though: CVE-PEBCAC. This is, partially, a story of social engineering.
People Want to be Helpful
Social engineering works because people want to be helpful. "Why did you open the door for that person you don't know? They don't work here!" for example. In my case, it was because I like to talk about Bitcoin that I became a target.
I got a friend request on social media. This is the kind of social media where you aren't supposed to only connect with people you know, because the point is to find people you don't know. Still, I looked at the profile. Costume designer. The person's profile is a month old. While this is a red flag, at the time I thought they needed new people added to their profile so they could meet new people, the whole point of the site. I was trying to be helpful. So I accepted it.
They message me. They said they saw me talking about cryptocurrency and that's why they wanted to connect. Oh, they got me with that one. I went to town about Bitcoin, not crypto, and even found, on the spot, a pretty good way of explaining the differences. The idea that when you buy a so-called crypto, you're buying into a ruleset. So they asked me to explain the ruleset. I say I need to first explain what a hash is, because the rest of the ruleset is highly dependent on an understanding of this. In hindsight, what I did next was pretty stupid. I created a hash of an explorer.exe file to demonstrate what a hash looks like. I was trying to be helpful, again. The problem with doing this is that it demonstrates what OS I'm running. As soon as I explain this, the attacker decides they're not really interested in talking anymore, because they've "learned enough".
They ask me if I would like to connect on Telegram. Now, look, I thought about this for a moment. We just met, we didn't really have that great of a conversation, but my dumbass said fuck it, I can remove you if you get annoying or whatever. I get the message on Telegram and, as soon as I open the message to read it, I see a pop-up with a GUI that I don't recognize. It was at this moment that I knew I fucked up.
The Fight
Understand, I did not click a link, I was not prompted to install any software. All that happened was I opened a DM on Telegram. Nonetheless, I know time is of the essence. The longer I wait, the more access and the better rooted they'll get into my system. I close Telegram. I have Portmaster installed, so I start messing around with closing incoming connections. Not smart. I knew that, but I was trying to be fast and that meant I wasn't thinking right. A reverse TCP connect wouldn't be blocked by a firewall. I needed something else. I try to quickly download Malwarebytes. I know it's not the best, but it's free and I just need something for the sake of time. When I go to type in the internet search bar, my browser freezes up and nothing I type comes up. Suddenly, what I typed shows up again, and also "AAAAAAA". I recognize that. It's a preschool method for doing a buffer overflow on my browser. Thankfully, this confirms fully that I'm looking at a script kiddie. I download and run Malwarebytes. This was risky. The anti-virus could have been infected as it was trying to install, but it wasn't; I got lucky. It's removing things, and more things keep showing up. I'm worried this virus might be copying itself around in an attempt to outpace the anti-virus. I disconnect the internet. New things stop showing up.
I take a breath. I haven't won yet. I download a real anti-malware and pay for it. Again risky: I could have had my card details stolen, and I actually still don't know that they weren't, but I hope that Malwarebytes removed anything that could have tried that, at the very least. After I install the paid anti-virus, I disconnect the internet again. Now I've won.
The Aftermath
The hacker got their account banned from the site, but that doesn't mean they didn't make a new account. I looked through the anti-virus logs to see what it was I got: Trojan.Win32.Swisyn.fura. Swisyn Fura is a trojan that downloads the real virus from a command and control server. That's why disconnecting the internet worked. They didn't have a chance to establish persistence. This was a targeted attack. I believe they were trying to steal my Bitcoin.
Let me restate that.
I Got Hacked and Still Didn't Lose any Bitcoin
Multi-sig, baby! Hacking one computer isn't good enough. The only way PSBT files transmit between my spending computers is through QR codes. I never turn enough of them on to spend, unless I'm spending. Not enough of them needed to spend ever connects to the internet. I got my savings on lockdown in a vault. This isn't your shitcoiner setup, no no no, this is Sparrow wallet!
Yes, let this be an advertisement for Sparrow wallet (and probably signing devices too, but I don't have those).
Takeaway
Your takeaway might be that you shouldn't talk about Bitcoin, but that isn't the lesson here. We need to talk about Bitcoin to reach people who need Bitcoin.
The lesson is:
- If anyone seems a little too interested in you, they're probably an attacker.
- Telegram has a vulnerability where if you open a DM on Telegram for desktop on Windows, you can get hacked.
- Have anti-virus installed NOW.
- Disconnect from the internet and run your anti-virus if you think you have a virus.
- Multi-sig, baby! Multi-sig is freaking awesome! That saved my dumb ass. I got hacked and still didn't lose my Bitcoin. That's huge for anyone worried about self-custody. So don't be afraid to self-custody; use a multi-sig wallet like Sparrow, it's great!