Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
clipboard hijacking resulting in stolen crypto
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
aDownwardSpiral
n00b
n00b


Joined: 17 Jul 2024
Posts: 1

PostPosted: Sat Aug 31, 2024 12:07 am    Post subject: clipboard hijacking resulting in stolen crypto Reply with quote

I recently just lost crypto due to my clipboard somehow replacing the correct wallet address I was sending to with a very similar wallet address presumably controlled by a hacker. I was running a fully up to date gentoo box at the time of the attack, and a clamscan of my entire system resulted in 0 detected infected files. I am quite curious as to how this could have happened and would like to investigate further. Any advice on how to investigate deeper, or any theories on how this could have occurred would be greatly appreciated.

For more details, I was using the monero-gui wallet downloaded from getmonro.org. I initially sent a very small amount of monero to a wallet, and the funds were received with no issues. However about 10 minutes later I decided to send a larger amount of monero to the same wallet, but when copy and pasting the address this time somehow the address of the wallet got slightly altered, with the first 10 characters and last 8 characters being altered. The address also changed from a 106 character integrated address to a 95 character raw address. I obviously should have triple checked the address before sending, but was not expecting such an occurrence to happen.
Back to top
View user's profile Send private message
kgdrenefort
Guru
Guru


Joined: 19 Sep 2023
Posts: 312
Location: Somewhere in the 77

PostPosted: Sat Aug 31, 2024 5:19 am    Post subject: Reply with quote

Hello,

ClamAV isn't for your own security on Linux, it match against Windows virus. Plus it's not, per-se, an anti-virus but an anti-virus toolkit.

The best fails are the kind of yours, human error, we all fail at some level one day and lost stuff (money, datas, access…). Sorry for you. Hope it wasn't that much tho.

I really don't know how you were infected, if that's the case, but consider these always-good-security-advice :

- Gentoo, Hardened, is a plus but won't have helped you I guess here
- Close useless services and ports such as SSH (22) if not needed
- Avoid experimental release of software, specially some as web browser
- Keep up-to-date about GLSA alert on Gentoo
- Avoid crypto on your main box, I guess, and use a virtual machine or another computer for such things. Like a Raspberry PI with a simple WM running your wallet… It's enough.
- Don't be paranoid and don't cipher everything, you'll lost so much time for 0 more security. It's useful if you get robbed. If I want that hard the content, I'll just cut each of your fingers until you gave me that password, anyway. Save me, save you, some time :twisted: !!!

Regards,
GASPARD DE RENEFORT Kévin
_________________
Traduction wiki, pour praticiper.
Custom logos/biz card/website.
Back to top
View user's profile Send private message
sMueggli
Guru
Guru


Joined: 03 Sep 2022
Posts: 489

PostPosted: Sat Aug 31, 2024 8:04 am    Post subject: Reply with quote

kgdrenefort wrote:
ClamAV isn't for your own security on Linux, it match against Windows virus.


Please read and try to understand the ClamAV documentation first.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22612

PostPosted: Sat Aug 31, 2024 1:57 pm    Post subject: Reply with quote

Browsers are infamous for their terrible security practices, particularly around JavaScript. My guess would be that the OP did something in some web page that the browser interpreted as permission to update the clipboard contents, and that update replaced the good address with the bad one.

I would also assert that this is a minor failing of the tool that was used to send the crypto-currency. In my opinion, it ought to have a mechanism to warn the user that the entered address is not one that was ever used before, and ask the user to confirm that this never-before-used address is the intended one. If it had such a mechanism, it would have triggered a warning here, since the first (good) send would not have caused the second (bad) one to be treated as trusted.
Back to top
View user's profile Send private message
sam_
Developer
Developer


Joined: 14 Aug 2020
Posts: 1948

PostPosted: Sat Aug 31, 2024 11:20 pm    Post subject: Reply with quote

I would concur with Hu's assessment here. Knowing the tabs you had open at the time would help. It's possible that perhaps one of the sites had been infected with some JS which inspected the clipboard for something which looks like a wallet address and substitutes it if it finds one.

EDIT: I should say that I also suspect it's unlikely it was outside of the browser given it could just pretend you sent it to the right address, even.
Back to top
View user's profile Send private message
kgdrenefort
Guru
Guru


Joined: 19 Sep 2023
Posts: 312
Location: Somewhere in the 77

PostPosted: Sun Sep 01, 2024 7:39 am    Post subject: Reply with quote

sMueggli wrote:
kgdrenefort wrote:
ClamAV isn't for your own security on Linux, it match against Windows virus.


Please read and try to understand the ClamAV documentation first.


Don't see a difference, but if you like to start a debate.
_________________
Traduction wiki, pour praticiper.
Custom logos/biz card/website.
Back to top
View user's profile Send private message
Bob P
Advocate
Advocate


Joined: 20 Oct 2004
Posts: 3374
Location: USA

PostPosted: Sun Oct 20, 2024 9:17 pm    Post subject: Reply with quote

I may be a little extreme in the way I look at this, but IMO things have gotten to the point that with the advent of HTML5, I just don't trust browsers anymore. I think were at the point where spyware is built into every browser, and every web site that you visit is built using tools to share your data with anonymous third parties without you knowing what's going on. I feel like I need to fully sandbox them to protect myself.

I'm not at the point that I feel like I have to boot up tails on bare metal every time that I want to go online, but I am at the point that I won't run a browser outside of a virtual machine where that vm gets used for the task at hand and nothing else. I don't trust google, so I have a separate vm for everything google-related (google, youtube, etc.) and it doesn't get used for anything else. I have another VM that I use for general web browsing, another one for web based email, and another one for banking only. They all use a different browser in a different VM, and a fresh-install VM image gets copied over to a new VM for every online session and destroyed afterwards. I try not to leave any bread crumbs behind. As far as the rest of the world is concerned, it looks like I'm visiting their site after performing a brand-new bare metal installation.

I know it's extreme, but how else can you really protect yourself when the browser/internet system is designed to work against you?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum