Binance Square
kaymyg

cont'd

Update on the #hack theft and additional opsec lessons learned:

I have now further confirmed the #2FA bypass attack vector was a man-in-the-middle attack. I had received an email from the Indeed job search platform informing me that they had received a request to delete my account within 14 days. I was in bed at the time and was doing it from my phone via the mobile Gmail app.

I hadn't used Indeed forever and don't care for it, but obviously I thought it was unusual, as I didn't make such a request. As a security precaution, I wanted to know who made such a request and wanted to check if Indeed had access logs, so I tapped it on my phone.

Because I didn't use Indeed forever, I didn't remember my password so naturally I chose Sign in with Google. It took me to Indeed and I couldn't find a request log. Because I knew my old logins were already on the darkweb I figured someone must've got into my Indeed, and so I proceeded to enable 2FA.

Honestly I didn't care much for Indeed even if it did get deleted, and thought it was just some small time hobby hacker messing around with an old login from some old exposed database leak.

Turns out the Indeed email was a #spoofed phishing attack. The Indeed link I tapped in the Gmail app was a scripted South Korean web link, which in turn routed me to some fake Indeed site, which captured my Sign in With Google, then routed me to the real Indeed site. They hijacked the session cookie, enabling them to bypass 2FA, then accessed my Google account and abused browser sync.

Further general opsec lessons learned:

1. The mobile Gmail app will not show the sender's true email address or link URLs by default, which is a big opsec flaw. Refrain from tapping links in your mobile email client.

2. Refrain from using Sign In With Google or other #oAuth features. The convenience is not worth it due to the ease of phishing attacks that bypass 2FA. Even if it is not due to clicking a phishing link, a regular website could be compromised at no fault of your own. The expectation of 2FA security let my guard down.

kaymyg
cont'd

9. Make it a habit to regularly review your security and establish a standard operating procedure. Attackers can remain dormant and wait for the right moment to strike after waiting a very long time.

FWIW I do have a hardware wallet, this was not compromised. Yes you should use hardware wallets when you can, obviously. Also, to those who are alleging this is to dodge taxes, know that taxes from theft or hacks can no longer be deducted since after 2017.

The final tally is about $677k. Unfortunately the user has begun Tornado'ing. I do have some additional clues on the attacker but will keep them discreet at this time for the sake of continuing to determine the user's identity. I've also since filed a police report and reported it to the CEXs through which the attacker sent some of my funds.

It's a long shot, but I am willing to offer a $150k bounty for return of the funds, no questions asked and no further investigation. I would also consider a bounty-based forensics service (upfront-pay services, don't bother). An expensive lesson, but I'm still here. A painful setback, but the show must go on.

Above investigation was prompted by this post:

(@sell9000:
Just realized I got $500k drained from multiple wallet apps 46 hours ago

Think I got extension attacked, with two suspicious extensions that appeared on my chrome browser

does not feel good fam

still investigating)