LocalBitcoins, the site used around the world to buy and sell Bitcoin, was targeted with a phishing attack over the weekend, leading to around 8 BTC being stolen, although the actual total may be more than twice that. Users logging into the site were shown a convincing copy of the LocalBitcoins login page, which captured their login details and 2FA codes; those codes were then used to empty their accounts.
Source: LocalBitcoins’ report on the security vulnerability, 26.01.2019, posted to r/localbitcoins.
Forum Weakness Exploited
The suspicious activity was first reported on Reddit, where a warning post quickly spread through other social media, but not before around $28,000 worth of BTC had been stolen. Users speculated about the avenue of attack, with the site’s forum the suspected point of entry. One victim described the method of attack:
Apparently the exploit is related to localbitcoins’ forum software…but what happened is the exploit hijacks your browser and makes you see a fake login prompt page when really on the backend the hacker is actually redirecting you to LBC’s withdrawal page. So once you enter that 2FA code, you’re actually withdrawing your entire balance to the attacker’s wallet.
It seems that the hackers compromised the third-party software used to run the LocalBitcoins forum. Because the forum was served from the LocalBitcoins domain itself, the fake login prompt appeared on the real site: bookmarks and the address bar still pointed at localbitcoins.com, so the usual advice to check the URL offered no protection. The same poster put it this way:
My browser was updated to the latest version too. And this hacker was able to bypass the built-in protections of the browser. Since I have localbitcoins bookmarked, I never thought that I was gonna get phished. But if the attackers can hijack third-party software on the site (i.e. forum) or if they hijack the DNS, you can get man-in-the-middle attacked.
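The mechanism the victim describes is a real-time relay: the code the user types into what looks like a login prompt is a plain time-based 2FA code, and nothing ties it to the login action, so the injected page can submit it to the withdrawal endpoint instead. The following is an added illustration written for this article, not code from LocalBitcoins or from the Reddit thread. It implements standard TOTP (RFC 6238), models a wallet that accepts any valid TOTP code for any action, and contrasts it with a hypothetical wallet whose withdrawal code is bound to the amount and destination, so that a code relayed from a fake login prompt no longer works. The class names, the `withdraw:amount:dest` binding string and the account balance are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with (unix time // step) as the counter.
    This is the code a normal authenticator app displays, valid for any action."""
    return hotp(secret, at // step)


def action_code(secret: bytes, at: int, action: str, step: int = 30) -> str:
    """Hypothetical transaction-bound code (assumption, not LocalBitcoins' scheme):
    the HOTP key is derived from the shared secret AND the action details, so a code
    minted for one action (login) cannot authorise another (withdrawal). In practice
    the authenticator must be shown 'action' out of band (push message, hardware
    signer) so the user sees the amount and destination they are approving."""
    bound_key = hmac.new(secret, action.encode(), hashlib.sha256).digest()
    return hotp(bound_key, at // step)


class VulnerableWallet:
    """Login and withdrawal both accept the same plain TOTP code."""

    def __init__(self, secret: bytes, balance_sats: int):
        self.secret = secret
        self.balance_sats = balance_sats

    def login(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))

    def withdraw(self, code: str, amount_sats: int, dest: str, now: int) -> bool:
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.balance_sats -= amount_sats
        return True


class HardenedWallet(VulnerableWallet):
    """Withdrawal requires a code bound to this exact amount and destination."""

    def withdraw(self, code: str, amount_sats: int, dest: str, now: int) -> bool:
        expected = action_code(self.secret, now, f"withdraw:{amount_sats}:{dest}")
        if not hmac.compare_digest(code, expected):
            return False
        self.balance_sats -= amount_sats
        return True


def relay_phish(wallet: VulnerableWallet, now: int, attacker_dest: str) -> bool:
    """Simulate the attack in the article: the user believes they are logging in and
    types the code their authenticator app shows (a plain TOTP). The injected page
    forwards that code to the withdrawal endpoint for the full balance."""
    typed_code = totp(wallet.secret, now)  # what the user's app displays for 'login'
    return wallet.withdraw(typed_code, wallet.balance_sats, attacker_dest, now)


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 4226/6238 test-vector secret
    now = 1548460800                        # constructed timestamp (26 Jan 2019)
    v = VulnerableWallet(secret, 800_000_000)   # 8 BTC in satoshis, constructed
    print("vulnerable wallet drained:", relay_phish(v, now, "attacker-addr"), v.balance_sats)
    h = HardenedWallet(secret, 800_000_000)
    print("hardened wallet drained:  ", relay_phish(h, now, "attacker-addr"), h.balance_sats)
    # A legitimate withdrawal on the hardened wallet: the user approves these details.
    ok = h.withdraw(action_code(secret, now, "withdraw:100000000:my-own-addr"),
                    100_000_000, "my-own-addr", now)
    print("legitimate withdrawal:    ", ok, h.balance_sats)
```

The point of the hardened variant is not the HMAC arithmetic but the binding: a phishing page that wants a valid withdrawal code has to get the real amount and destination in front of the user’s authenticator, which is exactly what a fake login prompt is trying to hide. The same applies to a compromised component on the legitimate domain, since the defence does not depend on the user noticing anything about the page.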
Swift Response
Having been around since 2012, LocalBitcoins has, unsurprisingly, fallen victim to hacks before. Almost four years ago to the day, on January 27, 2015, 17 BTC was lost through a hack of the platform’s live chat facility, and in May 2014 a hacker managed to gain root access to the LocalBitcoins server, although no funds were taken. Beyond LocalBitcoins, towards the end of 2018 attackers added malicious servers to the Electrum wallet network and used fake error messages to push users into downloading a counterfeit version of the wallet, leading to over 240 BTC being stolen.
Attacks like this are not uncommon, and LocalBitcoins won’t be the last target, but the speed with which it dealt with the incident, taking the forum offline, informing users and refunding those affected, shows a degree of professionalism that some other exchanges could do well to emulate. The lesson for users is less comfortable: a bookmark, a correct domain and an up-to-date browser do not protect against content injected through a compromised component of the legitimate site, and a 2FA code that is valid for any action can be relayed to whichever action the attacker chooses.