Title: Two new MtGox phishing websites, always check for HTTPS
Post by: rme on May 29, 2013, 03:46:43 PM
Hi,
hxxp://mtgox.de and hxxp://mtgox.org are SCAM websites. Do not download any EXE, they are viruses. The original URL is https://mtgox.com (remember HTTPS and .COM).

Proof of virus in .de and .org domains:
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe
PLEASE DO NOT EXECUTE THESE VIRUSES

PLEASE REPORT THIS WEBSITE TO GOOGLE PHISHING, THIS WAY IT WILL BE BLOCKED IN BROWSERS

1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.org in the phishing URL field
3.- Write this in comments: "mtgox.org is a phishing site of the real mtgox.com website".

1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.de in the phishing URL field
3.- Write this in comments: "mtgox.de is a phishing site of the real mtgox.com website".

UPDATES:
mtgox.de is now in the phishing list (blocked by most browsers)
new phishing domain hxxp://mtgox.net
new phishing domain hxxp://mtgox.co.uk

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: escrow.ms on May 29, 2013, 03:50:07 PM
Thanks for warning and yeah I have seen mtgox.de on Google advertisement. :P
Looks like they are using AdSense.
http://img809.imageshack.us/img809/1222/lgt24d7.png

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: escrow.ms on May 29, 2013, 04:00:38 PM
Well, whois data of mtgox.de, .net and .org is the same.
And the MtGox guys are acting dumb.
https://twitter.com/c0k3in/statuses/339716874373849088
https://dazzlepod.com/ip/74.86.83.82/

who.is data of mtgox.de

Domain holder: Christian Schmitz
Address: Dr August Blank Str 7
Postal code: 51373
City: Leverkusen
Country: DE

Administrative contact
The administrative contact (admin-c) is the natural person appointed by the domain holder to act as his/her authorized representative and who also has the duty towards DENIC of taking binding decisions in all matters concerning the domain mtgox.de.
Name: Christian Schmitz
Address: Dr August Blank Str 7
Postal code: 51373
City: Leverkusen
Country: DE

Technical contact
The technical contact (tech-c) supports the domain mtgox.de with respect to technical aspects.
Name: Martin Hetzner
Organisation: Hetzner Online AG
Address: Stuttgarter Strasse 1
Postal code: 91710
City: Gunzenhausen
Country: DE
Phone: +499831610061
Fax: +499831610062
E-mail: info@hetzner.de

Zone administrator
The zone administrator (zone-c) supports the name servers of the domain mtgox.de.
Name: Martin Hetzner
Organisation: Hetzner Online AG
Address: Stuttgarter Strasse 1
Postal code: 91710
City: Gunzenhausen
Country: DE
Phone: +499831610061
Fax: +499831610062
E-mail: info@hetzner.de

Technical data
Name server: ns.second-ns.com
Name server: ns1.your-server.de
Name server: ns3.second-ns.de

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: escrow.ms on May 29, 2013, 04:18:48 PM
Actually I checked the source code and it's suspicious for sure.
Real mtgox: http://pastie.org/7980108
mtgox.de: http://pastie.org/7980104

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: ivanc on May 29, 2013, 04:34:30 PM
Did Mtgox confirm it was a scam?
I don't think they did.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: The 4ner on May 29, 2013, 04:35:57 PM
Either way it's good to know. Thanks for the heads up OP.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: OpenYourEyes on May 29, 2013, 04:41:24 PM
Also report them here.
https://www.badwarebusters.org/community/submit

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: redtwitz on May 29, 2013, 04:50:35 PM
Quote from: ivanc
Did Mtgox confirm it was a scam?
I don't think they did.

What's to confirm? The MtGox website says:

Quote
IMPORTANT: If you don't see a green bar in your browser URL input like the image below, you might be on a phishing website! Always be very careful of that when you login.

(The fact that they haven't edited that part out of the phishing site is a nice touch.)

If you submit the form, your username and password get sent to mtgox.de. That domain points to 74.86.83.82, which is a SoftLayer IP address.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: The 4ner on May 29, 2013, 04:52:28 PM
+1

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: Fiyasko on May 29, 2013, 04:56:01 PM
Thanks! I reported the sites just as you suggested.
I don't even use MtGox.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: Knecke on May 29, 2013, 04:57:50 PM
I will report this person to the German police, it's a fraud attempt.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: ThatDGuy on May 29, 2013, 05:22:10 PM
Reported - thanks for the quick documentation to make this easy!

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: ivanc on May 29, 2013, 06:08:16 PM
A few important things to understand:
- Google phishing is not used by IE, Opera, Safari, etc.
- the whois information is faked, so don't bother reporting the guy, you don't know him.
- the green bar in the browser unfortunately doesn't mean much, as it's rather easy to get an EV certificate for any domain for the "Mtgox Tibanne" name. The only thing of value is the domain name in your address bar.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: rme on May 29, 2013, 06:34:34 PM
Quote from: ivanc
Did Mtgox confirm it was a scam?
I don't think they did.

If you want to check it download these files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe
If you do not execute them you are fine. Your AV will notify that they are viruses.
In 4 minutes I will upload the virus to VirusTotal.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: rme on May 29, 2013, 06:45:46 PM
UPDATES:
mtgox.de is now in the phishing list (blocked by most browsers)
new phishing domain hxxp://mtgox.net
new phishing domain hxxp://mtgox.co.uk

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: rme on May 29, 2013, 07:11:45 PM
Quote
omg, I accidentally clicked mtgox.de today, but I closed it in like a few seconds. Should I worry about it? Could I have a virus by now?

If you don't use Internet Explorer and you did not download any .exe you are fine.
You can always run a virus check ;)

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: escrow.ms on May 29, 2013, 07:17:25 PM
Quote from: ivanc
Did Mtgox confirm it was a scam?
I don't think they did.

Quote from: rme
If you want to check it download these files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe
If you do not execute them you are fine. Your AV will notify that they are viruses.
In 4 minutes I will upload the virus to VirusTotal.

Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.

Title: Re: Two new MtGox phishing websites, always check for HTTPS
Post by: rme on May 29, 2013, 07:34:33 PM
Quote from: ivanc
Did Mtgox confirm it was a scam?
I don't think they did.

Quote from: rme
If you want to check it download these files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe
If you do not execute them you are fine. Your AV will notify that they are viruses.
In 4 minutes I will upload the virus to VirusTotal.

Quote from: escrow.ms
Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.

This zip contains the two MTGOX viruses:
(CAUTION, VIRUS) http://xena.ww7.be/wsj/trojan.zip (CAUTION, VIRUS)
https://malwr.com/submission/status/MTEwZDcyNTM2ZTYzNGVmYTljNTMwMDBkOWU0MTVkNzU/
https://www.virustotal.com/es/file/d262bb2faf6d0bcd7064e0b51509dbbca7c8c90ac97d4e07fc97e527fa915833/analysis/1369856227/
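
The check this thread keeps coming back to (HTTPS plus the exact mtgox.com domain name), written out as an added example that is not part of any post above. It sorts URLs such as the ones quoted in the thread into genuine, no-https, lookalike or unrelated; the function names and the sample list are constructed for illustration.

```python
from urllib.parse import urlsplit

LEGIT_HOST = "mtgox.com"   # the genuine site named in the first post
BRAND_LABEL = "mtgox"      # the label the look-alike domains reuse

def refang(url: str) -> str:
    """Make a defanged (hxxp://) or bare-domain string parseable by urlsplit."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]          # hxxp -> http, hxxps -> https
    if "://" not in url:
        url = "//" + url                # bare domain: parse it as a host
    return url

def classify(url: str) -> str:
    """Return 'genuine', 'no-https', 'lookalike' or 'unrelated'."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".").lower()
    # Only mtgox.com itself or a subdomain of it counts as the real site.
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return "genuine" if parts.scheme == "https" else "no-https"
    # Same brand label under any other suffix (.de, .org, .net, .co.uk ...).
    if BRAND_LABEL in host.split("."):
        return "lookalike"
    return "unrelated"

def triage(urls):
    """Classify every URL in a list; returns {url: verdict}."""
    return {u: classify(u) for u in urls}

# Constructed sample list built from addresses mentioned in the thread.
SAMPLES = [
    "https://mtgox.com",
    "http://mtgox.com/",
    "hxxp://mtgox.de/MTGOX_Wallet.exe",
    "hxxp://mtgox.org/MTGOX_Wallet.exe",
    "hxxp://mtgox.net",
    "mtgox.co.uk",
    "https://malwr.com",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {url}")
```

Anything reported as lookalike or no-https is a candidate for blocking or for the reporting steps in the first post; only the exact domain over HTTPS is treated as the real site.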