Bitcoin Forum

Other => Beginners & Help => Topic started by: theDF on August 29, 2013, 11:28:25 PM



Title: [BEWARE] Novacoin Phishing Site!
Post by: theDF on August 29, 2013, 11:28:25 PM
I just got this PM

Hi,
My Novacoin giveaway has began! I am a large holder in NVC and want to boost it's popularity. To do this I am offering the equivalent of 15$ in NVC for every person that gets the NovacoinQT wallet and sends me the newly made address.

I will be doing this up to the one hundredth address I receive and depending on the results I get on the NVC market I will either continue or discontinue these giveaways. Please do not attempt to send me multiple addresses, I have my ways of finding out. After downloading the wallet send me a pm on here with your NVC address. Hope you realise the investment opportunity that is Novacoin!

You can get the wallet from Novacoin.org

Thanks

Be careful with the link, it goes to novascoin.org instead of the real novacoin.org

*link removed for safety


Title: Re: Novacoin phishing site
Post by: frankenmint on August 29, 2013, 11:30:54 PM
Same, guys, I did too. Don't fall for the greed on this one here. Whois lookup is pasted... clearly shows the site was registered yesterday.


Quote
   

Domain ID:D169540408-LROR
Domain Name:NOVASCOIN.ORG
Created On:28-Aug-2013 23:38:45 UTC
Last Updated On:29-Aug-2013 17:55:53 UTC
Expiration Date:28-Aug-2014 23:38:45 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
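
The registration-date check from the WHOIS lookup above, as an added example that is not part of any post in this thread: it parses the quoted record and reports how old the domain was when the PM arrived. The 30-day threshold and the reading of the first post's timestamp as UTC are assumptions.

```python
from datetime import datetime, timedelta, timezone

# WHOIS fields exactly as quoted in the post above.
WHOIS_TEXT = """\
Domain ID:D169540408-LROR
Domain Name:NOVASCOIN.ORG
Created On:28-Aug-2013 23:38:45 UTC
Last Updated On:29-Aug-2013 17:55:53 UTC
Expiration Date:28-Aug-2014 23:38:45 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
"""

# Timestamp of the first post in the thread, read as UTC (assumption).
PM_SEEN = datetime(2013, 8, 29, 23, 28, 25, tzinfo=timezone.utc)


def parse_whois(text):
    """Split the 'Key:Value' lines of this WHOIS format into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skip prose lines and empty values
            fields[key.strip()] = value.strip()
    return fields


def parse_ts(value):
    """Parse timestamps of the form '28-Aug-2013 23:38:45 UTC'."""
    ts = datetime.strptime(value, "%d-%b-%Y %H:%M:%S UTC")
    return ts.replace(tzinfo=timezone.utc)


def domain_age_report(text, seen_at, min_age_days=30):
    """Report how old a domain was at seen_at and flag fresh registrations."""
    fields = parse_whois(text)
    if "Created On" not in fields:
        raise ValueError("WHOIS reply has no creation date")
    created = parse_ts(fields["Created On"])
    expires = parse_ts(fields["Expiration Date"])
    age = seen_at - created
    return {
        "domain": fields["Domain Name"].lower(),
        "age_hours": round(age.total_seconds() / 3600, 1),
        "term_days": (expires - created).days,   # length of the registration
        "newly_registered": age < timedelta(days=min_age_days),
    }


if __name__ == "__main__":
    print(domain_age_report(WHOIS_TEXT, PM_SEEN))
```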


Title: Re: Novacoin phishing site
Post by: faetos on August 29, 2013, 11:31:51 PM
Thanks for the heads up. I'm curious to see what the malware looks like via a cuckoo sandbox.

FYI - you may want to remove the hyperlink so no one clicks on it out of curiosity.

I ran the site through Anubis and here is the report: http://anubis.iseclab.org/?action=result&task_id=1edafa42a570f2ab4f5c6d89c75cc353c



Title: Re: Novacoin phishing site
Post by: cryptograd on August 30, 2013, 05:18:24 AM
Just downloaded this and installed .exe

Should I reinstall Windows?

Luckily this isn't my main machine

Any idea what this .exe is?

A keylogger? A virus? Spyware?


Title: Re: Novacoin phishing site
Post by: JoeMattie on August 30, 2013, 05:28:17 AM
Ran this on a fresh laptop under ap-isolation.

The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)

Then it sits listening to port 1640

I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched



Title: Re: Novacoin phishing site
Post by: cryptograd on August 30, 2013, 05:31:47 AM
Ran this on a fresh laptop under ap-isolation.

The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)

Then it sits listening to port 1640

I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched



so this would only affect individuals who have localized bitcoin wallets running on their machines?

would it intercept the coin between nodes?

are cloud based wallets affected at all?


Title: Re: Novacoin phishing site
Post by: phillipsjk on August 30, 2013, 05:32:44 AM
If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.

Without disassembling the software, we don't know what it does.

There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.

Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).


Title: Re: Novacoin phishing site
Post by: theDF on August 30, 2013, 05:37:49 AM
If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.

Without disassembling the software, we don't know what it does.

There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.

Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).

So it is waiting for the creator's command to do what the command is?
could it be a multipurpose malware?


Title: Re: Novacoin phishing site
Post by: b!z on August 30, 2013, 09:30:21 AM
If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.

Without disassembling the software, we don't know what it does.

There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.

Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).

So it is waiting for the creator's command to do what the command is?
could it be a multipurpose malware?

could be remote access tool, some guys before were pulling off a giveaway scam and remote controlling pc + stealing coins manually

if you opened the .exe, format your drive :-)


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Balthazar on August 30, 2013, 01:45:02 PM
https://bitcointalk.org/index.php?topic=283973.msg3040804#msg3040804

Maybe I'll try to inspect this .exe later, but HDD formatting is the best solution at the moment.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: hacked1 on August 30, 2013, 04:46:41 PM
I was hacked last night due to that spam private message directing you to novascoin.com

the url redirects to NOVAScoin... with an S instead of novacoin.

The person successfully changed the password to my original forum handle "cryptograd"

Moderators please help

https://i.imgur.com/BpheZ5W.jpg


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: minerpumpkin on August 30, 2013, 10:24:56 PM
Just received the scam message from the hacked cryptograd account.
I've submitted an abuse report with sourceforge.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: monbux on August 30, 2013, 10:26:45 PM
haha, just got their message loled so hard... is it a bought account?


Title: Re: Novacoin phishing site
Post by: PinkBatman on August 30, 2013, 10:46:34 PM
Ran this on a fresh laptop under ap-isolation.

The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)

Then it sits listening to port 1640

I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched



so this would only affect individuals who have localized bitcoin wallets running on their machines?

would it intercept the coin between nodes?

are cloud based wallets affected at all?

I just got the same PM from you cryptograd. Watch out.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: pedrog on August 30, 2013, 10:59:28 PM
Shit, installed novacoin-qt for nothing...

novascoin.org has the same links to sourceforge as novacoin.org, how does our system get compromised in this attack?


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Hekuro on August 31, 2013, 12:40:09 AM
I just got this PM (from cryptograd) and opened the link, however I didn't download anything.
I'm using Google Chrome on Xubuntu 13.04. Is there some risk of my PC being infected now (probably not but better safe than sorry)  ;)


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: grums on August 31, 2013, 01:06:59 AM

I also got a PM from cryptograd, (I believe his account has been hacked after installing the file)

I downloaded the File but never installed it. Should I be worried? Or is it okay because I never installed the exe?


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: smscotten on August 31, 2013, 01:42:45 AM
Yeah, I got one from cryptograd too. I didn't even think to click the link, I just typed "novacoin" into my search bar and followed the link on the novacoin.org (no s) site to sourcesforge (kidding) and downloaded the qt client.

So I think I'm safe but if anyone gets any strange PMs from me…


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: smscotten on August 31, 2013, 01:55:12 AM
BTW, I joked about "sourcesforge" but the fake novaScoin dot org is a copy of the real site but with a link to sourceforge.net—it's a real (well, an actual fake) project on sourceforge.

So it wouldn't hurt to go to http://sourceforge.net/projects/novascoinqt/ and leave some reviews (edit to add: and abuse reports) so that unsuspecting visitors don't get duped.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: pedrog on August 31, 2013, 02:06:43 AM
BTW, I joked about "sourcesforge" but the fake novaScoin dot org is a copy of the real site but with a link to sourceforge.net—it's a real (well, an actual fake) project on sourceforge.

So it wouldn't hurt to go to http://sourceforge.net/projects/novascoinqt/ and leave some reviews so that unsuspecting visitors don't get duped.

Oh, now I get it!

The fake sf.net project link is in the big download button in the front page, I was checking the links in the "Installation" page, those are legit...


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Balthazar on August 31, 2013, 02:13:02 PM
Shit, installed novacoin-qt for nothing...

novascoin.org has the same links to sourceforge as novacoin.org, how does our system get compromised in this attack?
Links are not the same.

sourceforge.net/projects/novascoinqt/files/

vs.

sourceforge.net/projects/novacoin/files/

// I've sent file to Kaspersky Lab and DrWeb.

Please report this file here

newvirus@kaspersky.com
https://vms.drweb.com/sendvirus/?lng=en
http://www.symantec.com/security_response/submitsamples.jsp
https://analysis.avira.com/
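
The link comparison above, and the one-letter domain difference reported at the start of the thread, as an added example that is not part of any post: it classifies a link against known-good identifiers by checking the host, or the project slug for SourceForge URLs. The trusted set uses only the real names given in the thread; the distance and padding thresholds are assumptions.

```python
from urllib.parse import urlsplit

# Known-good identifiers named in the thread: the real site and the real project.
TRUSTED = {"host": {"novacoin.org"}, "sf_project": {"novacoin"}}


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_subsequence(short, long):
    """True if the characters of short appear in long in the same order."""
    it = iter(long)
    return all(ch in it for ch in short)


def identifiers(url):
    """Yield (kind, value): the SourceForge project slug, or else the host."""
    if "://" not in url:
        url = "http://" + url          # links in posts often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host == "sourceforge.net":
        seg = parts.path.strip("/").split("/")
        if len(seg) >= 2 and seg[0] == "projects":
            yield "sf_project", seg[1].lower()
    elif host:
        yield "host", host


def classify(url, max_extra=3):
    """Return 'trusted', 'lookalike' or 'unknown' for one link."""
    for kind, value in identifiers(url):
        if value in TRUSTED[kind]:
            return "trusted"
        for good in TRUSTED[kind]:
            near = edit_distance(value, good) <= 1
            padded = is_subsequence(good, value) and len(value) - len(good) <= max_extra
            if near or padded:         # one typo, or the real name with extra letters
                return "lookalike"
    return "unknown"
```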


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: b!z on August 31, 2013, 02:21:35 PM
Shit, installed novacoin-qt for nothing...

novascoin.org has the same links to sourceforge as novacoin.org, how does our system get compromised in this attack?
Links are not the same.

sourceforge.net/projects/novascoinqt/files/

vs.

sourceforge.net/projects/novacoin/files/

// Sent file to Kaspersky Lab and DrWeb.

Upload it using jotti and virustotal: it'll get detected by many AVs after a few hours.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: pedrog on August 31, 2013, 02:42:50 PM
Shit, installed novacoin-qt for nothing...

novascoin.org has the same links to sourceforge as novacoin.org, how does our system get compromised in this attack?
Links are not the same.

sourceforge.net/projects/novascoinqt/files/

vs.

sourceforge.net/projects/novacoin/files/

// I've sent file to Kaspersky Lab and DrWeb.

Please report this file here

newvirus@kaspersky.com
https://vms.drweb.com/sendvirus/?lng=en
http://www.symantec.com/security_response/submitsamples.jsp
https://analysis.avira.com/

Yes, that link is in the front page.

Linux user not affected! :)


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Balthazar on August 31, 2013, 03:01:51 PM
Linux user not affected! :)
Just because there are not so many Linux users...  ::)


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: pedrog on August 31, 2013, 03:04:30 PM
Linux user not affected! :)
Just because there are not so many Linux users...  ::)

Actually there are, they are called Android users. :)


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Balthazar on August 31, 2013, 03:57:37 PM
Linux user not affected! :)
Just because there are not so many Linux users...  ::)

Actually there are, they are called Android users. :)
They are Android users. Android != Linux (http://static.arstechnica.com/android-dev/android_not_linux.png), it's just a Dalvik VM based platform. Android could be started under any OS (MIPS/Vxworks for example), you just need to port a Dalvik VM with underlying libraries.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: zeta1 on August 31, 2013, 04:57:01 PM
Got that mail as well. Stupid scammers.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Reaper3 on August 31, 2013, 05:11:32 PM
It was the name novacoin with an S extra in the url. Beware!


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: whiskers75 on August 31, 2013, 05:24:16 PM
LOL, I got one too from Jozzaboy.
Reported to admin. Nice try, but I don't even care about Novacoin. ;)


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Balthazar on August 31, 2013, 05:36:22 PM
It seems that they are using victim accounts to send more PMs.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: jozzaboy2 on August 31, 2013, 06:21:11 PM
This is Jozzaboy. Unfortunately I've discovered my computer was infected with DarkComet RAT, a remote control software. They have successfully gained access into my account, Jozzaboy, and changed the email and password. Even attempted to get into my email without success.

If you downloaded that file, isolate the machine and scan it for all new .exe files since you downloaded it and run DarkComet RAT remover. Change any passwords you entered since the file was downloaded.

Fucking virus and people who don't have anything better to do.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: romerun on September 01, 2013, 03:44:05 AM
This NVC address is not generated from new client. Please download new client and generate another address to be qualified.

Thanks

what a scumbag.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: smscotten on September 01, 2013, 11:03:36 AM
If nothing else, it looks as though sourceforge has taken down the novascoin "project." I'm guessing that I wasn't the only one to click the "report abuse" button on that page.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: Balthazar on September 01, 2013, 12:11:37 PM
https://www.phishtank.com/
http://www.mywot.com/
http://www.google.com/safebrowsing/report_phish/

Reported this site here.


Title: Re: [BEWARE] Novacoin Phishing Site!
Post by: 2048-bit on September 14, 2013, 03:15:39 PM
I sent the EXE to ClamAV.

"If nothing else, it looks as though sourceforge has taken down the novascoin "project." I'm guessing that I wasn't the only one to click the "report abuse" button on that page."
I did, too.