Title: Beware: "mtgox" yubikey trojan/phishing email
Post by: Insti on November 19, 2011, 04:00:47 PM

I recently received an email claiming to be from mtgox (it most certainly isn't):

Quote
    From: MtGox <noreply@mtgox.com>
    Subject: Protect your Mt.Gox. account using Yubikey!

    Protect your Mt.Gox. account using Yubikey!
    We have attached your own personal Yubikey. Download and install it.
    Mt.Gox. Team

    Content-Type: application/octet-stream; name="MtGoxYubikey.exe"

I've not been crazy enough to do anything with the exe file other than delete it.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: zhoutong on November 19, 2011, 04:43:46 PM

It's alarming that Mt. Gox doesn't even have SPF set up.

If email phishing is frequent, they should use an SPF record to tell email service providers to reject all emails not from their IPs. This method is not fool-proof, but at least most emails can go to spam instead of entering the inbox.

    *.mtgox.com     CNAME  10 minutes  www.mtgox.com
    mtgox.com       A      10 minutes  72.52.5.67 (Hollywood, FL, US)
    mtgox.com       MX     10 minutes  1 aspmx.l.google.com
    mtgox.com       MX     10 minutes  5 alt1.aspmx.l.google.com
    mtgox.com       MX     10 minutes  5 alt2.aspmx.l.google.com
    mtgox.com       MX     10 minutes  10 aspmx2.googlemail.com
    mtgox.com       MX     10 minutes  10 aspmx3.googlemail.com
    mtgox.com       MX     10 minutes  10 aspmx4.googlemail.com
    mtgox.com       MX     10 minutes  10 aspmx5.googlemail.com
    mtgox.com       NS     10 minutes  ns1.xta.net
    mtgox.com       NS     10 minutes  ns2.xta.net
    mtgox.com       SOA    10 minutes  ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
    mtgox.com       SOA    0 seconds   ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
    www.mtgox.com   A      10 minutes  72.52.5.81 (Hollywood, FL, US)

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: Tuxavant on November 19, 2011, 04:49:26 PM

> It's alarming that Mt. Gox doesn't even have SPF set up.

It's reassuring that the fraudsters think the target group of these kinds of attacks is stupid enough to fall for it.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: ultramancool on November 19, 2011, 04:56:12 PM

If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.
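zhoutong's point above is that a published SPF record lets receiving mail servers decide, from the connecting IP alone, whether a message claiming to be from the domain is allowed. The following is an added illustration, not code from the thread or from Mt. Gox, of how a receiver evaluates such a record. It works against a constructed, in-memory zone: the mtgox.com A record and the aspmx.l.google.com MX host are taken from the DNS dump in the post, but the SPF strings, the _spf.google.com record, and the 198.51.100.0/24 and 203.0.113.x addresses are assumptions drawn from RFC 5737 test space, not Google's or Mt. Gox's real records. It covers the a, mx, ip4, ip6, include and all mechanisms and shows the difference between no record (the situation zhoutong describes), a strict "-all" record, and a "~all" softfail.

```python
import ipaddress

# Constructed zone data (assumption, not live DNS). The mtgox.com A record and
# the aspmx.l.google.com MX host are the ones quoted in the thread; every SPF
# string and the 198.51.100.0/24 range are stand-ins using RFC 5737 test space.
ZONE = {
    "mtgox.com": {
        # "a" and "mx" let the domain's own web host and its inbound MX send;
        # include:_spf.google.com delegates to the mail provider; -all rejects
        # everything else (a "~all" here would only ask for softfail/spam).
        "txt": "v=spf1 a mx include:_spf.google.com -all",
        "a": ["72.52.5.67"],
        "mx": ["aspmx.l.google.com"],
    },
    "aspmx.l.google.com": {"a": ["198.51.100.10"]},
    "_spf.google.com": {"txt": "v=spf1 ip4:198.51.100.0/24 ~all"},
    # A domain with no SPF record at all: the situation zhoutong describes.
    "nospf.example": {"a": ["72.52.5.67"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate the SPF record of `domain` for a connecting `sender_ip`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Subset of RFC 7208: the a, mx, ip4, ip6, include and all mechanisms.
    """
    if depth > 10:                       # RFC 7208 limits lookup recursion
        return "permerror"
    record = zone.get(domain, {}).get("txt")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ip_network() accepts a bare address (treated as /32 or /128);
            # membership is False across address families, so ip4 never
            # matches an IPv6 sender and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in zone.get(arg or domain, {}).get("a", [])
        elif mech == "mx":
            for mx_host in zone.get(arg or domain, {}).get("mx", []):
                if str(ip) in zone.get(mx_host, {}).get("a", []):
                    matched = True
        elif mech == "include":
            inner = check_spf(arg, sender_ip, zone, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("none", "permerror"):
                return "permerror"       # include of a missing record is an error
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                     # no mechanism matched, no "all" term


def policy_action(result):
    """What a receiving MTA might do with each SPF result."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "spam"
    return "deliver"                     # pass, neutral, none, permerror


if __name__ == "__main__":
    for domain, ip in [("mtgox.com", "72.52.5.67"), ("mtgox.com", "203.0.113.5"),
                       ("nospf.example", "203.0.113.5")]:
        r = check_spf(domain, ip)
        print(f"{domain:14} {ip:13} -> {r:8} ({policy_action(r)})")
```

With no record at all the receiver gets "none" and has nothing to act on, which is why every forged "noreply@mtgox.com" in this thread landed in inboxes; with the constructed "-all" record a forged message from 203.0.113.5 evaluates to "fail" and can be rejected outright, while a "~all" record would only mark it for the spam folder.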
Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: zhoutong on November 19, 2011, 04:57:36 PM

> If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

That's cool. I wanted to send it to you but I received this:

Quote
    FILE DELETED
    MtGoxYubikey.exe has been removed since it was found to match the FILE FILTER= ExchangeLabs File Filter List 1: <in> *.exe file filter.

:-( Exchange is too secure.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: wareen on November 19, 2011, 05:18:27 PM

> If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Here you go: http://www.mediafire.com/file/dbxcf58b5m8pm2c/MtGoxYubikey.rar
Password: thisisavirus
Have fun :)

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: foo on November 19, 2011, 07:44:18 PM

Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. :P
EDIT: 58, no wait, another one just arrived. 59 emails!

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: gimme_bottles on November 19, 2011, 07:54:43 PM

> If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Without knowledge of malware, I bet they steal your wallet :) Just logical, because nearly everyone using mtgox has a wallet stored on their computer. They're the perfect target.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: wareen on November 19, 2011, 10:03:14 PM

> Argh! I've now received TEN of these, and they just keep coming.

How many Mt. Gox accounts did you have? ;)

> EDIT: Thirteen now. :P
> EDIT: 58, no wait, another one just arrived. 59 emails!

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: theymos on November 19, 2011, 10:09:34 PM

> Argh! I've now received TEN of these, and they just keep coming.
> EDIT: Thirteen now. :P
> EDIT: 58, no wait, another one just arrived. 59 emails!

I'm also receiving one every ~5 minutes even though I only have one MtGox account. (Now they're being discarded automatically, of course.)

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: Matthew N. Wright on November 19, 2011, 10:11:35 PM

> > Argh! I've now received TEN of these, and they just keep coming.
> > EDIT: Thirteen now. :P
> > EDIT: 58, no wait, another one just arrived. 59 emails!
>
> I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Maybe someone's script is stuck in a loop? Script kiddies aren't even good enough to be script kiddies these days?

@foo: Are you the dude making the dehydrated strawberries?

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: JusticeForYou on November 19, 2011, 10:13:25 PM

Wasn't MtGox going to add a signed signature to his emails?

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: foo on November 19, 2011, 10:14:54 PM

> > > Argh! I've now received TEN of these, and they just keep coming.
> > > EDIT: Thirteen now. :P
> > > EDIT: 58, no wait, another one just arrived. 59 emails!
> >
> > I'm also receiving one every ~5 minutes even though I only have one MtGox account.
>
> Maybe someone's script is stuck in a loop? Script kiddies aren't even good enough to be script kiddies these days?
>
> @foo: Are you the dude making the dehydrated strawberries?

I have no idea what you are talking about.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: Matthew N. Wright on November 19, 2011, 10:18:49 PM

> > > > Argh! I've now received TEN of these, and they just keep coming.
> > > > EDIT: Thirteen now. :P
> > > > EDIT: 58, no wait, another one just arrived. 59 emails!
> > >
> > > I'm also receiving one every ~5 minutes even though I only have one MtGox account.
> >
> > Maybe someone's script is stuck in a loop? Script kiddies aren't even good enough to be script kiddies these days?
> >
> > @foo: Are you the dude making the dehydrated strawberries?
>
> I have no idea what you are talking about.

https://bitcointalk.org/index.php?topic=52331

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: foo on November 19, 2011, 10:21:27 PM

> > @foo: Are you the dude making the dehydrated strawberries?
>
> I have no idea what you are talking about.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: theymos on November 19, 2011, 10:39:23 PM

I emailed leaseweb about it already. More complaints (to abuse@leaseweb.com) wouldn't hurt, though.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: Insti on November 19, 2011, 11:06:36 PM

> I emailed leaseweb about it already. More complaints (to abuse@leaseweb.com) wouldn't hurt, though.

The messages are still coming in (to /dev/null at least). I emailed a complaint.

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: ultramancool on November 20, 2011, 02:53:17 AM

Just wanted to give everyone an update: I got a copy of the executable. It was (very strangely) a 64-bit executable, AutoIt based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing.

Judging by block explorer this person hasn't been too successful, unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64-bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.
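ultramancool's analysis above found an unpacked binary with a single hardcoded destination address, which is exactly the kind of indicator a defender wants to pull out of a sample and watch. The following is an added example, not code from the thread or from ultramancool's decompilation, of how an analyst can extract candidate Bitcoin addresses from a byte blob and confirm them with the Base58Check checksum (version byte, 20-byte hash, then the first four bytes of SHA256(SHA256(...))), which separates real addresses from strings that merely look like one. The sample blob is constructed: its valid address is the public genesis block address, and the decoy is that same address with its last character changed so that the checksum cannot match.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate P2PKH/P2SH address: starts with 1 or 3, Base58 alphabet, 26-35 chars.
CANDIDATE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def b58decode(text):
    """Decode a Base58 string to bytes (leading '1's become leading 0x00)."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)     # ValueError on non-alphabet chars
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_address(text):
    """True if `text` is a well-formed Base58Check address: one version byte,
    a 20-byte hash and a 4-byte checksum = SHA256(SHA256(version+hash))[:4]."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(blob):
    """Return the distinct checksum-valid addresses embedded in `blob`, in order."""
    found = []
    for match in CANDIDATE.findall(blob):
        cand = match.decode("ascii")
        if is_valid_address(cand) and cand not in found:
            found.append(cand)
    return found


# Constructed sample (assumption): a strings-like slice of an unpacked binary
# holding one real address (the Bitcoin genesis block address, a public
# constant) and one decoy that differs from it only in its final character,
# so its checksum cannot match.
SAMPLE_BLOB = (
    b"\x00\x00payto=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"
    b"junk=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"
    b"version=1.0\x00"
)


if __name__ == "__main__":
    for addr in extract_addresses(SAMPLE_BLOB):
        print("hardcoded address:", addr)
```

Running it over a real unpacked sample (the thread's was unpacked and AutoIt based, so its strings are in the clear) yields the payout addresses as indicators; jothan's follow-up question, whether each copy of the executable carries a different address, is answered by running the same extraction over every copy collected and comparing the lists.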
Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: jothan on November 20, 2011, 03:35:40 AM

> Just wanted to give everyone an update: I got a copy of the executable. It was (very strangely) a 64-bit executable, AutoIt based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing.
>
> Judging by block explorer this person hasn't been too successful, unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64-bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.

Is the address constant, or is a different address buried in each executable?

Title: Re: Beware: "mtgox" yubikey trojan/phishing email
Post by: BCEmporium on November 20, 2011, 01:58:55 PM

Damn spammer! This is probably the dumbest phisher I've ever come across.

Nevertheless my mobile provider must be happy: thanks to this bozo and his 1000+ resends of the same crap, my mobile data cap went down. >:(