Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Truckfarmer on December 02, 2014, 10:54:59 PM



Title: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Truckfarmer on December 02, 2014, 10:54:59 PM
Hello

I recently received a (relatively) sophisticated phishing attack via email. The payload seems to be a java root kit.

The email sender was labelled "Bitcoin.org", but the actual email was "no-replay@bitcoin.com". The subject read "The transaction has completed successfully."

Flag #1 - I have not made any Bitcoin transactions for over a week.

Flag #2 - "no-replay"

Flag #3 - Recently made email in question public on bitcointalk.org.

Flag #4 - Payload file name included last four digits of my SSN.

The message contents were as follows:

Online Payment Details https://www.bitcoin.org/Ref-XXXXXXXXXXXX (linked to http://[Suspicious link removed]/Bitcoin-transactionSSSS)

SSSS represents the last four digits of my SSN. This part concerns me the most, although linking this email (my main public email) to the last digits of my SSN wouldn't be too difficult.

The transaction has completed successfully. The order number, for your customers reference is:Ref-XXXXXXXXXXXX-XXXXX.

Additional Payload info:


File: Bitcoin_transactionSSSS.jar

File type: Java JAR (226 Kb)

From: http://www.thedumps.ru
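The four flags in the post above, checked mechanically. This is an added example, not part of the original post: it parses a constructed sample message (the attacker host is a placeholder, not the one from the thread) and reports the display-name/sender-domain mismatch, the "no-replay" look-alike, and a link whose visible text names bitcoin.org while the href points somewhere else.

```python
"""Flag the mismatches described in the post on a constructed sample message:
display name vs. sender domain, a look-alike local part, and anchor text that
names one host while the href points at another (or at a .jar)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (assumption): attacker.invalid stands in for the real host.
SAMPLE_EML = b"""From: "Bitcoin.org" <no-replay@bitcoin.com>
To: victim@example.net
Subject: The transaction has completed successfully.
Content-Type: text/html; charset=utf-8

<p>Online Payment Details
<a href="http://attacker.invalid/Bitcoin-transaction1234">https://www.bitcoin.org/Ref-XXXXXXXXXXXX</a></p>
<p>The transaction has completed successfully.</p>
"""

# Local parts one edit away from the legitimate "no-reply" (assumption: hand-picked list).
LOOKALIKE_LOCALPARTS = {"no-replay", "noreplay", "no-repiy"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' comparison; a real deployment would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyse(raw):
    """Return a list of human-readable flags for the raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    sender = msg["From"].addresses[0]          # policy.default gives structured headers
    display, local, domain = sender.display_name, sender.username, sender.domain
    # Flag: display name looks like a domain name but is not the sender's domain.
    if re.fullmatch(r"[\w.-]+\.\w+", display) and registrable(display) != registrable(domain):
        flags.append(f"display name {display!r} differs from sender domain {domain!r}")
    if local.lower() in LOOKALIKE_LOCALPARTS:
        flags.append(f"look-alike local part {local!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            text_host = urlparse(text).hostname if "://" in text else None
            href_host = urlparse(href).hostname
            if text_host and registrable(text_host) != registrable(href_host):
                flags.append(f"link text names {text_host} but href goes to {href_host}")
            if href.lower().endswith(".jar"):
                flags.append(f"link to a .jar download: {href}")
    return flags


if __name__ == "__main__":
    for flag in analyse(SAMPLE_EML):
        print("FLAG:", flag)
```

The sender-domain check is deliberately loose (two labels, no public suffix list) so that a display name of "Bitcoin.org" over an address at bitcoin.com is caught; the link check compares the host the recipient sees against the host the browser would actually fetch, which is the part of this message that delivered the JAR.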


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: hexafraction on December 02, 2014, 11:19:31 PM
Definitely looks like malware, possibly coin-stealing. I'm interested to see if anyone with a spare offline machine they're willing to get "dirty" would have any luck decompiling this with a Java decompiler. I've never seen Java that can actually act as a full-system rootkit, at least without JNI.

Hello

I recently received a (relatively) sophisticated phishing attack via email. The payload seems to be a java root kit.

The email sender was labelled "Bitcoin.org", but the actual email was "no-replay@bitcoin.com". The subject read "The transaction has completed successfully."

Flag #1 - I have not made any Bitcoin transactions for over a week.

Flag #2 - "no-replay"

Flag #3 - Recently made email in question public on bitcointalk.org.

Flag #4 - Payload file name included last four digits of my SSN.

The message contents were as follows:

Online Payment Details https://www.bitcoin.org/Ref-XXXXXXXXXXXX (linked to http://[Suspicious link removed]/Bitcoin-transactionSSSS)

SSSS represents the last four digits of my SSN. This part concerns me the most, although linking this email (my main public email) to the last digits of my SSN wouldn't be too difficult.

The transaction has completed successfully. The order number, for your customers reference is:Ref-XXXXXXXXXXXX-XXXXX.

Additional Payload info:


File: Bitcoin_transactionSSSS.jar

File type: Java JAR (226 Kb)

From: http://www.thedumps.ru



Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: blockgenesis on December 03, 2014, 12:44:07 AM
In order to prevent such phishing scams from @bitcoin.com, blockchain.info would have to set clear DMARC, DKIM and SPF policies on their DNS:

https://dmarcian.com/dmarc-inspector/bitcoin.com
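What those three records buy a receiver, as an added illustration that is not part of blockgenesis's post (the records below are constructed for the example, not bitcoin.com's real DNS): a receiver that enforces DMARC rejects a message failing both SPF and DKIM when the domain publishes p=reject, and delivers the same message when no DMARC record exists. The evaluation handles only ip4/ip6 SPF mechanisms, does no DNS lookups, and assumes the SPF-checked envelope domain is aligned with the header From domain.

```python
"""Receiver-side DMARC verdict for a message with no DKIM signature, sent from an
IP the domain's SPF record does not authorise. Records are constructed
(assumption: not bitcoin.com's actual DNS)."""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (mechanisms, default_qualifier) from a v=spf1 TXT record, or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechs, default = [], "?"            # a record with no "all" term behaves like "?all"
    for term in terms[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            default = qual
        else:
            mechs.append((qual, name.lower(), arg))
    return mechs, default


def spf_result(record, sending_ip):
    """Evaluate ip4/ip6 mechanisms only; include/a/mx would need DNS and are skipped."""
    parsed = parse_spf(record)
    if parsed is None:
        return "none"
    mechs, default = parsed
    ip = ipaddress.ip_address(sending_ip)
    for qual, name, arg in mechs:
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qual]
    return QUALIFIER_RESULT[default]


def parse_dmarc(record):
    """Return the tag dict of a v=DMARC1 TXT record, or None if absent/invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_verdict(dmarc_record, spf_record, sending_ip, dkim_aligned_pass=False):
    """What a DMARC-enforcing receiver does with the message (SPF assumed aligned)."""
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        return "no DMARC policy: message accepted regardless of SPF/DKIM"
    if dkim_aligned_pass or spf_result(spf_record, sending_ip) == "pass":
        return "DMARC pass: accepted"
    policy = tags.get("p", "none").lower()
    return {"reject": "DMARC fail, p=reject: rejected",
            "quarantine": "DMARC fail, p=quarantine: quarantined",
            "none": "DMARC fail, p=none: delivered (report only)"}.get(policy, "unknown policy")


# Constructed records (assumption). 198.51.100.0/24 plays the legitimate mail relay.
WEAK_SPF = "v=spf1 ip4:198.51.100.0/24 ?all"
WEAK_DMARC = ""                               # nothing published
STRONG_SPF = "v=spf1 ip4:198.51.100.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
SPOOFER_IP = "203.0.113.7"                    # authorised by neither record


def compare():
    """Spoofed mail under weak records, spoofed mail under strong records, legitimate mail."""
    return (dmarc_verdict(WEAK_DMARC, WEAK_SPF, SPOOFER_IP),
            dmarc_verdict(STRONG_DMARC, STRONG_SPF, SPOOFER_IP),
            dmarc_verdict(STRONG_DMARC, STRONG_SPF, "198.51.100.25"))


if __name__ == "__main__":
    for line in compare():
        print(line)
```

SPF and DKIM on their own only produce results; nothing forces a receiver to act on them. The DMARC record is what tells receivers to reject or quarantine, and its `rua=` address is how the domain owner finds out that mail like this is being sent in its name.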


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Truckfarmer on December 03, 2014, 12:51:20 AM
Who can I contact about this?


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: blockgenesis on December 03, 2014, 12:56:42 AM
Who can I contact about this?

Try contacting blockchain.info (I dunno what's the best way, I just tried sending them a msg on reddit).


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Remember remember the 5th of November on December 03, 2014, 01:05:19 AM
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: hexafraction on December 03, 2014, 01:26:49 AM
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?

Once you are done analyzing, would you mind posting your findings here?


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Remember remember the 5th of November on December 03, 2014, 01:34:17 AM
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?

Once you are done analyzing, would you mind posting your findings here?
It depends on whether OP has deleted this phishing email (which I presume he has) and whether the bytecode class files in the .jar are obfuscated.
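A first pass at the kind of offline look hexafraction and Remember remember the 5th of November are describing, without executing anything. This is an added example; the JAR is built inline for the demonstration and is not the sample from the thread. It hashes the file, lists entries and the manifest Main-Class, walks each class file's constant pool for API references a "transaction receipt" has no business making, and counts one- or two-letter class names, which is what a ProGuard-style obfuscator leaves behind.

```python
"""Static triage of a JAR: SHA-256, entry inventory, Main-Class, constant-pool
string indicators, and a crude obfuscation heuristic. The JAR is constructed
here (assumption), not the sample from the thread."""
import hashlib
import io
import re
import struct
import zipfile

# JVM internal names that a small "receipt" JAR should not need (assumption: hand-picked).
INDICATORS = [
    b"java/lang/Runtime", b"java/lang/ProcessBuilder", b"java/net/Socket",
    b"java/lang/reflect/Method", b"javax/crypto/Cipher",
    b"java/util/zip/GZIPInputStream", b"java/lang/ClassLoader",
]


def class_strings(data):
    """Walk the constant pool of a class file and return its CONSTANT_Utf8 entries."""
    if data[:4] != b"\xca\xfe\xba\xbe" or len(data) < 10:
        return []
    count = struct.unpack(">H", data[8:10])[0]
    pos, i, out = 10, 1, []
    while i < count and pos < len(data):
        tag = data[pos]
        if tag == 1:                                # Utf8: u2 length + bytes
            length = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            out.append(data[pos + 3:pos + 3 + length])
            pos += 3 + length
        elif tag in (7, 8, 16, 19, 20):             # Class, String, MethodType, Module, Package
            pos += 3
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):  # Integer, Float, *ref, NameAndType, *Dynamic
            pos += 5
        elif tag in (5, 6):                         # Long, Double occupy two pool slots
            pos += 9
            i += 1
        elif tag == 15:                             # MethodHandle
            pos += 4
        else:
            break                                   # malformed or deliberately broken pool
        i += 1
    return out


def make_fake_class(strings):
    """Constructed class-file stub: valid magic/version and a Utf8-only constant pool."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s for s in strings)
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(strings) + 1) + pool


def build_sample_jar():
    """Constructed sample JAR (assumption): one readable class, one obfuscator-style name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: a.b.Main\r\n\r\n")
        z.writestr("a/b/Main.class", make_fake_class(
            [b"a/b/Main", b"java/lang/Runtime", b"exec", b"java/lang/ProcessBuilder", b"main"]))
        z.writestr("a/b/c.class", make_fake_class(
            [b"a/b/c", b"java/net/Socket", b"javax/crypto/Cipher"]))
        z.writestr("resources/config.bin", b"\x00" * 64)
    return buf.getvalue()


def triage(jar_bytes):
    """Inventory the JAR without loading any class."""
    report = {"sha256": hashlib.sha256(jar_bytes).hexdigest(),
              "entries": [], "main_class": None, "hits": {}, "short_named_classes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            report["entries"].append((info.filename, info.file_size))
            data = z.read(info)
            if info.filename == "META-INF/MANIFEST.MF":
                m = re.search(rb"^Main-Class:\s*(\S+)", data, re.M)
                report["main_class"] = m.group(1).decode() if m else None
            elif info.filename.endswith(".class"):
                found = sorted({s.decode() for s in class_strings(data) if s in INDICATORS})
                if found:
                    report["hits"][info.filename] = found
                if len(info.filename.rsplit("/", 1)[-1]) <= len("xx.class"):
                    report["short_named_classes"].append(info.filename)
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample_jar()).items():
        print(f"{key}: {value}")
```

The SHA-256 hex digest is the value to search on VirusTotal rather than uploading the sample. Constant-pool strings survive most renaming obfuscators because the JVM still has to resolve `java/lang/Runtime` by name; what obfuscation hides is the program's own class and method names, hence the short-name count. Run this on an isolated machine anyway: `zipfile` never executes anything, but the sample should not sit on a workstation with wallets on it.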


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: blockgenesis on December 03, 2014, 02:12:47 AM
Note: Just got a reply from Mandrik @blockchain.info - so I guess they're aware of it now. Hopefully this will get fixed and spammers won't be able to send from this domain at the very least.


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: segvec on December 03, 2014, 02:27:13 AM
Very interesting.
Going to look into this as it is quite a problem if indeed what I think it is...


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Truckfarmer on December 03, 2014, 04:27:09 AM
Just seeing this now...sorry guys...don't have a sandbox on the station I'm on...


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Magicman420 on December 03, 2014, 04:32:31 AM
I hate hackers / scammers.. I wish we could stop them all TOGETHER


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Truckfarmer on December 03, 2014, 04:44:39 AM
*scammer-hackers

some of us "hackers" are the good guys  ;)


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Magicman420 on December 03, 2014, 05:13:19 AM
*scammer-hackers

some of us "hackers" are the good guys  ;)

True I guess you have a point ;)


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: John (John K.) on December 03, 2014, 02:08:29 PM
Seems to be an Adwind RAT.

https://www.virustotal.com/en/file/57cbdf0c996267be521d4442f02f8cfd57bf1ef8dbed0850faf59a3f35bcd1a0/analysis/1417615620/


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: botany on December 04, 2014, 12:54:47 AM
Flag #4 - Payload file name included last four digits of my SSN.

This is what scares me. Phishing mails are no longer mass mailed in the hope that at least one in a million falls for it. They seem to be targeting specific individuals. We really have to be on our toes.


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: Ron~Popeil on December 04, 2014, 05:13:59 AM
I get e-mails all the time saying someone sent 8 btc to my wallet and asking me to download a file with the transaction attached. I of course delete the attachment and the e-mail. Occasionally I launch a profanity laced reply but only when the mood hits me.


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: CrackedLogic on December 04, 2014, 02:00:12 PM
sad to see such a domain being abused.


Title: Re: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here
Post by: AleCrypt0 on December 04, 2014, 10:42:16 PM
sad to see such a domain being abused.

agree