Bitcoin Forum

Hello

I recently received a (relatively) sophisticated phishing attack via email. The payload seems to be a java root kit.

The email sender was labelled "Bitcoin.org", but the actual email was "no-replay@bitcoin.com". The subject read "The transaction has completed successfully."

Flag #1 - I have not made any Bitcoin transactions for over a week.

Flag #2 - "no-replay"

Flag #3 - Recently made email in question public on bitcointalk.org.

Flag #4 - Payload file name included last four digits of my SSN.

The message contents were as follows:

Online Payment Details https://www.bitcoin.org/Ref-XXXXXXXXXXXX (linked to http://[Suspicious link removed]/Bitcoin-transactionSSSS)

SSSS represents the last four digits of my SSN. This part concerns me the most, although linking of this email (my main public email) to my the last digits of SSN wouldn't be too difficult.

The transaction has completed successfully. The order number, for your customers reference is:Ref-XXXXXXXXXXXX-XXXXX.

Additional Payload info:

File: Bitcoin_transactionSSSS.jar

File type: Java JAR (226 Kb)

From: http://www.thedumps.ru

Definitely looks like malware, possibly coin-stealing. I'm interested to see if anyone with a spare offline machine they're willing to get "dirty" would have any luck decompiling this with a Java decompiler. I've never seen Java that can actually act as a full-system rootkit, at least without JNI.

In order to prevent such phishing scam from @bitcoin.com, blockchain.info would have to set clear DMARC, DKIM and SPF policies on their DNS:

https://dmarcian.com/dmarc-inspector/bitcoin.com

Who can I contact about this?

Try contacting blockchain.info (I dunno what's the best way, I just tried sending them a msg on reddit).

Can you privately send me a link to this java malware for me to analyze?

Once you are done analyzing, would you mind posting your findings here?

It depends on if OP has not deleted this phishing email(which I presume he has) and whether the bytecode class files in the .jar are obfuscated.

Note: Just got a reply from Mandrik @blockchain.info - so I guess they're aware of it now. Hopefully this will get fixed and spammers won't be able to send from this domain at the very least.

Very interesting.
Going to look into this as it is quite a problem if indeed what I think it is...

Just seeing this now...sorry guys...don't have a sandbox on the station I'm on...

I hate hackers / scammers.. I wish we could stop them all TOGETHER

*scammer-hackers

some of us "hackers" are the good guys  ;)

True I guess you have a point ;)

Seems to be an Adwind RAT.

https://www.virustotal.com/en/file/57cbdf0c996267be521d4442f02f8cfd57bf1ef8dbed0850faf59a3f35bcd1a0/analysis/1417615620/

This is what scares me. Phishing mails are no longer mass mailed in the hope that at least one in a million falls for it. They seem to be targeting specific individuals. We really have to be on our toes.

I get e-mails all the time saying someone sent 8 btc to my wallet and asking me to download a file with the transaction attached. I of course delete the attachment and the e-mail. Occasionally I launch a profanity laced reply but only when the mood hits me.

sad to see such a domain being abused.

agree