Bitcoin Forum

MOVED THREAD, could someone please sticky this for newbies and anyone else to be aware of?

Please post any phishing scams that you have seen related to bitcoin. I first started this thread to notify people of a blockchain.info phishing attempt, and the original post is below, and after other people started posting other phishing emails I decided to move it to beginners and help to help others to not fall victim to these scams. Always be careful, general tips are to check the original email sender, and whenever you click a link, check the URL at the top. Usually people say to check if there is a green lock, but I hate this rule. Anyone can buy a green lock for about 2$, so you have to click on the green look and make sure it is the website you are looking for.

ORIGINAL POST:

Today I received an email from "blockchain" saying my wallet will be locked, and I need to verify my account to unlock it. The email looks very similar to an email from blockchain.info, but I had NEVER got an email from blockchain like this so I instantly knew it wasn't from blockchain. I checked who its from, and the email was sent from: contact@blackchain.fo
I think theres a bot crawling these forums for email addresses.
This is what the email looks like:
https://i.imgur.com/A1r7pUH.png
If you click on the link, you are directed to a website that looks exactly like the blockchain.info wallet sign in page, but the URL is a lot different, and is easily noticeable. The URL was: http://www.blockchain.0800co.co.uk/en/wallet/login/62608fc635ceb5435bc2f7d51445ec89c8ba72da9a64bce2b398170e907a841200a28aee6c5e25d388a01a4c04c91f31/login.php?page=Login?token=7777772e626c6f636b636861696e2e30383030636f2e636f2e756bb9ef8a71b399cfafd89524da6fb5524f
Don't click on it please, and be VERY careful with emails from blockchain.info. I would reccomend adding contact@blackchain.fo to a blacklist or a spam list if your email provider has something like that.

Thanks for posting
A needed reminder that a single moment of inattention can cost us all dear!

No problem. I'll post again if I get another phishing attempt on my email. I also had one from  cavirtex.com, but that was a long time ago.

In the past week I've gotten identical "Invoice Payment Confirmation" emails from "Cloudhashing" and "Cointerra".

No text in the email -- just an attachment with a file called "invoice_772.jar"

Seems a phishing attempt too.

Same here, just received.
http://www.blockchain.0800co.co.uk/
ima gonna report dat site.

Wouldn't it be easy for someone to figure out who owned that url and charge him with conspiracy to hacking and stealing?

thanks for the information mate. :)

yes i received mail from blockchain.IMFO
not .INFO

damn almost got scam because of that ...info / imfo

Anyone into their senses and not drunk can notice the .co.uk

We can't even click on Home button :D

Someone get the registrar and report this. This should be stopped, many people will lose btc.

ALSO we very wary of blockchain.imfo... They started not long ago too...

Really ? blockchain.info is scam ? or blockchain.imfo ??
I need to careful about it .

I also got this,  I posted a thread about it in the trading discussion board.

I always double triple quadruple check. Paranoia crew.

Easy way to prevent phishing attacks like this is to hide your email address on your bitcointalk.org profile guy's

I too received fake invoice .JAR files from those two companies, but im a customer of both of those companies.  Are you ALSO a customer of those companies as well?  Or are they just random 'bitcoin related' companies being used to spoof the emails to try and get you to click the .jar files.

its annoying that my antivirus didnt pickup a threat in the .JAR file when there clearly is.  No doubt its something to assist in extracting bitcoins or private keys or something.

These people are cold as ice to scam in the name of such a backbone bitcoin website.

This is really much too common. You should always use common sense when clicking on links, regardless if you are involved in bitcoin or not.

Also guys a tip for the future, always be careful of the capital I in emails and links, it looks the exact same as a lowercase L and is almost impossible to spot if you don't check it.

I've reported to the registrar(123-reg.co.uk) but they refer me to the actual host, that is webfusion.com. Now I'm still waiting for reply. Feel free to spam them at abuse@webfusion.com :P

(I'm posting about the invoice jars in this thread because it's the only thread on bitcointalk that mentions it)

It's not just cloudhashing.com, it seems as though somebody got into the mailing servers (or at least spoofed them, but it looks legit) of various large/largish bitcoin websites, i got one from btc-e.

I got an email from both btc-e.com and cloudhashing.com with this invoice_772.jar

Actually, cloudhashing.com was invoice_773.jar

BTC-E:
http://u.cubeupload.com/Period/20140821131856.png
http://u.cubeupload.com/Period/20140821131911.png

Cloudhashing:
http://u.cubeupload.com/Period/20140821131946.png
http://u.cubeupload.com/Period/20140821132002.png

If somebody would like me to upload these jars somewhere so you can take a look at them, PM me and I'll send you a link.

Guys do you want to make an official phishing topic, to notify others? I can move this (I don't know what is a good subcategory for this).

I think this thread should go to Beginners & Help section since there too many newbies unaware (or even dont know) about this stuff.

Allright I think I will move it there and rename it something like "active phishing attempts" or something.

blockchain.info is the legit one.
You should bookmark the site, and never use a seemingly correct link you find in email to log in your account.

That is a good idea.
For those interested, you can also check https://blog.blockchain.com/security-alerts/ to find some more historical examples of phishing attempts. :)

Not that easy if the server is hosted abroad. It is hard make some countries cooperate with your justice.


Plus I guess the url was registered using fake data

hey guys, yesterday i clicked that jar file ( yes I am an Idiot). Good thing I have last line of defenses (2-Factor Authentication, encryption) on every coins related programs and websites. I deleted the file right away, but I am still worried something hidden program is still there on my pc. could you guys please help me how to scan and remove it? i ran anti-virus programs like malware bytes and AVG and they showed that file is "clean".  I am confused now. please help.

the best is that you run as well some registry cleaner to be sure !

Always keep an antivirus (I use avg) on a PC holding or transferring bitcoins. If you lose your bitcoins, your loss, whereas with a bank they usually refund any fraudulent transactions. ESPECIALLY if you are actually holding the bitcoin wallet on your harddrive, like bitcoin-qt. Never open any suspicious emails, and use common sense.

got that too funny stuff

I am paranoid, and I suggest you to format the hard disk after backing up the important files.

For anti-virus programs, they can't catch 100% of the malware.
But still it is good to have a good anti-virus program as they can probably catch 90% of the malware.

Thank you for posting this. We can all have those moments were we lose concentration for a few seconds and can accidentally click on something not realising but seeing posts like this is a stark reminder of just how bad things can be if we did and what do look out for.

Set a second password on your blockchain wallet. If a hacker gets your credentials they need this second password t actually get any money out.

I also got a Coindesk phishing attempt (http://99bitcoins.com/almost-got-scammed-alleged-coindesk/) and later on a CryptoCoinsNews phishing attempt (http://www.cryptocoinsnews.com/news/phishing-website-attempts-impersonate-cryptocoinsnews/2014/08/14).

Thanks for the info. The more the better, we gave to spread the word of all these scams.

i already got an email from blockchain after i open the link its look phising website

and i close that link :D

You should be fine. I don't think its possible for a website to directly infect you without downloading anything. Even if it looks like a phishing website I still open it so that I know how it looks. 

yeah i still open for 5 minutes to see how it looks :D
and the i close that link and delete the email from my email :D

haha me too, sometimes we want to know how the phising looks like  ;D
there are many types of phishing that used by the bad guys  :-\

Phishing is the problem that cannot be controlled.It's the huge threat for many people around the internet every now and then.And also many people doesn't know about it or by ignorance they become a victim of it and loose money.

The "From" header in an email is not authenticated in anyway.

These emails are being sent from compromised servers through the smtp.com email service.

Please forward the phishing email to abuse@smtp.com

The .jar file contains a packed (ie disguised) trojan.

Whoever is doing this is rapidly modifying their technique and constantly changing the packing format.

It takes about 2 weeks for major AV products to update their signatures each time the attacker updates it, which unfortunately makes them basically useless.

tl;dr dont execute email attachments ending in .jar antivirus cant help you with this one!

It is probably best to delete the email to avoid accidentally clicking on the click when you are less vigilant.

I personally always will manually type in "blockchain.info" into my browser but sometimes it will forget my identifier, so I go to my email, get a recent backup of my wallet and click on the link, if you have a random pishing link in your email you man accidentally click on it and actually enter your passwrod

Get a wallet prefix, I got one. You don't have to keep any identifier anywhere, you just go to blockchain.info/wallet/mywalletname and it will fill in the identifier for you if the computer is trusted, if not it sends an email to confirm the computer and you can either click on the link in the email, or reopen the site for security. I personally use it.

What if you don't have an email associated with your wallet? Will it let anyone who knows your prefix attempt to access your wallet? How does it know your computer is "trusted"

I saw people complaining about a phishing attempt on users on this forum too.

The person PM you, saying he has bad new or something, and post a link, that looks like a bitcointalk.org address, and if you click on that link, it prompts you to login. When you type in your username and password, your account is hacked.  >:(

Luckily, nobody wants a newbie account, like mine. ^smile^

Yup, you need to be careful with all the links in posts, PMs, or emails.
Double check if the hyperlink is leading to the right site before clicking it, and be extra careful with redirecting links.

I`ve been hacked with Phishing method on btc-e.com

Other than being careful with all the links, you should enable 2FA on every sites in which the feature is available (eg. Coinbase, Bitstamp, btc-e, blockchain.info, etc) as a second protection to your bitcoin.

blockchain.info has it by default I think. On new computers, or if it has been a while I have to check my email to re verify my wallet.

Wouldn't it be easy for someone to figure out who owned that url
and charge him with conspiracy to hacking and stealing?