Topic: BEWARE hackers sending email from mtgox account itself to hack your account
dishwara (OP)
June 28, 2011, 06:01:14 PM
 #1

IF YOU RECEIVE EMAILS FROM info@mtgox.com, be sure to check out its full form.
In Gmail, you will only see the name in GREEN with hide details.
Until you click show details, you can't see the email address.

2 days ago, I got an email from mtgox that someone wants to reset my password.
I clicked the link, but did nothing.
Then I replied to mtgox that I didn't ask for a password reset & also that the request came from an IP address which in no way has a connection with me.

I got a reply from the mail delivery subsystem, which MUST NOT happen.
Because the mail delivery subsystem replies ONLY if the receiver's email is not valid.
The mtgox email address is valid.

I looked at the email header using show details & found this address: *info@mtgox.com* <Mt.Gox@w001.mo.us.xta.net>

I also sent this email to info@mtgox.com, which is the real email of mtgox, & they registered the complaint & gave me a ticket.

SO IF YOU RECEIVE EMAIL FROM MTGOX OR ANY OTHER EXCHANGE OR SITE WHICH DEALS WITH MONEY, DO MORE THAN DOUBLE CHECK, CONFIRM THAT IT IS FROM THE GENUINE SITE BEFORE REPLYING.

Screenshot with hide & show details.






This is the email conversation



Forwarded conversation
Subject: [Mt.Gox] Password recovery
------------------------

From: *info@mtgox.com* <Mt.Gox@w001.mo.us.xta.net>
Date: Mon, Jun 27, 2011 at 7:33 AM
To: dishwara <dishwara@gmail.com>

Dear dishwara,

On Mon 27 Jun 2011 11:03:40 AM JST your asked for a password recovery.

If you didn't make this request yourself, you can inform us by replying to
this email. If you did, you can use the link below to have your password
reset.

Your login: xxxxxxxx

The password reset key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

https://claim.mtgox.com/forgot_login?login=xxxxxxxxx&password_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Best regards,
Mt.Gox team
info@mtgox.com

The request was made from:
IP: 188.165.193.7
Browser: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)

----------
From: *dishwara* <dishwara@gmail.com>
Date: Mon, Jun 27, 2011 at 12:17 PM
To: "info@mtgox.com" <Mt.Gox@w001.mo.us.xta.net>

Hi,

I confirm that I DID NOT REQUEST password reset.
The IP address IP: 188.165.193.7 is 100% fucking hacker/cracker IP.
Please block that IP.

Thank you for informing me & also asked to reply me confirming i didn't try
to reset password.
dishwara

----------
From: *Mail Delivery Subsystem* <mailer-daemon@googlemail.com>
Date: Tue, Jun 28, 2011 at 2:04 PM
To: dishwara@gmail.com

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:
Message will be retried for 2 more day(s)

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at
http://mail.google.com/support/bin/answer.py?answer=7720
[w001.mo.us.xta.net (1): Connection refused]

----- Original message -----

MIME-Version: 1.0
Received: by 10.205.35.1 with SMTP id su1mr4005398bkb.129.1309157251194;
Sun,
26 Jun 2011 23:47:31 -0700 (PDT)
Received: by 10.204.78.78 with HTTP; Sun, 26 Jun 2011 23:47:31 -0700 (PDT)
In-Reply-To: <20110627020340.C13A6436191@w001.mo.us.xta.net>
References: <20110627020340.C13A6436191@w001.mo.us.xta.net>
Date: Mon, 27 Jun 2011 12:17:31 +0530
Message-ID: <BANLkTi=3791_C5VVJ1gd-BRaPHA1XM0eEA@mail.gmail.com>
Subject: Re: [Mt.Gox] Password recovery
From: dishwara <dishwara@gmail.com>
To: "info@mtgox.com" <Mt.Gox@w001.mo.us.xta.net>
Content-Type: multipart/alternative; boundary=bcaec52c64dfe9a0bf04a6abec17
nhodges
June 28, 2011, 06:45:41 PM
 #2

I think that's a real email, that's just a hostmask for a generic server, it looks like their mail functions aren't configured properly ... that link goes to the real/valid claim address. Someone's just trying to recover your account.

dishwara (OP)
June 28, 2011, 08:12:37 PM
 #3

Quote from: nhodges
I think that's a real email, that's just a hostmask for a generic server, it looks like their mail functions aren't configured properly ... that link goes to the real/valid claim address. Someone's just trying to recover your account.

Are you saying "Mt.Gox@w001.mo.us.xta.net" is a genuine address & it belongs to mtgox?
nhodges
June 28, 2011, 08:56:18 PM
 #4

Quote from: nhodges
I think that's a real email, that's just a hostmask for a generic server, it looks like their mail functions aren't configured properly ... that link goes to the real/valid claim address. Someone's just trying to recover your account.

Quote from: dishwara
Are you saying "Mt.Gox@w001.mo.us.xta.net" is a genuine address & it belongs to mtgox?

servername@ip-##-###-##-###.ip.secureserver.net is what my mail server sends as if I do not properly configure mail headers in my code.

http://www.who.is/nameserver/ns1.xta.net/

Several legitimate Bitcoin websites use nameservers @ XTA.NET, namely bitcoincharts.com, which I believe is on the same servers as Mt. Gox. Due to the known poor coding we've seen @ Mt. Gox the past several weeks, I wouldn't put it past them to not properly configure mail headers.

I'm not saying this email is FOR SURE a real forgotten password EMAIL, I'm just saying it's DEFINITELY going to the correct "forgotten password" LINK.

All I'm saying is do your homework before you subject yourself and the masses to a culture of fear.

[ Edit: I pulled up their original email that they sent out informing users about their security breach, the email headers state the originating address to be the same one you posted, check it out: http://pastebin.com/PWdCpmbG ]
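
Added example (not part of any post in this thread): a Python sketch of the two checks argued over above, comparing the address shown in the From display name with the real sender address, and checking that every link stays under the expected domain. The function names are assumptions made for illustration, and the sample message is constructed from the headers quoted in the first post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, built from the headers quoted in post #1 (keys redacted as on the page).
SAMPLE = '''From: "info@mtgox.com" <Mt.Gox@w001.mo.us.xta.net>
To: dishwara <dishwara@gmail.com>
Subject: [Mt.Gox] Password recovery

https://claim.mtgox.com/forgot_login?login=xxxxxxxx&password_key=xxxxxxxx
'''

def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower().rstrip(".")

def under(host, org_domain):
    """True only for org_domain itself or a real subdomain (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)

def inspect(raw, org_domain):
    """Flag From-header and link anomalies relative to the domain the mail claims to be from."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    # What Gmail's collapsed view shows is the display name; it may itself look like an address.
    shown = re.search(r"[\w.+-]+@[\w.-]+\.\w+", display)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display-name-address-mismatch")
    if not under(domain_of(addr), org_domain):
        findings.append("from-domain-not-expected")
    # Links are judged by parsed hostname, not by whether the text contains the brand name.
    for url in re.findall(r'https?://[^\s<>"]+', msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if not under(host, org_domain):
            findings.append("link-off-domain:" + host)
    return {"display": display, "address": addr, "findings": findings}

if __name__ == "__main__":
    print(inspect(SAMPLE, "mtgox.com"))
```

On the sample this reports both From-header findings and no link finding, which is the situation the two posters disagree about: the findings mark a message for closer inspection and do not by themselves prove forgery. The From header is chosen by the sender, so the receiving server's SPF/DKIM verdict is the stronger signal where it is available.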

dishwara (OP)
June 28, 2011, 09:05:22 PM
 #5

Quote from: nhodges
All I'm saying is do your homework before you subject yourself and the masses to a culture of fear.
[ Edit: I pulled up their original email that they sent out informing users about their security breach, the email headers state the originating address to be the same one you posted, check it out: http://pastebin.com/PWdCpmbG ]

DON'T say I am causing fear.
It's not my fault for mtgox coding poorly & creating fear.
Due to their poor coding one security breach took down the site for almost a week.
Mtgox CREATES fear by poor coding, not me.
nhodges
June 28, 2011, 09:18:48 PM
 #6

Quote from: nhodges
All I'm saying is do your homework before you subject yourself and the masses to a culture of fear.
[ Edit: I pulled up their original email that they sent out informing users about their security breach, the email headers state the originating address to be the same one you posted, check it out: http://pastebin.com/PWdCpmbG ]

Quote from: dishwara
DON'T say I am causing fear.
It's not my fault for mtgox coding poorly & creating fear.
Due to their poor coding one security breach took down the site for almost a week.
Mtgox CREATES fear by poor coding, not me.

I'm not saying you're creating fear, I'm saying you're propagating a culture of fear by not doing proper fact-checking and running around like a chicken with its head cut off. :] No worries, you don't have to get offended, it seems we've established the truth here.

dishwara (OP)
June 29, 2011, 08:34:55 PM
 #7

I really don't know what to say.
While you "nhodges" tried to explain it is genuine only, mtgox sent a reply to my ticket which is complete BS.
Though I didn't receive any attachments with my email from mtHOX, mtHOX still replied telling me not to open the rar file.

I am really confused now & searched for the rar file for 30 minutes & came to the conclusion that mtgox is getting worse than DISHWARA.


Code:

[Mt.Gox Support Desk] Re: Mtgox account HACKING emails from mtgox itself. (ticket #5521)
Inbox
X
Reply
from zendesk@mtgox.com
sender-time Sent at 7:32 AM (UTC). Current time there: 8:26 PM. ✆
reply-to "Mt.Gox Support Desk" <info@mtgox.com>
to dishwara <dishwara@gmail.com>
date Wed, Jun 29, 2011 at 7:32 AM
subject [Mt.Gox Support Desk] Re: Mtgox account HACKING emails from mtgox itself. (ticket #5521)
hide details 7:32 AM (18 hours ago)
## Please do not write below this line ##
Ticket #5521: Mtgox account HACKING emails from mtgox itself.
Your request (#5521) has been deemed solved.

To review, comment and reopen the request, follow the link below:
http://support.mtgox.com/tickets/5521


charlie, Jun-29 11:02 (JST):
Hello,

The email you forwarded was not sent by the Mt.Gox team. We see that a .rar file was sent with the email. Did you open it? If you not have not opened it, please *do not* open the file. The .exe inside the file likely has a virus/trojan/keylogger that was made to steal your personal information.

If you have already clicked it, please disconnect your computer from the internet immediately and take your computer to someone who has experience removing computer viruses.

Thanks,

MtGox.com Team


dishwara, Jun-28 21:06 (JST):
Hi,

I got email from mtgox, you 2 days ago, that some one is trying to reset my
password.
I thought it is from mtgox as it says "info@mtgox.com" in GREEN letter in
gmail.
I replied to that mail that i didn't ask to reset & block the ip address.
You can find everything below.
Now today i got email from mail delivery sub system that my email can't
delivered as the address not exists.
Then i looked at the address & it is info@mtgox.com" <
Mt.Gox@w001.mo.us.xta.net>

So, in front HACKERS giving name as info@mtgox.com & email address some
other, seems hacker email, to hack user accounts.

Please take necessary action ASAP.

Thank you,
dishwara


Forwarded conversation
Subject: [Mt.Gox] Password recovery
------------------------

From: *info@mtgox.com* <Mt.Gox@w001.mo.us.xta.net>
Date: Mon, Jun 27, 2011 at 7:33 AM
To: dishwara <dishwara@gmail.com>


Dear dishwara,

On Mon 27 Jun 2011 11:03:40 AM JST your asked for a password recovery.

If you didn't make this request yourself, you can inform us by replying to
this email. If you did, you can use the link below to have your password
reset.

Your login: xxxxxxxxxxxx

The password reset key:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

https://claim.mtgox.com/forgot_login?login=xxxxxxx&password_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


Best regards,
Mt.Gox team
info@mtgox.com


The request was made from:
IP: 188.165.193.7
Browser: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)

----------
From: *dishwara* <dishwara@gmail.com>
Date: Mon, Jun 27, 2011 at 12:17 PM
To: "info@mtgox.com" <Mt.Gox@w001.mo.us.xta.net>


Hi,

I confirm that I DID NOT REQUEST password reset.
The IP address IP: 188.165.193.7 is 100% fucking hacker/cracker IP.
Please block that IP.

Thank you for informing me & also asked to reply me confirming i didn't try
to reset password.
dishwara

----------
From: *Mail Delivery Subsystem* <mailer-daemon@googlemail.com>
Date: Tue, Jun 28, 2011 at 2:04 PM
To: dishwara@gmail.com


This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:
Message will be retried for 2 more day(s)

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at
http://mail.google.com/support/bin/answer.py?answer=7720
[w001.mo.us.xta.net  (1): Connection refused]

----- Original message -----

MIME-Version: 1.0
Received: by 10.205.35.1 with SMTP id su1mr4005398bkb.129.1309157251194;
Sun,
26 Jun 2011 23:47:31 -0700 (PDT)
Received: by 10.204.78.78 with HTTP; Sun, 26 Jun 2011 23:47:31 -0700 (PDT)
In-Reply-To: <20110627020340.C13A6436191@w001.mo.us.xta.net>
References: <20110627020340.C13A6436191@w001.mo.us.xta.net>
Date: Mon, 27 Jun 2011 12:17:31 +0530
Message-ID: <BANLkTi=3791_C5VVJ1gd-BRaPHA1XM0eEA@mail.gmail.com>
Subject: Re: [Mt.Gox] Password recovery
From: dishwara <dishwara@gmail.com>
To: "info@mtgox.com" <Mt.Gox@w001.mo.us.xta.net>
Content-Type: multipart/alternative; boundary=bcaec52c64dfe9a0bf04a6abec17

This email is a service from Mt.Gox Support Desk
