Starting a week ago I am receiving emails with .jar files claiming to be from different Bitcoin sites. They don't get detected as spam by any spam filter, the jar file is not detected as a virus. It seems they are sent to handpicked targets who actively work with crypto currency. The emails came from 3 different sources so far, 3 via smtp.com (already talked to them and they said they will look into it), and 2 via gmail.
I will be running the jar file in a virus testing sandbox to see what network connections it tries to make. Decompiling the jar didn't give much result since I believe it contains native binaries (for osx, windows and linux) that are run. If anyone else received and already tested these files please let me know what you found.
I have accounts at almost every exchange (including Mt.Gox, though my email was not in the gox account lists I found on the net) so it could be that my email leaked from one of those.
Anyone else experiencing these?
------------------ Headers and some content of the some emails received ------------------------
Delivered-To:
XXXXXXXXXX@gmail.comReceived: by 10.182.246.1 with SMTP id xs1csp217663obc;
Mon, 21 Apr 2014 12:12:32 -0700 (PDT)
Return-Path: <
khamashtaa@gmail.com>
Received-SPF: pass (google.com: domain of
khamashtaa@gmail.com designates 10.66.150.69 as permitted sender) client-ip=10.66.150.69
Authentication-Results: mr.google.com;
spf=pass (google.com: domain of
khamashtaa@gmail.com designates 10.66.150.69 as permitted sender) smtp.mail=khamashtaa@gmail.com;
dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.66.150.69])
by 10.66.150.69 with SMTP id ug5mr40109988pab.55.1398107551939 (num_hops = 1);
Mon, 21 Apr 2014 12:12:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=snOLhcQ+SqxC85ZiOH580ss1veiwVqZSKyogNOl7fzY=;
b=DZiC6/fAEVa4BWD/4GBPyuEjKs1pVMMGiW9YzXdyP6tkxt8icqgmYz2PxPqf+l0YOX
+6BtdWGJQ7D3GUBKLfgFBVUCEl19R9OX4uoQMjhWthPhqfq+q/VLPgNxtHh2FPNtk6q9
9weGvhUn5U2ioRC7dmBAFtJdvKgCU/V8TZXK+A9NRlZDg7J4OQuYFJIclfT0f0FPW+T2
l086g3eRs5N8NCUT395o/z6QCh4j2p47VuMaM9Ld2Rn6Ib3k1jBHKct+/tQo31JD65FI
88Z+CzDiNVjWOEyR6m81BWnXcnpVnimoEAY/HxFOOxGicSQN0QnonCsVPs66nImCOcYi
Teeg==
MIME-Version: 1.0
X-Received: by 10.66.150.69 with SMTP id ug5mr40170349pab.55.1398107551483;
Mon, 21 Apr 2014 12:12:31 -0700 (PDT)
Received: by 10.70.61.1 with HTTP; Mon, 21 Apr 2014 12:12:31 -0700 (PDT)
Date: Mon, 21 Apr 2014 22:12:31 +0300
Message-ID: <CAKNkiXYQTAc_r+u3x-jfJj0hZF3FQ_bLYEd5rnrt_WoiwOYurw@mail.gmail.com>
Subject: Problem in the Market
From: ahmad khamashta <
khamashtaa@gmail.com>
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary=047d7b6dc31ef77d1304f79247bb
Bcc:
XXXXXXXXXX@gmail.com--047d7b6dc31ef77d1304f79247bb
Content-Type: multipart/alternative; boundary=047d7b6dc31ef77d0f04f79247b9
--047d7b6dc31ef77d0f04f79247b9
Content-Type: text/plain; charset=UTF-8
*Hello, *
*I have Problem in my account , i try to buy all my XBT "122 Bitcoin"*
*buy when i need to process the order i got this error "attached"*
*Please i need answer or Solved for this problem ASAP*
*Thank you*
------------------------------------------------------------------------------------------------------------------------------------------------
Delivered-To:
XXXXXXXXXX@gmail.comReceived: by 10.182.246.1 with SMTP id xs1csp100488obc;
Mon, 28 Apr 2014 00:06:48 -0700 (PDT)
X-Received: by 10.68.240.99 with SMTP id vz3mr23458826pbc.93.1398668807684;
Mon, 28 Apr 2014 00:06:47 -0700 (PDT)
Return-Path: <
alewis@itbit.com>
Received: from mailer242.gate181.sl.smtp.com (mailer242.gate181.sl.smtp.com. [192.40.181.242])
by mx.google.com with ESMTP id qf5si9774988pac.211.2014.04.28.00.06.47
for <
XXXXXXXXX@gmail.com>;
Mon, 28 Apr 2014 00:06:47 -0700 (PDT)
Received-SPF: none (google.com:
alewis@itbit.com does not designate permitted sender hosts) client-ip=192.40.181.242;
Authentication-Results: mx.google.com;
spf=neutral (google.com:
alewis@itbit.com does not designate permitted sender hosts) smtp.mail=alewis@itbit.com;
dkim=pass header.i=@smtp.com
Return-Path: <
alewis@itbit.com>
X-MSFBL: aHNhaG1lZEBnbWFpbC5jb21AMTkyXzQwXzE4MV8yNDJAU2VuZEJsYXN0ZXJfMkA=
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
q=dns/txt; i=@smtp.com; t=1398668806;
h=From:Subject:To:Date:MIME-Version:Content-Type;
bh=FsfC8XmgPRDRepb53Yb8HgKVlGjtEhsMC2Zsr4pvMGo=;
b=PYrnG1ZsdZweyzCBpvSTu9GZXCQu7pCZPrk3Izl2W/IYaUlRP8WxvAvb3vGUxdTb
X3/AzJ966SmS5GlHG3FDOnattTzpc0jPPCf8CwWH7uGHC3Nwt5V270YnKrlcff/X
Hs+uLvCNqR78MIhHwHb8h4XkgzfDV8G2MERKFMzmkj0=;
Received: from [216.55.179.130] ([216.55.179.130:58769] helo=216-55-179-130.dedicated.codero.net)
by sl-mta06.smtp.com (envelope-from <
alewis@itbit.com>)
(ecelerity 3.5.5.39309 r(Platform:3.5.5.0)) with ESMTPSA (cipher=AES256-SHA)
id 55/1B-09095-50EFD535; Mon, 28 Apr 2014 07:06:46 +0000
From: "ItBit" <
alewis@itbit.com>
Message-ID: <55.1B.09095.50EFD535@sl-mta06>
Subject: ItBit Final Report
To: "XXXXXXX" <
XXXXXXXXX@gmail.com>
Content-Type: multipart/mixed; boundary="Si3q2MkLplfvSjo1bPsfGhL=_Zd1lqAOnT"
MIME-Version: 1.0
Organization: ItBit
Date: Mon, 28 Apr 2014 00:06:46 -0700
X-SMTPCOM-Tracking-Number: 49f61f3c-42d5-47a7-91ca-0631251aca4c
X-SMTPCOM-Sender-ID: 6001689
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to
abuse@smtp.comThis is a multi-part message in MIME format
--Si3q2MkLplfvSjo1bPsfGhL=_Zd1lqAOnT
Content-Type: multipart/alternative;
boundary="E3ds9G5Tm1O3h=_2A5t6vfIbwqcOc6GQmQ"
--E3ds9G5Tm1O3h=_2A5t6vfIbwqcOc6GQmQ
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
=EF=BB=BFHello,
We are sorry to late , we attach in this email all the information you=
need about your account with us.
if you have any qouestion please contact us again.
Thank you
Antony Lewis
Business Development
https://www.itbit.com |
alewis@itbit.com | +65 9296 4222
