Bitcoin Forum
Topic: Two new MtGox phishing websites, always check for HTTPS
rme (OP)
May 29, 2013, 03:46:43 PM
Last edit: May 29, 2013, 06:49:13 PM by rme
 #1

Hi,
hxxp://mtgox.de and hxxp://mtgox.org are SCAM websites.
Do not download any EXE; they are viruses.

The original URL is https://mtgox.com (remember HTTPS and .COM).

Proof of virus in .de and .org domains:
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

PLEASE DO NOT EXECUTE THESE VIRUSES


PLEASE REPORT THIS WEBSITE TO GOOGLE PHISHING, THIS WAY IT WILL BE BLOCKED IN BROWSERS
1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.org in the phishing URL field
3.- Write this in comments: "mtgox.org is a phishing site of the real mtgox.com website".


1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.de in the phishing URL field
3.- Write this in comments: "mtgox.de is a phishing site of the real mtgox.com website".


UPDATES:
mtgox.de is now in the phishing list (blocked by most browsers)
new phishing domain hxxp://mtgox.net
new phishing domain hxxp://mtgox.co.uk
escrow.ms
May 29, 2013, 03:50:07 PM
 #2

Thanks for the warning, and yeah, I have seen mtgox.de in a Google advertisement. :P
Looks like they are using AdSense.

escrow.ms
May 29, 2013, 04:00:38 PM
 #3

Well, the whois data of mtgox.de, .net and .org is the same.

And the mtgox guys are acting dumb.

https://twitter.com/c0k3in/statuses/339716874373849088


https://dazzlepod.com/ip/74.86.83.82/

who.is data of mtgox.de


Domain holder:   Christian Schmitz
Address:   Dr August Blank Str 7
Postal code:   51373
City:   Leverkusen
Country:   DE
Administrative contact

The administrative contact (admin-c) is the natural person appointed by the domain holder to act as his/her authorized representative and who also has the duty towards DENIC of taking binding decisions in all matters concerning the domain mtgox.de.
Name:   Christian Schmitz
Address:   Dr August Blank Str 7
Postal code:   51373
City:   Leverkusen
Country:   DE
Technical contact

The technical contact (tech-c) supports the domain mtgox.de with respect to technical aspects.
Name:   Martin Hetzner
Organisation:   Hetzner Online AG
Address:   Stuttgarter Strasse 1
Postal code:   91710
City:   Gunzenhausen
Country:   DE
Phone:   +499831610061
Fax:   +499831610062
E-mail:   info@hetzner.de
Zone administrator

The zone administrator (zone-c) supports the name servers of the domain mtgox.de.
Name:   Martin Hetzner
Organisation:   Hetzner Online AG
Address:   Stuttgarter Strasse 1
Postal code:   91710
City:   Gunzenhausen
Country:   DE
Phone:   +499831610061
Fax:   +499831610062
E-mail:   info@hetzner.de
Technical data
Name server:   ns.second-ns.com
Name server:   ns1.your-server.de
Name server:   ns3.second-ns.de

 

escrow.ms
May 29, 2013, 04:18:48 PM
 #4

Actually, I checked the source code and it's suspicious for sure.

Real mtgox
http://pastie.org/7980108

mtgox.de
http://pastie.org/7980104
ivanc
May 29, 2013, 04:34:30 PM
 #5

Did Mtgox confirm it was a scam?
I don't think they did.
The 4ner
aka newbitcoinqtuser
May 29, 2013, 04:35:57 PM
 #6

Either way it's good to know. Thanks for the heads up OP.
OpenYourEyes
May 29, 2013, 04:41:24 PM
 #7

Also report them here. https://www.badwarebusters.org/community/submit

redtwitz
May 29, 2013, 04:50:35 PM
 #8

Quote from: ivanc
> Did Mtgox confirm it was a scam?
> I don't think they did.

What's to confirm?

The MtGox website says:

Quote
> IMPORTANT: If you don't see a green bar in your browser URL input like the image below, you might be on a phishing website! Always be very careful of that when you login.

(The fact that they haven't edited that part out of the phishing site is a nice touch.)

If you submit the form, your username and password get sent to mtgox.de. That domain points to 74.86.83.82, which is a SoftLayer IP address.
The 4ner
aka newbitcoinqtuser
May 29, 2013, 04:52:28 PM
 #9

+1
Fiyasko
May 29, 2013, 04:56:01 PM
 #10

Thanks! I reported the sites just as you suggested.
I don't even use mtgox.

Knecke
May 29, 2013, 04:57:50 PM
 #11

I will report this person to the German police; it's a fraud attempt.
ThatDGuy
May 29, 2013, 05:22:10 PM
 #12

Reported - thanks for the quick documentation to make this easy!
ivanc
May 29, 2013, 06:08:16 PM
 #13

A few important things to understand:
- Google phishing is not used by IE, Opera, Safari, etc.
- the whois information is faked, so don't bother reporting the guy, you don't know him.
- the green bar in the browser unfortunately doesn't mean much, as it's rather easy to get a EEV certificate for any domain for the "Mtgox Tibanne" name. The only thing of value is the domain name in your address bar.
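
The checks raised in this thread (HTTPS, the exact domain in the address bar, and where the login form submits) can be automated. The following is an added example, not part of any post; `BRAND`, `classify`, `audit_login_page` and the sample form are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TRUSTED_HOST = "mtgox.com"  # the genuine site named in the thread
BRAND = "mtgox"             # label reused by the look-alike domains


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


def classify(url):
    """Return 'trusted', 'insecure', 'lookalike' or 'other' for a URL."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".")
    if host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST):
        # Right domain; still require HTTPS before typing a password.
        return "trusted" if parts.scheme == "https" else "insecure"
    # Brand label under another suffix (.de, .org, .net, .co.uk) or as a
    # subdomain of an unrelated domain.
    return "lookalike" if BRAND in host.split(".") else "other"


class FormActions(HTMLParser):
    """Collect the action attribute of every <form> element."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, html):
    """Resolve each form target against the page URL and classify it."""
    parser = FormActions()
    parser.feed(html)
    targets = [urljoin(refang(page_url), action) for action in parser.actions]
    return [(target, classify(target)) for target in targets]


# Constructed sample: a cloned login form with a relative action, so the
# credentials go to whichever host served the page.
SAMPLE_FORM = ('<form method="post" action="/login"><input name="username">'
               '<input name="password" type="password"></form>')
```

The same markup is classified as trusted when served from https://mtgox.com/ and as a look-alike when served from hxxp://mtgox.de/, which is why the page content alone cannot tell the two apart.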
rme (OP)
May 29, 2013, 06:34:34 PM
 #14

Quote from: ivanc
> Did Mtgox confirm it was a scam?
> I don't think they did.

If you want to check it, download these files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to VirusTotal.
rme (OP)
May 29, 2013, 06:45:46 PM
 #15

UPDATES:
mtgox.de is now in the phishing list (blocked by most browsers)
new phishing domain hxxp://mtgox.net
new phishing domain hxxp://mtgox.co.uk
rme (OP)
May 29, 2013, 07:11:45 PM
 #16

Quote
> omg, I accidentally clicked mtgox.de today, but I closed it like in a few seconds? Should I worry about it? Could I have a virus by now?

If you don't use Internet Explorer and you did not download any .exe, you are fine.

You can always run a virus check ;)
escrow.ms
May 29, 2013, 07:17:25 PM
 #17

Quote from: rme
> Quote from: ivanc
> > Did Mtgox confirm it was a scam?
> > I don't think they did.
>
> If you want to check it, download these files (they are viruses):
> hxxp://mtgox.de/MTGOX_Wallet.exe
> hxxp://mtgox.org/MTGOX_Wallet.exe
>
> If you do not execute them you are fine.
> Your AV will notify that they are viruses.
>
> In 4 minutes I will upload the virus to VirusTotal.

Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.
rme (OP)
May 29, 2013, 07:34:33 PM
 #18

Quote from: escrow.ms
> Quote from: rme
> > Quote from: ivanc
> > > Did Mtgox confirm it was a scam?
> > > I don't think they did.
> >
> > If you want to check it, download these files (they are viruses):
> > hxxp://mtgox.de/MTGOX_Wallet.exe
> > hxxp://mtgox.org/MTGOX_Wallet.exe
> >
> > If you do not execute them you are fine.
> > Your AV will notify that they are viruses.
> >
> > In 4 minutes I will upload the virus to VirusTotal.
>
> Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.


This zip contains the two MTGOX viruses:
(CAUTION, VIRUS) hxxp://xena.ww7.be/wsj/trojan.zip (CAUTION, VIRUS)

https://malwr.com/submission/status/MTEwZDcyNTM2ZTYzNGVmYTljNTMwMDBkOWU0MTVkNzU/
https://www.virustotal.com/es/file/d262bb2faf6d0bcd7064e0b51509dbbca7c8c90ac97d4e07fc97e527fa915833/analysis/1369856227/