Two new MtGox phising websites, always check for HTTPS

[rme]

Hi,
hxxp://mtgox.de and hxxp://mtgox.org are SCAM websites.
Do not download any EXE, they are virus.

The original URL is https://mtgox.com (remember HTTPS and .COM).

Proof of virus in .de and .org domains:
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

PLEASE DO NOT EXECUTE THIS VIRUSES


PLEASE REPORT THIS WEBSITE TO GOOGLE PHISING, THIS WAY IT WILL BE BLOCKED IN BROWSERS
1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.org in the phising url field
3.- Write this in comments: "mtgox.org is a phising site of the real mtgox.com website".


1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.de in the phising url field
3.- Write this in comments: "mtgox.de is a phising site of the real mtgox.com website".


UPDATES:
mtgox.de is now in the phising list (blocked by most browsers)
new phising domain hxxp://mtgox.net
new phising domain hxxp://mtgox.co.uk

[escrow.ms]

Thanks for warning and yeah i have seen mtgox.de on google advertisement.
Looks like they are using adsense.

[escrow.ms]

Well whois data of mtgox.de .net and .org is same.

and mtgox guys are acting dumb.  

https://twitter.com/c0k3in/statuses/339716874373849088


https://dazzlepod.com/ip/74.86.83.82/

who.is data of mtgox.de


Domain holder:   Christian Schmitz
Address:   Dr August Blank Str 7
Postal code:   51373
City:   Leverkusen
Country:   DE
Administrative contact

The administrative contact (admin-c) is the natural person appointed by the domain holder to act as his/her authorized representative and who also has the duty towards DENIC of taking binding decisions in all matters concerning the domain mtgox.de.
Name:   Christian Schmitz
Address:   Dr August Blank Str 7
Postal code:   51373
City:   Leverkusen
Country:   DE
Technical contact

The technical contact (tech-c) supports the domain mtgox.de with respect to technical aspects.
Name:   Martin Hetzner
Organisation:   Hetzner Online AG
Address:   Stuttgarter Strasse 1
Postal code:   91710
City:   Gunzenhausen
Country:   DE
Phone:   +499831610061
Fax:   +499831610062
E-mail:   info@hetzner.de
Zone administrator

The zone administrator (zone-c) supports the name servers of the domain mtgox.de.
Name:   Martin Hetzner
Organisation:   Hetzner Online AG
Address:   Stuttgarter Strasse 1
Postal code:   91710
City:   Gunzenhausen
Country:   DE
Phone:   +499831610061
Fax:   +499831610062
E-mail:   info@hetzner.de
Technical data
Name server:   ns.second-ns.com
Name server:   ns1.your-server.de
Name server:   ns3.second-ns.de

 

[escrow.ms]

Actually i checked source code and it's suspicious for sure.

Real mtgox
http://pastie.org/7980108

mtgox.de
http://pastie.org/7980104

[ivanc]

Did Mtgox confirm it was a scam?
I don't think they did.

[The 4ner]

Either way it's good to know. Thanks for the heads up OP.

[OpenYourEyes]

Also report them here. https://www.badwarebusters.org/community/submit

[redtwitz]

Did Mtgox confirm it was a scam?
I don't think they did.

What's to confirm?

The MtGox website says:

IMPORTANT: If you don't see a green bar in your browser URL input like the image below, you might be on a phishing website! Always be very careful of that when you login.

(The fact that they haven't edited that part out of the phishing site is a nice touch.)

If you submit the form, your username and password get sent to mtgox.de. That domain points to 74.86.83.82, which is a SoftLayer IP address.

[The 4ner]

+1

[Fiyasko]

Thanks!, I reported the sites just as you suggested
I dont even use mtgox

[Knecke]

I will report this person to the german police its a fraud attempt.

[ThatDGuy]

Reported - thanks for the quick documentation to make this easy!

[ivanc]

A few important things to understand:
- google fishing is not used by IE, Opera, Safari, etc.
- the whois information is faked, so don't bother reporting the guy, you don't know him.
- the green bar in the browser unfortunately doesn't mean much, as it's rather easy to get a EEV certificate for any domain for the "Mtgox Tibanne" name. The only thing of value is the domain name in your address bar.

[rme]

Did Mtgox confirm it was a scam?
I don't think they did.

If you want to check it download this files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to virstotal.

[rme]

UPDATES:
mtgox.de is now in the phising list (blocked by most browsers)
new phising domain hxxp://mtgox.net
new phising domain hxxp://mtgox.co.uk

[rme]

omg, I accidently clicked mtgox.de today, but I closed it like in few seconds? Should i worry about it? Could I have virus by now?

If you dont use Internet explorer and you do not downloaded any .exe you are fine.

You can always run a virus check 

[escrow.ms]

Did Mtgox confirm it was a scam?
I don't think they did.

If you want to check it download this files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to virstotal.

Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.

[rme]

Did Mtgox confirm it was a scam?
I don't think they did.

If you want to check it download this files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to virstotal.

Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.

This zip contains the two MTGOX viruses:
(CAUTION, VIRUS)http://xena.ww7.be/wsj/trojan.zip (CAUTION, VIRUS)

https://malwr.com/submission/status/MTEwZDcyNTM2ZTYzNGVmYTljNTMwMDBkOWU0MTVkNzU/
https://www.virustotal.com/es/file/d262bb2faf6d0bcd7064e0b51509dbbca7c8c90ac97d4e07fc97e527fa915833/analysis/1369856227/