Topic: [BEWARE] Novacoin Phishing Site!
theDF (OP)
August 29, 2013, 11:28:25 PM
Last edit: August 30, 2013, 09:43:12 AM by theDF
 #1

I just got this PM

Hi,
My Novacoin giveaway has began! I am a large holder in NVC and want to boost it's popularity. To do this I am offering the equivalent of 15$ in NVC for every person that gets the NovacoinQT wallet and sends me the newly made address.

I will be doing this up to the one hundredth address I receive and depending on the results I get on the NVC market I will either continue or discontinue these giveaways. Please do not attempt to send me multiple addresses, I have my ways of finding out. After downloading the wallet send me a pm on here with your NVC address. Hope you realise the investment opportunity that is Novacoin!

You can get the wallet from Novacoin.org

Thanks

Be careful with the link: it goes to novascoin.org instead of the real novacoin.org.

*link removed for safety
frankenmint
August 29, 2013, 11:30:54 PM
 #2

Same, guys, I did too. Don't fall for the greed on this one here. WHOIS lookup is pasted... clearly shows the site was registered yesterday.


Quote
   
Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Public Interest Registry registry database. The data in this record is provided by
Public Interest Registry for informational purposes only, and Public Interest Registry does
not
guarantee its accuracy.  This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Public Interest Registry reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.

Domain ID:D169540408-LROR
Domain Name:NOVASCOIN.ORG
Created On:28-Aug-2013 23:38:45 UTC
Last Updated On:29-Aug-2013 17:55:53 UTC
Expiration Date:28-Aug-2014 23:38:45 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
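
The two signals raised in the posts above, a one-letter lookalike of a known domain and a registration date one day old, can be checked mechanically. This is an added example, not part of the original thread; the trusted-domain list, the 30-day threshold and reading the forum timestamp as UTC are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption for this example: a reader-maintained list of trusted domains.
KNOWN_GOOD = {"novacoin.org", "bitcointalk.org", "sourceforge.net"}

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, max_dist=2):
    """Return the trusted domain that `domain` imitates, or None."""
    d = domain.lower().rstrip(".")
    if d in KNOWN_GOOD:
        return None
    dist, best = min((edit_distance(d, g), g) for g in KNOWN_GOOD)
    return best if dist <= max_dist else None

def whois_created(record):
    """Parse 'Created On:' in the format of the WHOIS record quoted above."""
    m = re.search(r"^Created On:\s*(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC",
                  record, re.M)
    if not m:
        raise ValueError("no 'Created On' field found")
    return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def assess(domain, record, now, min_age_days=30):
    """Combine both signals into a list of findings."""
    findings = []
    target = lookalike_of(domain)
    if target:
        findings.append(f"lookalike of {target}")
    age = now - whois_created(record)
    if age.days < min_age_days:
        findings.append(f"registered {age.days} day(s) ago")
    return findings

# Fields copied from the WHOIS output quoted in the post above.
RECORD = "Domain Name:NOVASCOIN.ORG\nCreated On:28-Aug-2013 23:38:45 UTC\n"

if __name__ == "__main__":
    seen = datetime(2013, 8, 29, 23, 30, 54, tzinfo=timezone.utc)  # post time, assumed UTC
    print(assess("novascoin.org", RECORD, seen))
```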

faetos
August 29, 2013, 11:31:51 PM
Last edit: August 29, 2013, 11:57:34 PM by faetos
 #3

Thanks for the heads up. I'm curious to see what the malware looks like via a cuckoo sandbox.

FYI - you may want to remove the hyperlink so no one clicks on it out of curiosity.

I ran the site through Anubis and here is the report: http://anubis.iseclab.org/?action=result&task_id=1edafa42a570f2ab4f5c6d89c75cc353c

cryptograd
August 30, 2013, 05:18:24 AM
 #4

Just downloaded this and installed the .exe.

Should I reinstall Windows?

Luckily this isn't my main machine.

Any idea what this .exe is?

A keylogger? A virus? Spyware?

Liked something I said ->17ry6rrknqmQ2S1NRArzdrNMmG2Zk449AE
Most important bitcointalk post in history
https://bitcointalk.org/index.php?topic=120184.msg1381739#msg1381739
JoeMattie
August 30, 2013, 05:28:17 AM
 #5

Ran this on a fresh laptop under ap-isolation.

The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)

Then it sits listening to port 1640

I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched


Bitrated user: AKQuaternion.
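
A triage check for the behaviour reported in the post above (an executable running from %appdata% that holds a listening TCP port), as an added example that is not part of the original thread. The netstat sample, the PID-to-image map and the file name sample.exe are constructed for illustration; only port 1640 comes from the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the column layout printed by `netstat -ano` on Windows.
NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1640           0.0.0.0:0              LISTENING       3316
  TCP    192.168.1.23:49211     203.0.113.10:443       ESTABLISHED     5120
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Constructed PID-to-image map; on a live host this comes from a process listing.
IMAGES = {
    4: "System",
    812: r"C:\Windows\System32\svchost.exe",
    3316: r"C:\Users\test\AppData\Roaming\sample.exe",
    5120: r"C:\Program Files\Browser\browser.exe",
}

ROW = re.compile(r"^[ \t]*TCP[ \t]+(\S+):(\d+)[ \t]+\S+[ \t]+LISTENING[ \t]+(\d+)[ \t]*$", re.M)

def listeners(netstat_text):
    """Return (local_addr, port, pid) for every TCP socket in LISTENING state."""
    return [(a, int(p), int(pid)) for a, p, pid in ROW.findall(netstat_text)]

def in_user_writable_dir(image):
    """True when the image path runs through AppData or Temp."""
    parts = {p.lower() for p in PureWindowsPath(image).parts}
    return bool(parts & {"appdata", "temp"})

def suspicious_listeners(netstat_text, images):
    """Flag listening sockets whose owning image lives in a user-writable directory."""
    hits = []
    for addr, port, pid in listeners(netstat_text):
        image = images.get(pid, "")
        if in_user_writable_dir(image):
            exposed = addr in ("0.0.0.0", "[::]")  # bound to all interfaces
            hits.append({"port": port, "pid": pid, "image": image, "exposed": exposed})
    return hits

if __name__ == "__main__":
    for hit in suspicious_listeners(NETSTAT, IMAGES):
        print(hit)
```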
cryptograd
August 30, 2013, 05:31:47 AM
 #6

Quote from: JoeMattie
> Ran this on a fresh laptop under ap-isolation.
>
> The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)
>
> Then it sits listening to port 1640
>
> I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched

So this would only affect individuals who have localized bitcoin wallets running on their machines?

Would it intercept the coin between nodes?

Are cloud based wallets affected at all?

Liked something I said ->17ry6rrknqmQ2S1NRArzdrNMmG2Zk449AE
Most important bitcointalk post in history
https://bitcointalk.org/index.php?topic=120184.msg1381739#msg1381739
phillipsjk
August 30, 2013, 05:32:44 AM
 #7

If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.

Without disassembling the software, we don't know what it does.

There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.

Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
theDF (OP)
August 30, 2013, 05:37:49 AM
 #8

Quote from: phillipsjk
> If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.
>
> Without disassembling the software, we don't know what it does.
>
> There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.
>
> Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).

So it is waiting for the creator's command to do what the command is?
Could it be a multipurpose malware?
b!z
August 30, 2013, 09:30:21 AM
 #9

Quote from: theDF
> Quote from: phillipsjk
>> If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.
>>
>> Without disassembling the software, we don't know what it does.
>>
>> There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.
>>
>> Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).
>
> So it is waiting for the creator's command to do what the command is?
> Could it be a multipurpose malware?

Could be a remote access tool; some guys before were pulling off a giveaway scam and remote controlling PCs + stealing coins manually.

If you opened the .exe, format your drive :-)
Balthazar
August 30, 2013, 01:45:02 PM
 #10

https://bitcointalk.org/index.php?topic=283973.msg3040804#msg3040804

Maybe I'll try to inspect this .exe later, but HDD formatting is the best solution at the moment.
hacked1
August 30, 2013, 04:46:41 PM
 #11

I was hacked last night due to that spam private message directing you to novascoin.com

The URL redirects to NOVAScoin... with an S instead of novacoin.

The person successfully changed the password to my original forum handle "cryptograd"

Moderators please help

https://i.imgur.com/BpheZ5W.jpg
minerpumpkin
August 30, 2013, 10:24:56 PM
 #12

Just received the scam message from the hacked cryptograd account.
I've submitted an abuse report with sourceforge.

I should have gotten into Bitcoin back in 1992...
monbux
August 30, 2013, 10:26:45 PM
 #13

Haha, just got their message, LOLed so hard... Is it a bought account?
PinkBatman
August 30, 2013, 10:46:34 PM
 #14

Quote from: cryptograd
> Quote from: JoeMattie
>> Ran this on a fresh laptop under ap-isolation.
>>
>> The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)
>>
>> Then it sits listening to port 1640
>>
>> I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched
>
> So this would only affect individuals who have localized bitcoin wallets running on their machines?
>
> Would it intercept the coin between nodes?
>
> Are cloud based wallets affected at all?

I just got the same PM from you, cryptograd. Watch out.
pedrog
August 30, 2013, 10:59:28 PM
 #15

Shit, installed novacoin-qt for nothing...

novascoin.org has the same links to sourceforge as novacoin.org, how does our system get compromised in this attack?

Hekuro
August 31, 2013, 12:40:09 AM
 #16

I just got this PM (from cryptograd) and opened the link, however I didn't download anything.
I'm using Google Chrome on Xubuntu 13.04. Is there some risk of my PC being infected now (probably not, but better safe than sorry)? ;)
grums
August 31, 2013, 01:06:59 AM
 #17


I also got a PM from cryptograd (I believe his account has been hacked after installing the file).

I downloaded the file but never installed it. Should I be worried? Or is it okay because I never installed the exe?

Donations : BTC : 13Niw9YieHnEiuVxaVsFEAv4Hsomrs711u
                  LTC : LYaFDMTK5xSohBdBxbidqH9skzNAWFawhD
smscotten
August 31, 2013, 01:42:45 AM
 #18

Yeah, I got one from cryptograd too. I didn't even think to click the link, I just typed "novacoin" into my search bar and followed the link on the novacoin.org (no s) site to sourcesforge (kidding) and downloaded the qt client.

So I think I'm safe but if anyone gets any strange PMs from me…

smscotten
August 31, 2013, 01:55:12 AM
Last edit: August 31, 2013, 02:10:29 AM by smscotten
 #19

BTW, I joked about "sourcesforge" but the fake novaScoin dot org is a copy of the real site but with a link to sourceforge.net—it's a real (well, an actual fake) project on sourceforge.

So it wouldn't hurt to go to http://sourceforge.net/projects/novascoinqt/ and leave some reviews (edit to add: and abuse reports) so that unsuspecting visitors don't get duped.

pedrog
August 31, 2013, 02:06:43 AM
 #20

Quote from: smscotten
> BTW, I joked about "sourcesforge" but the fake novaScoin dot org is a copy of the real site but with a link to sourceforge.net—it's a real (well, an actual fake) project on sourceforge.
>
> So it wouldn't hurt to go to http://sourceforge.net/projects/novascoinqt/ and leave some reviews so that unsuspecting visitors don't get duped.

Oh, now I get it!

The fake sf.net project link is in the big download button on the front page, I was checking the links in the "Installation" page, those are legit...
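
The finding in the last two posts, a cloned page whose installation links are legitimate while the download button points at a different SourceForge project, is the kind of thing a link audit catches. This is an added example, not part of the original thread; the expected project slug is a placeholder because the thread does not name the genuine one, and the HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Placeholder: the thread does not name the genuine project's SourceForge slug.
EXPECTED_PROJECTS = {"genuine-project-placeholder"}

class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data.strip())
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(t for t in self._text if t)))
            self._href = None

def sourceforge_project(url):
    """Return the slug for sourceforge.net/projects/<slug>/ URLs, else None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    parts = [p for p in u.path.split("/") if p]
    if host in ("sourceforge.net", "www.sourceforge.net") and len(parts) >= 2 \
            and parts[0] == "projects":
        return parts[1].lower()
    return None

def unexpected_downloads(html):
    """List links that point at a SourceForge project outside the expected set."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        slug = sourceforge_project(href)
        if slug and slug not in EXPECTED_PROJECTS:
            flagged.append((text, slug))
    return flagged

# Constructed page mirroring what the posts describe: a legitimate link in the
# installation section, a different project behind the download button.
PAGE = """
<a href="http://sourceforge.net/projects/genuine-project-placeholder/files/">Installation</a>
<a class="button" href="http://sourceforge.net/projects/novascoinqt/">Download</a>
"""
```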
