Bitcoin Forum
Author Topic: MtGox spoof mail+site  (Read 2098 times)
kwukduck
August 27, 2011, 03:31:06 PM
 #1

Just received an email from 'info@mtgox.com' with the news of 11-08-2011, a link in the message has the text of the mtgox newsletter link but truly links to:
hxxp://mtgox.tk/users/login

Careful if you got this email too.

14b8PdeWLqK3yi3PrNHMmCvSmvDEKEBh3E
EricJ2190
August 27, 2011, 04:17:22 PM
 #2

Of interest from the email headers:
Code:
Return-Path: <fewfewef@xm33.hostsila.org>
Received: from xm33.hostsila.org (xm33.hostsila.org [194.28.87.253])
...
Received: from fewfewef by xm33.hostsila.org with local (Exim 4.69)
(envelope-from <fewfewef@xm33.hostsila.org>)

I sent off a quick message to the .TK abuse email letting them know about the issue.
helloworld
August 27, 2011, 04:18:16 PM
 #3

hxxp://mtgox.tk/users/login

Well, I tried that link just now and it redirects to a Romanian blog site on a .ro domain.

hxxp://www.niuzer.ro/Botosani/IMPRESIONANT-Testamentul-Reginiei-Maria-a-Romaniei-2637509.html?utm_source=twitterfeed&utm_medium=twitter
Gavin Andresen
August 27, 2011, 10:28:31 PM
 #4

I got a copy, too.  If you use gmail, use the 'Report phishing' function (in the Reply drop-down menu).

How often do you get the chance to work on a potentially world-changing project?
indio007
August 27, 2011, 10:35:43 PM
 #5

Oops I "accidentally" entered a password.
U:Blowme
P:Gofuckyourself

Why not just spam it with bogus account info?
NothinG
August 28, 2011, 12:24:44 AM
 #6

Anyone heard of drive-by's?

dustintrammell
August 28, 2011, 02:18:48 AM
 #7

Is there any indication that this is a widespread campaign among more than one Mt. Gox user, perhaps using the database leak data from the breach a while back, or are you the only recipient as far as you know?  I'm just wondering if this is more targeted spear-phishing or if they're casting a wider net...
Tasty Champa
August 28, 2011, 02:28:27 AM
 #8

could tell MagicalTux or someone over there about what fake info you reply with,
(just put in legit looking info)
then could use that to possibly identify them or at least block the addresses.
SomeoneWeird
August 28, 2011, 02:29:57 AM
 #9

Quote from: Tasty Champa
could tell MagicalTux or someone over there about what fake info you reply with,
(just put in legit looking info)
then could use that to possibly identify them or at least block the addresses.

Already told him.
theymos
August 28, 2011, 03:26:16 AM
 #10

I submitted it to PhishTank:
http://www.phishtank.com/phish_detail.php?phish_id=1262006&frame=details
Vote for its confirmation if you have a PhishTank account.

NothinG
August 28, 2011, 03:28:16 AM
 #11

Quote from: theymos
I submitted it to PhishTank:
http://www.phishtank.com/phish_detail.php?phish_id=1262006&frame=details
Vote for its confirmation if you have a PhishTank account.

Seems they are lurkers...

theymos
August 28, 2011, 04:03:02 AM
 #12

Quote from: NothinG
Seems they are lurkers...

I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.

NothinG
August 28, 2011, 04:30:06 AM
 #13

Quote from: theymos
Quote from: NothinG
Seems they are lurkers...

I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.

Looks like we are winning.

EricJ2190
August 28, 2011, 05:28:29 AM
 #14

I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)
Maged
August 28, 2011, 06:52:26 AM
 #15

Looks like Firefox is blocking it now. :)

helloworld
August 28, 2011, 07:39:10 AM
 #16

Quote from: EricJ2190
I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)

Am I the only person that got redirected to a Romanian blog? What's the problem if the link no longer goes to the phishing site?