Bitcoin Forum
Author Topic: MtGox spoof mail+site  (Read 1938 times)
kwukduck
Legendary
Activity: 1564
August 27, 2011, 03:31:06 PM
#1

Just received an email from 'info@mtgox.com' with the news of 11-08-2011, a link in the message has the text of the mtgox newsletter link but truly links to:
hxxp://mtgox.tk/users/login

Careful if you got this email too.

14b8PdeWLqK3yi3PrNHMmCvSmvDEKEBh3E
EricJ2190
Full Member
Activity: 134
August 27, 2011, 04:17:22 PM
#2

Of interest from the email headers:
Code:
Return-Path: <fewfewef@xm33.hostsila.org>
Received: from xm33.hostsila.org (xm33.hostsila.org [194.28.87.253])
...
Received: from fewfewef by xm33.hostsila.org with local (Exim 4.69)
(envelope-from <fewfewef@xm33.hostsila.org>)

I sent off a quick message to the .TK abuse email letting them know about the issue.
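
The two mismatches reported in posts #1 and #2 (visible link text vs. real link target, and the From address vs. the Return-Path host) can be checked mechanically. This is an added example, not part of any post in this thread; the visible link text in the sample is constructed, and `host_of`, `within`, `Links` and `phishing_signals` are hypothetical names.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From, Return-Path and href are from the thread; link text is made up.
SAMPLE = """\
Return-Path: <fewfewef@xm33.hostsila.org>
From: info@mtgox.com

<p><a href="hxxp://mtgox.tk/users/login">https://mtgox.com/newsletter</a></p>
"""

def host_of(value):  # lower-cased host of a URL or e-mail address, else ""
    if "://" in value:
        return (urlparse(value.strip()).hostname or "").lower()
    addr = parseaddr(value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def within(host, domain):
    return host == domain or host.endswith("." + domain)

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self.open = [], False  # found holds [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.found[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def phishing_signals(raw):
    msg = email.message_from_string(raw)  # assumes a single-part HTML body
    claimed, bounce = host_of(msg.get("From", "")), host_of(msg.get("Return-Path", ""))
    out = []
    if bounce and not within(bounce, claimed):
        out.append(("envelope-mismatch", claimed, bounce))
    links = Links()
    links.feed(msg.get_payload())
    for href, text in links.found:
        shown, target = host_of(text), host_of(href)
        if shown and target and not within(target, shown):
            out.append(("link-mismatch", shown, target))
    return out
```

An envelope mismatch alone is a weak signal, since legitimate bulk mail often uses a third-party bounce domain; the receiving server's SPF, DKIM and DMARC results are the stronger check.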
helloworld
Full Member
Activity: 182
August 27, 2011, 04:18:16 PM
#3

hxxp://mtgox.tk/users/login

Well, I tried that link just now and it redirects to a Romanian blog site on a .ro domain.

hxxp://www.niuzer.ro/Botosani/IMPRESIONANT-Testamentul-Reginiei-Maria-a-Romaniei-2637509.html?utm_source=twitterfeed&utm_medium=twitter

Gavin Andresen
Legendary
Activity: 1652
Chief Scientist
August 27, 2011, 10:28:31 PM
#4

I got a copy, too.  If you use gmail, use the 'Report phishing' function (in the Reply drop-down menu).

How often do you get the chance to work on a potentially world-changing project?
indio007
Full Member
Activity: 210
August 27, 2011, 10:35:43 PM
#5

Oops I "accidentally" entered a password.
U:Blowme
P:Gofuckyourself

Why not just spam it with bogus account info?
NothinG
Hero Member
Activity: 560
August 28, 2011, 12:24:44 AM
#6

Anyone heard of drive-by's?

dustintrammell
VIP
Full Member
Activity: 153
August 28, 2011, 02:18:48 AM
#7

Is there any indication that this is a widespread campaign among more than one Mt. Gox user, perhaps using the database leak data from the breach a while back, or are you the only recipient as far as you know?  I'm just wondering if this is more targeted spear-phishing or if they're casting a wider net...
Tasty Champa
Member
Activity: 84
August 28, 2011, 02:28:27 AM
#8

could tell MagicalTux or someone over there about what fake info you reply with,
(just put in legit looking info)
then could use that to possibly identify them or at least block the addresses.
SomeoneWeird
Hero Member
Activity: 700
August 28, 2011, 02:29:57 AM
#9

could tell MagicalTux or someone over there about what fake info you reply with,
(just put in legit looking info)
then could use that to possibly identify them or at least block the addresses.

Already told him.
theymos
Administrator
Legendary
Activity: 2492
August 28, 2011, 03:26:16 AM
#10

I submitted it to PhishTank:
http://www.phishtank.com/phish_detail.php?phish_id=1262006&frame=details
Vote for its confirmation if you have a PhishTank account.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
NothinG
Hero Member
Activity: 560
August 28, 2011, 03:28:16 AM
#11

I submitted it to PhishTank:
http://www.phishtank.com/phish_detail.php?phish_id=1262006&frame=details
Vote for its confirmation if you have a PhishTank account.

Seems they are lurkers...

theymos
Administrator
Legendary
Activity: 2492
August 28, 2011, 04:03:02 AM
#12

Seems they are lurkers...

I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
NothinG
Hero Member
Activity: 560
August 28, 2011, 04:30:06 AM
#13

Seems they are lurkers...

I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.

Looks like we are winning.

EricJ2190
Full Member
Activity: 134
August 28, 2011, 05:28:29 AM
#14

I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)
Maged
Legendary
Activity: 1260
August 28, 2011, 06:52:26 AM
#15

Looks like Firefox is blocking it now. :)

helloworld
Full Member
Activity: 182
August 28, 2011, 07:39:10 AM
#16

I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)

Am I the only person that got redirected to a Romanian blog? What's the problem if the link no longer goes to the phishing site?
