kwukduck (OP)
August 27, 2011, 03:31:06 PM
Just received an email from 'info@mtgox.com' with the news of 11-08-2011. A link in the message has the text of the mtgox newsletter link but truly links to: hxxp://mtgox.tk/users/login Careful if you got this email too.
14b8PdeWLqK3yi3PrNHMmCvSmvDEKEBh3E

EricJ2190
August 27, 2011, 04:17:22 PM Last edit: August 28, 2011, 12:01:45 AM by EricJ2190
Of interest from the email headers:
Return-Path: <fewfewef@xm33.hostsila.org>
Received: from xm33.hostsila.org (xm33.hostsila.org [194.28.87.253]) ...
Received: from fewfewef by xm33.hostsila.org with local (Exim 4.69) (envelope-from <fewfewef@xm33.hostsila.org>)
I sent off a quick message to the .TK abuse email letting them know about the issue.

helloworld
August 27, 2011, 04:18:16 PM
hxxp://mtgox.tk/users/login
Well, I tried that link just now and it redirects to a Romanian blog site on a .ro domain. hxxp://www.niuzer.ro/Botosani/IMPRESIONANT-Testamentul-Reginiei-Maria-a-Romaniei-2637509.html?utm_source=twitterfeed&utm_medium=twitter

Gavin Andresen
Chief Scientist
August 27, 2011, 10:28:31 PM
I got a copy, too. If you use gmail, use the 'Report phishing' function (in the Reply drop-down menu).
How often do you get the chance to work on a potentially world-changing project?

indio007
August 27, 2011, 10:35:43 PM
Oops I "accidentally" entered a password. U:Blowme P:Gofuckyourself
Why not just spam it with bogus account info?

NothinG
August 28, 2011, 12:24:44 AM
Anyone heard of drive-by's?

dustintrammell
August 28, 2011, 02:18:48 AM
Is there any indication that this is a widespread campaign among more than one Mt. Gox user, perhaps using the database leak data from the breach a while back, or are you the only recipient as far as you know? I'm just wondering if this is more targeted spear-phishing or if they're casting a wider net...
Dustin D. Trammell Twitter: @druidian PGP: E0DC F55C 9386 1691 A67F FB18 F6D9 5E52 FDA6 6E16

Tasty Champa
August 28, 2011, 02:28:27 AM
could tell MagicalTux or someone over there about what fake info you reply with, (just put in legit looking info) then could use that to possibly identify them or at least block the addresses.

SomeoneWeird
August 28, 2011, 02:29:57 AM
could tell MagicalTux or someone over there about what fake info you reply with, (just put in legit looking info) then could use that to possibly identify them or at least block the addresses.
Already told him.

NothinG
August 28, 2011, 03:28:16 AM
Seems they are lurkers...

theymos
Administrator
August 28, 2011, 04:03:02 AM
Seems they are lurkers...
I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

NothinG
August 28, 2011, 04:30:06 AM
Seems they are lurkers...
I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.
Looks like we are winning.

EricJ2190
August 28, 2011, 05:28:29 AM
I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)

Maged
August 28, 2011, 06:52:26 AM
Looks like Firefox is blocking it now.

helloworld
August 28, 2011, 07:39:10 AM
I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)
Am I the only person that got redirected to a Romanian blog? What's the problem if the link no longer goes to the phishing site?