mtgoxx.tk phishing scam - Hold on to your Bitcoins!

[Mr.Bitcoin]

Maybe there's another post about this on the forum, but I couldn't find one.

I got this in an email:

Dear Mt.Gox user,

Your account will be blocked for violating the rules of exchange.
Details: https://www.mtgox.com/users/blocked

Thanks,
The Mt.Gox team

Really? I haven't traded anything on MtGox yet. Maybe Not trading is a violation!

From line reads: info@mtgox.com via xm33.hostsila.org
That's tip #1 it is a scam

Click the link in the email and it takes you to http://mtgooxx.tk/users/blocked
Big tip off #2... Really? TLD for Tokelau? Two xx's? Lame sauce.

Anyway, enter your account details and watch your Bitcoins disappear.
Mr. Btc.

[1714044412]

1714044412

[1714044412]

1714044412

[greyhawk]

Several of these have been going around with different destination URLs.

[ErgoOne]

I also got what I *think* was a legitimate warning about phishes from Mt. Gox.  Unfortunately I was sent from an IP that I couldn't connect via SPF, DKIM or rDNS to mtgox.com (the legitimate Mt. Gox domain).  If this was sent by Mt. Gox, they need to set up their outgoing email properly.  If not, then people need to be aware that some phishes do appear to be warnings about phishing sent by your bank or financial institution.  I didn't check this email carefully for a phish URL.

[m0w3r]

Can they get through the yubikey protection through phishing (i.e. even if I hypothetically foolishly enter my mtgox password)?

[theymos]

Can they get through the yubikey protection through phishing (i.e. even if I hypothetically foolishly enter my mtgox password)?

I would guess so, if you also enter the Yubikey code. (I am not very familiar with Yubikey's operation, though.)

[ErgoOne]

If Yubikey works anything like RSA SecureID does, then no, they couldn't break in without the key itself.  (At least not unless the whole Yubikey infrastructure had been compromised, which as best anyone knows, it has not.)

<security rant> 

HOWEVER....  You should *never* click a link in any email sent by any business to access their web site.   Unless you're technically sophisticated enough to check the source of an email (most people who don't run their own mail servers are not), you won't always be able to tell a phish from the real thing.  Instead, go to their home page from the URL you saved in your bookmarks, or type the web site URL into your browser's address box. 

You should also not discuss your financial information with somebody who calls you on the phone, even if that person claims to be from a bank, financial institution, or business you use unless you know the caller personally and can recognize their voice on the phone.  Instead, get their name, hang up, call 411 or look up the main phone number to that bank, call it, and ask for them.  When you call them, you know you're talking with somebody at the business and not some scammer who stole a database and got your private information. :/

</security rant>

[theymos]

Here's a PhishTank submission again:
http://www.phishtank.com/phish_detail.php?phish_id=1264644