Bitcoin Forum
Author Topic: Mtgox mail server hacked?[Spoofed phishing Email]  (Read 3597 times)
hgamezoom (OP)
Full Member
Activity: 141
Merit: 100
February 26, 2014, 11:11:53 PM
Last edit: February 26, 2014, 11:38:20 PM by hgamezoom
 #1

Anyone received an email from info@mtgox.com today?



Dear MtGox Customers,

Please sign the papers attached, we can complete the process of closing the account and send you what the balance to another Wallet Address.

Sincerely,
Mark Karpeles
February 26th 2014

    Download Documents



The attachment proved to be a trojan.

01BTC10
VIP
Hero Member
Activity: 756
Merit: 503
February 26, 2014, 11:14:34 PM
 #2

Email senders probably spoofed. Post the email header if you know how.

If you can send me a sample of the malware, I would be interested to look at it.
hgamezoom (OP)
Full Member
Activity: 141
Merit: 100
February 26, 2014, 11:19:02 PM
 #3

Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])
   by mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2;
   Thu, 27 Feb 2014 01:55:05 +0800 (CST)
Return-Path: <info@mtgox.com>
X-MSFBL: aGdhbWV6b29tQDE2My5jb21AMTkyXzQwXzE4MV8yMjNATW9udGhseUA=
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
   q=dns/txt; i=@smtp.com; t=1393437303;
   h=From:Subject:To:Date:MIME-Version:Content-Type;
   bh=RlEPvQ2wTbC1TdI3QqtLGxBIs8vf6Ave71VYWUFsh9M=;
   b=ZvaSNdIH0AYf1HhC4Jh9y7Mpa2gwlhHpKQFMVJEC9ylCCaNOAVa2J72SKqiZ2GbN
   tUWIKRbbZB4dnhz3kZMDfBf9ISU3s+RpwKCs3cbiH3Lo1ajwMfEwPblkFFhDrQZV
   pPiRd0rudPIwzOLX6YWRwGokXA2fS2XL439o5e27G3g=;
Received: from [216.55.179.253] ([216.55.179.253:61709] helo=216-55-179-253.dedicated.codero.net)
   by sl-mta06.smtp.com (envelope-from <info@mtgox.com>)
   (ecelerity 3.5.5.39309 r(Platform:3.5.5.0)) with ESMTPSA (cipher=AES256-SHA)
   id CD/91-28532-67A2E035; Wed, 26 Feb 2014 17:55:03 +0000
From: "info@mtgox.com" <info@mtgox.com>
Message-ID: <CD.91.28532.67A2E035@sl-mta06>
Subject: Dear MtGox Customers
To: "xxxx" <xxxx@163.com>
Content-Type: multipart/alternative; boundary="TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM"
MIME-Version: 1.0
Organization: info@mtgox.com
Date: Wed, 26 Feb 2014 10:54:11 -0700
X-SMTPCOM-Tracking-Number: b442d38f-0ed8-421a-bcd0-4fa0b12cbe4d
X-SMTPCOM-Sender-ID: 6004374
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to abuse@smtp.com
X-CM-TRANSID:YMCowEDp30d3Kg5TuhQ7Cw--.1133S2
Authentication-Results: mx46; spf=neutral smtp.mail=info@mtgox.com; dk
   im=pass header.i=@smtp.com
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73
   VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxU4AR6UUUUU


This is a multi-part message in MIME format

--TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=EF=BB=BFDear MtGox Customers,
Please sign the papers attached, we can complete the process of closin=
g the account and send you what the balance to another Wallet Address.=

Sincerely,
Mark Karpeles
February 26th 2014

    Download Documents


--TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=EF=BB=BF<HTML><HEAD><TITLE></TITLE></HEAD>
<BODY>
<P>Dear MtGox Customers,</P>
<P>Please sign the papers attached, we can complete the process of clo=
sing the account and send you what the balance to another Wallet Addre=
ss.</P>
<P>Sincerely,<BR>Mark Karpeles<BR>February 26th 2014<BR><BR>&nbsp; &nb=
sp; <SPAN style=3D"COLOR: #000000"><STRONG><A href=3D"http://deseobc.c=
om/style/imports/mtgox/?PaperMtgox.pdf">Download Documents</A></STRONG=
></SPAN><STRONG></STRONG><BR><A href=3D"http://deseobc.com/style/impor=
ts/mtgox/?PaperMtgox.pdf"><IMG border=3D0 hspace=3D0 alt=3D"" src=3D"h=
ttp://deseobc.com/img/video/Untitled.jpg" align=3Dbottom></A></P></BOD=
Y></HTML>


--TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM--
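As an added illustration (not code from the thread), here are the checks 01BTC10 asked for, run on these headers in Python: which domain DKIM-signed the message, whether that signer aligns with the From domain, and the IP of the earliest visible hop. The header excerpt is constructed from the headers posted above, re-wrapped on token boundaries and shortened.

```python
import re
from email.utils import parseaddr

# Constructed excerpt of the headers posted above; Authentication-Results
# re-wrapped on a token boundary, long Received lines shortened.
RAW_HEADERS = """\
Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])
   by mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2
Return-Path: <info@mtgox.com>
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers;
   c=relaxed/simple; i=@smtp.com; h=From:Subject:To:Date
Received: from [216.55.179.253] ([216.55.179.253:61709] helo=216-55-179-253.dedicated.codero.net)
   by sl-mta06.smtp.com (envelope-from <info@mtgox.com>) with ESMTPSA
From: "info@mtgox.com" <info@mtgox.com>
Authentication-Results: mx46; spf=neutral smtp.mail=info@mtgox.com;
   dkim=pass header.i=@smtp.com
"""

def header_fields(raw):
    """Unfold continuation lines; return (lowercased name, value) pairs in order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    pairs = [l.split(":", 1) for l in unfolded.splitlines() if ":" in l]
    return [(n.strip().lower(), v.strip()) for n, v in pairs]

def first(fields, name, pattern):
    """Regex group 1 (lowercased) from the first header called `name`, or None."""
    for n, v in fields:
        if n == name:
            m = re.search(pattern, v)
            return m.group(1).lower() if m else None
    return None

def analyze(raw):
    f = header_fields(raw)
    from_dom = parseaddr(first(f, "from", r"(.*)") or "")[1].rpartition("@")[2] or None
    sig_dom = first(f, "dkim-signature", r"(?:^|;)\s*d=([^;\s]+)")
    # Received headers are prepended by each hop, so the last one is the earliest.
    received = [v for n, v in f if n == "received"]
    m = re.search(r"from .*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return {
        "from_domain": from_dom,
        "dkim_domain": sig_dom,
        "spf": first(f, "authentication-results", r"\bspf=(\w+)"),
        "dkim": first(f, "authentication-results", r"\bdkim=(\w+)"),
        # DMARC-style relaxed alignment: the signer must be the From domain or its parent.
        "dkim_aligned": bool(from_dom and sig_dom and
                             (from_dom == sig_dom or from_dom.endswith("." + sig_dom))),
        "origin_ip": m.group(1) if m else None,
    }
```

A "dkim=pass" with a signer that does not align with the From domain, as here, only proves the relay signed what it relayed; it says nothing about mtgox.com.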
hgamezoom (OP)
Full Member
Activity: 141
Merit: 100
February 26, 2014, 11:20:47 PM
 #4

The malware link is included, be careful opening it.

LarryLiu
Newbie
Activity: 56
Merit: 0
February 26, 2014, 11:23:24 PM
 #5

Quote from: hgamezoom on February 26, 2014, 11:20:47 PM
The malware link is included, be careful opening it.

You don't need to hack their email server to send phishing emails such as this one.
01BTC10
VIP
Hero Member
Activity: 756
Merit: 503
February 26, 2014, 11:39:47 PM
 #6

This IP: 216.55.179.253 is probably not from MtGox. It is coming from the US. The link to the pdf is already not working.
Massimo80
Full Member
Activity: 168
Merit: 100
February 27, 2014, 12:04:27 AM
 #7

Quote from: 01BTC10 on February 26, 2014, 11:39:47 PM
This IP: 216.55.179.253 is probably not from MtGox. It is coming from the US. The link to the pdf is already not working.

That was actually not a PDF, but a .PIF file (note the "?" before the alleged file name, which triggered a server-side script that actually returned a completely different file).
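An added Python check (not from the thread) for Massimo80's point: split the lure URL and flag that the "file name" is only a query string handed to a directory script, alongside the mismatch between the link host and the claimed sender domain. The URL and domain are taken from the posted message; nothing is fetched.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample: the lure link and claimed sender domain from the posted message.
LURE_URL = "http://deseobc.com/style/imports/mtgox/?PaperMtgox.pdf"
CLAIMED_SENDER_DOMAIN = "mtgox.com"

def lure_findings(url, sender_domain):
    """Return a list of reasons a 'document' link does not match what it claims to be."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    name_in_path = posixpath.basename(p.path)  # '' when the path ends in '/'
    flags = []
    if host != sender_domain and not host.endswith("." + sender_domain):
        flags.append("host mismatch: %s vs %s" % (host, sender_domain))
    if not name_in_path and p.query:
        # The path is a directory (index script); the '.pdf' is just an argument to
        # it, so the server is free to return any file type it likes.
        flags.append("file name only in query: %s" % p.query)
    if p.scheme != "https":
        flags.append("not https")
    return flags
```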
ole23
Newbie
Activity: 13
Merit: 0
February 27, 2014, 02:36:48 AM
 #8

It's been a boring day at work, so I thought I would help. The IP address 216.55.179.253 belongs to a company called Codero. Here is the website: www.codero.com They are a hosting site and are known to host spam servers, as I found out here: http://www.forumpostersunion.com/showthread.php?t=22423
Here is their WhoIs info:
Code:
NetRange:       216.55.176.0 - 216.55.187.255
CIDR:           216.55.184.0/22, 216.55.176.0/21
OriginAS:       AS10316
NetName:        CODERO1999A
NetHandle:      NET-216-55-176-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
RegDate:        1999-05-28
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-216-55-176-0-1

OrgName:        Codero
OrgId:          APHIN
Address:        5750 W. 95th St., Suite 300
City:           Overland Park
StateProv:      KS
PostalCode:     66207
Country:        US
RegDate:        2009-07-21
Updated:        2013-12-03
Ref:            http://whois.arin.net/rest/org/APHIN

OrgAbuseHandle: APHAB-ARIN
OrgAbuseName:   APH Abuse
OrgAbusePhone:  +1-866-226-3376
OrgAbuseEmail:  abuse@codero.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/APHAB-ARIN

OrgTechHandle: ADA108-ARIN
OrgTechName:   APH DNS Administrator
OrgTechPhone:  +1-866-226-3376
OrgTechEmail:  dns@codero.com
OrgTechRef:    http://whois.arin.net/rest/poc/ADA108-ARIN

If you notice this section here:
Quote
Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])
   by mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2;
   Thu, 27 Feb 2014 01:55:05 +0800 (CST)
This tells me that the original was sent from the IP to mailer223.gate181.sl@smtp.com. Smtp.com is being used like a proxy server to get past Codero's spam filter. That would also explain why they had to use port 61709, as seen here:
Quote
Received: from [216.55.179.253] ([216.55.179.253:61709] helo=216-55-179-253.dedicated.codero.net)

I know what you're thinking, what about the download? The truth is, I can't look at it here at work, but I can tell that it comes from http://deseobc.com/ and here is the Whois info for this site:
Code:
Domain Name: DESEOBC.COM
Registry Domain ID:
Registrar WHOIS Server: whois.neubox.com
Registrar URL: http://neubox.com/
Updated Date: 10-Jul-2013
Creation Date: 11-Mar-2013
Registrar Registration Expiration Date: 11-Mar-2014
Registrar: NEUBOX Internet S.A. de C.V.
Registrar IANA ID: 1483
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +524448100982
Domain Status: clientTransferProhibited
Registry Registrant ID: NBX_24167807
Registrant Name: Mauricio Gaona Olivo
Registrant Organization: MS Consulting
Registrant Street: Iglesia 130   
Registrant City: Mexico
Registrant State/Province: Distrito Federal
Registrant Postal Code: 01900
Registrant Country: MX
Registrant Phone: +52.36156415
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID: NBX_24167807
Admin Name: Mauricio Gaona Olivo
Admin Organization: MS Consulting
Admin Street: Iglesia 130 
Admin City: Mexico
Admin State/Province: Distrito Federal
Admin Postal Code: 01900
Admin Country: MX
Admin Phone: +52.36156415
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID: NBX_24167807
Tech Name: Mauricio Gaona Olivo
Tech Organization: MS Consulting
Tech Street: Iglesia 130 
Tech City: Mexico
Tech State/Province: Distrito Federal
Tech Postal Code: 01900
Tech Country: MX
Tech Phone: +52.36156415
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server: ns143.neubox.net
Name Server: ns144.neubox.net
And all this matches up because the name on the Whois is the same name that is on the main page that says: "Powered by Mau Gaona." The lesson for today, kids: if you're going to try to steal from someone, don't sign the damn page hosting the download!
TheMightyX
Sr. Member
Activity: 350
Merit: 250

Vires in Numeris
February 27, 2014, 07:04:29 AM
 #9

Just got this email as well, and obviously mtgox has made no mention of reparations, so this seemed odd.
Also the fact that the file was hosted at a site other than mtgox.com was strange. They have their own servers, why not use them?
Thirdly, the file redirection was the tipping point.
These people have lost enough money from mtgox and now we are going to rip them off of their local wallets?
Wow, some people are just too fucking edgy for me.
When they say that money is the root of all evil, this is what they mean.
nitoniwatori
Newbie
Activity: 48
Merit: 0
February 27, 2014, 04:50:34 PM
 #10

I got it too :) I feel honored somehow.... :o
bitcoinminer
Sr. Member
Activity: 322
Merit: 252
February 27, 2014, 04:59:44 PM
 #11

It should have been immediately obvious it was fake because it was a communication from Mt. Gox :-)

Be fearful when others are greedy, and greedy when others are fearful.

-Warren Buffett
norill
Newbie
Activity: 6
Merit: 0
March 01, 2014, 09:23:32 PM
 #12

Quote from: bitcoinminer on February 27, 2014, 04:59:44 PM
It should have been immediately obvious it was fake because it was a communication from Mt. Gox :-)
rofl

but seriously, I would like to know where they got my email address
hobbes
Full Member
Activity: 128
Merit: 107
March 12, 2014, 10:50:44 AM
 #13

I get some spam from them, too. Seemingly Bitstamp emails got leaked a while ago, too (in addition to some older gox emails): http://www.reddit.com/r/Bitcoin/comments/1zaqvy/bitstamp_email_list_used_to_spread_mtgox_malware/cfs21qr

Code:
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to abuse@smtp.com
Somebody tried telling?


Amitabh S
Legendary
Activity: 1001
Merit: 1003
March 12, 2014, 12:09:51 PM
 #14

Does Gmail/Yahoo allow viewing headers? Can we block smtp.com there?

Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)