Bitcoin Forum
Author Topic: Beware: "mtgox" yubikey trojan/phishing email  (Read 2636 times)
Insti
Sr. Member
November 19, 2011, 04:00:47 PM
 #1


I recently received an email claiming to be from mtgox (It most certainly isn't)

Quote
From: MtGox <noreply@mtgox.com>
Subject: Protect your Mt.Gox. account using Yubikey!

Protect your Mt.Gox. account using Yubikey!
We have attached your own personal Yubikey.
Download and install it.
Mt.Gox. Team

Content-Type: application/octet-stream; name="MtGoxYubikey.exe"

I've not been crazy enough to do anything with the exe file other than delete it.
zhoutong
VIP
Hero Member
November 19, 2011, 04:43:46 PM
 #2

It's alarming that Mt. Gox doesn't even have SPF set up.

If email phishing is frequent, they should use an SPF record to tell email service providers to reject all emails not from their IPs. This method is not fool-proof, but at least most emails can go to spam instead of entering the inbox.


*.mtgox.com   CNAME   10 minutes      www.mtgox.com
mtgox.com   A   10 minutes      72.52.5.67 (Hollywood, FL, US)
mtgox.com   MX   10 minutes   1   aspmx.l.google.com
mtgox.com   MX   10 minutes   5   alt1.aspmx.l.google.com
mtgox.com   MX   10 minutes   5   alt2.aspmx.l.google.com
mtgox.com   MX   10 minutes   10   aspmx2.googlemail.com
mtgox.com   MX   10 minutes   10   aspmx3.googlemail.com
mtgox.com   MX   10 minutes   10   aspmx4.googlemail.com
mtgox.com   MX   10 minutes   10   aspmx5.googlemail.com
mtgox.com   NS   10 minutes      ns1.xta.net
mtgox.com   NS   10 minutes      ns2.xta.net
mtgox.com   SOA   10 minutes      ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
mtgox.com   SOA   0 seconds      ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
www.mtgox.com   A   10 minutes      72.52.5.81 (Hollywood, FL, US)

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
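An added example, not from the thread or from Mt. Gox, of the check an email provider performs when a domain publishes SPF: the sending IP is evaluated against the domain's "v=spf1" TXT record, and a "-all" record lets the receiver reject forged mail while a domain with no record at all gets result "none", which is the situation the zone listing above shows. The DNS data is a constructed in-memory snapshot (the mtgox.com MX and A entries are copied from the listing; the example-exchange.test and example-mail.test names and their RFC 5737 addresses are hypothetical), and the evaluator is a simplified RFC 7208 check_host without macros, redirect or exp.

```python
import ipaddress

# Constructed DNS snapshot for the example. The mtgox.com entries copy the MX and A records
# from the zone listing in the post above; note that it has no TXT record, i.e. no SPF policy.
# The example-exchange.test / example-mail.test names and addresses are hypothetical.
DNS = {
    "mtgox.com": {"MX": ["aspmx.l.google.com"], "A": ["72.52.5.67"]},
    "example-exchange.test": {
        "TXT": ["v=spf1 mx include:_spf.example-mail.test -all"],
        "MX": ["mail.example-exchange.test"],
        "A": ["203.0.113.5"],
    },
    "mail.example-exchange.test": {"A": ["203.0.113.10"]},
    "_spf.example-mail.test": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed snapshot."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return the domain's 'v=spf1' TXT record, or None when the domain publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): evaluate the sending IP against the domain's SPF policy.

    Supports the ip4/ip6, a, mx, include and all mechanisms (no macros, no exp/redirect).
    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"                    # no policy: a receiver cannot reject a forged sender
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        target = argument or domain
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # 'in' is False when the address family differs, so an IPv6 sender never matches ip4
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = ip in lookup(target, "A")
        elif mechanism == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mechanism == "include":
            matched = check_host(ip, argument, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism: the record is malformed
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no explicit 'all'


def disposition(result):
    """Map an SPF result to the receiver action the post above argues for."""
    return {"fail": "reject", "softfail": "spam folder"}.get(result, "deliver (no SPF verdict)")


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example-exchange.test"),
                       ("198.51.100.7", "example-exchange.test"),
                       ("192.0.2.99", "example-exchange.test"),
                       ("192.0.2.99", "mtgox.com")]:
        result = check_host(ip, domain)
        print(f"{ip:>14} claiming {domain:<22} -> {result:<8} {disposition(result)}")
```

The last case is the point of the post: with no TXT record, a forged "From: noreply@mtgox.com" evaluates to "none" and the receiving provider has no grounds to reject or spam-folder it, whereas the hypothetical domain's "-all" turns the same forgery into a hard fail.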
Tuxavant
Hero Member
November 19, 2011, 04:49:26 PM
 #3

Quote
It's alarming that Mt. Gox doesn't even have SPF setup.

It's reassuring that the fraudsters think the target group of these kinds of attacks are stupid enough to fall for it.

Generation Bitcoin | G+ | FB | Bitcoins In Vegas | CoinBus.com | TOR Exit Operator 1MVTPATVCKBMfALRHJsXpHfKJu7GyL7nAc
ultramancool
Newbie
November 19, 2011, 04:56:12 PM
 #4

If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.
zhoutong
VIP
Hero Member
November 19, 2011, 04:57:36 PM
 #5

Quote
If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

That's cool. I wanted to send it to you, but I received this:

Quote
FILE DELETED

MtGoxYubikey.exe has been removed since it was found to match the FILE FILTER= ExchangeLabs File Filter List 1: <in> *.exe file filter.

:-(

Exchange is too secure.


Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
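An added example, not from the thread, of the kind of attachment filter that stopped the file in the post above (and that would have caught the "application/octet-stream; name=MtGoxYubikey.exe" part quoted in the first post). It parses a constructed copy of the message with Python's email module and flags a part on two independent grounds: a blocked filename extension, and the "MZ" magic bytes of a Windows executable in the decoded content, so renaming the file to .txt does not get it past the check. The message and the attachment body (a PE header stub) are constructed here; they are not the real file from the thread.

```python
import base64
import email
import os
from email import policy

BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows PE executable

# Constructed stand-in for the attachment: a DOS/PE header stub, not the real file from the thread.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 58 + b"This program cannot be run in DOS mode."


def build_message(filename, payload):
    """Assemble a constructed multipart message modelled on the one quoted in the first post."""
    return (
        "From: MtGox <noreply@mtgox.com>\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: Protect your Mt.Gox. account using Yubikey!\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "We have attached your own personal Yubikey. Download and install it.\r\n"
        "--b1\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        f"{base64.b64encode(payload).decode()}\r\n"
        "--b1--\r\n"
    )


def find_executable_attachments(raw_message):
    """Return (filename, size, reasons) for every part that looks like a Windows executable.

    Two independent checks: the declared filename's extension, and the decoded content's
    magic bytes, so renaming MtGoxYubikey.exe to something.txt does not evade the filter.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # containers carry no content of their own
        name = part.get_filename() or part.get_param("name") or ""
        payload = part.get_payload(decode=True) or b""   # base64 is decoded here
        reasons = []
        extension = os.path.splitext(name.lower())[1]
        if extension in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {extension}")
        if payload.startswith(PE_MAGIC):
            reasons.append("PE/MZ header in content")
        if reasons:
            findings.append((name, len(payload), reasons))
    return findings


if __name__ == "__main__":
    for filename in ("MtGoxYubikey.exe", "readme.txt"):
        for hit in find_executable_attachments(build_message(filename, FAKE_PAYLOAD)):
            print(f"{hit[0]!r}: {hit[1]} bytes, flagged for {', '.join(hit[2])}")
```

The extension list alone is what a "*.exe file filter" does; the magic-byte check is the part worth adding, because it catches the same payload under any name and costs only a base64 decode per part.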
wareen
Millionaire
Hero Member
bitcoin-austria.at
November 19, 2011, 05:18:27 PM
 #6

Quote
If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Here you go:
http://www.mediafire.com/file/dbxcf58b5m8pm2c/MtGoxYubikey.rar

Password: thisisavirus

Have fun Smiley
foo
Sr. Member
November 19, 2011, 07:44:18 PM
 #7

Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

I know this because Tyler knows this.
gimme_bottles
Sr. Member
November 19, 2011, 07:54:43 PM
 #8

Quote
If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Without knowledge of the malware, I bet they steal your wallet Smiley
Just logical, because nearly everyone using mtgox has a wallet stored on their computer. They're the perfect target.

1Gk194CHEgFPbh8gEM7agMNRXeWkfw2Fv7
wareen
Millionaire
Hero Member
bitcoin-austria.at
November 19, 2011, 10:03:14 PM
 #9

Quote
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

How many Mt. Gox accounts did you have? Wink
theymos
Administrator
Legendary
November 19, 2011, 10:09:34 PM
 #10

Quote
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

I'm also receiving one every ~5 minutes even though I only have one MtGox account. (Now they're being discarded automatically, of course.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Matthew N. Wright
Untrustworthy
Hero Member
Hero VIP ultra official trusted super staff puppet
November 19, 2011, 10:11:35 PM
 #11

Quote
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

Quote
I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Maybe someone's script is stuck on loop? Script kiddies aren't even good enough to be script kiddies these days?


@foo: Are you the dude making the dehydrated strawberries?

BTC_Bear
B4 Foundation
VIP
Sr. Member
Best Offense is a Good Defense
November 19, 2011, 10:13:25 PM
 #12

Wasn't MtGox going to add a signed signature to his emails?




Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
foo
Sr. Member
November 19, 2011, 10:14:54 PM
 #13

Quote
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

Quote
I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Quote
Maybe someone's script is stuck on loop? Script kiddies aren't even good enough to be script kiddies these days?

Seems like it. coexist.biz is the exploited server that's spamming, I'd send the owner an email, but their whois info is hidden.

Quote
@foo: Are you the dude making the dehydrated strawberries?

I have no idea what you are talking about.

I know this because Tyler knows this.
Matthew N. Wright
Untrustworthy
Hero Member
Hero VIP ultra official trusted super staff puppet
November 19, 2011, 10:18:49 PM
 #14

Quote
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

Quote
I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Quote
Maybe someone's script is stuck on loop? Script kiddies aren't even good enough to be script kiddies these days?

Quote
Seems like it. coexist.biz is the exploited server that's spamming, I'd send the owner an email, but their whois info is hidden.

Quote
@foo: Are you the dude making the dehydrated strawberries?

Quote
I have no idea what you are talking about.

https://bitcointalk.org/index.php?topic=52331

foo
Sr. Member
November 19, 2011, 10:21:27 PM
 #15

http://www.catb.org/hacker-emblem/

I know this because Tyler knows this.
theymos
Administrator
Legendary
November 19, 2011, 10:39:23 PM
 #16

I emailed leaseweb about it already. More complaints (to abuse@leaseweb.com ) wouldn't hurt, though.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Insti
Sr. Member
November 19, 2011, 11:06:36 PM
 #17

Quote
I emailed leaseweb about it already. More complaints (to abuse@leaseweb.com ) wouldn't hurt, though.

The messages are still coming in. (to /dev/null at least)
I emailed a complaint.
ultramancool
Newbie
November 20, 2011, 02:53:17 AM
 #18

Just wanted to give everyone an update - I got a copy of the executable. It was (very strangely) a 64 bit executable, autoit based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing. Judging by block explorer this person hasn't been too successful unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64 bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.
jothan
Full Member
Feel the coffee, be the coffee.
November 20, 2011, 03:35:40 AM
 #19

Quote
Just wanted to give everyone an update - I got a copy of the executable. It was (very strangely) a 64 bit executable, autoit based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing. Judging by block explorer this person hasn't been too successful unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64 bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.

Is the address constant, or is a different address buried in each executable?

Bitcoin: the only currency you can store directly into your brain.

What this planet needs is a good 0.0005 BTC US nickel.
BCEmporium
Legendary
November 20, 2011, 01:58:55 PM
 #20

Damn spammer! This is probably the dumbest phisher I've ever come across.
Nevertheless my mobile provider must be happy; thanks to this bozo and his 1000+ resends of the same crap, my mobile data plafond went down.  Angry