Insti (OP)
Sr. Member
Offline
Activity: 294
Merit: 252
Firstbits: 1duzy
November 19, 2011, 04:00:47 PM
I recently received an email claiming to be from mtgox (It most certainly isn't):

From: MtGox <noreply@mtgox.com>
Subject: Protect your Mt.Gox. account using Yubikey!

Protect your Mt.Gox. account using Yubikey!
We have attached your own personal Yubikey. Download and install it.
Mt.Gox. Team

Content-Type: application/octet-stream; name="MtGoxYubikey.exe"

I've not been crazy enough to do anything with the exe file other than delete it.
"This isn't the kind of software where we can leave so many unresolved bugs that we need a tracker for them." -- Satoshi
zhoutong
VIP
Hero Member
Offline
Activity: 490
Merit: 502
November 19, 2011, 04:43:46 PM
It's alarming that Mt. Gox doesn't even have SPF set up. If email phishing is frequent, they should use an SPF record to tell email service providers to reject all emails not from their IPs. This method is not fool-proof, but at least most emails can go to spam instead of entering the inbox.

*.mtgox.com    CNAME  10 minutes  www.mtgox.com
mtgox.com      A      10 minutes  72.52.5.67 (Hollywood, FL, US)
mtgox.com      MX     10 minutes  1 aspmx.l.google.com
mtgox.com      MX     10 minutes  5 alt1.aspmx.l.google.com
mtgox.com      MX     10 minutes  5 alt2.aspmx.l.google.com
mtgox.com      MX     10 minutes  10 aspmx2.googlemail.com
mtgox.com      MX     10 minutes  10 aspmx3.googlemail.com
mtgox.com      MX     10 minutes  10 aspmx4.googlemail.com
mtgox.com      MX     10 minutes  10 aspmx5.googlemail.com
mtgox.com      NS     10 minutes  ns1.xta.net
mtgox.com      NS     10 minutes  ns2.xta.net
mtgox.com      SOA    10 minutes  ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
mtgox.com      SOA    0 seconds   ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
www.mtgox.com  A      10 minutes  72.52.5.81 (Hollywood, FL, US)
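Added example (editorial, not code from any poster in this thread): zhoutong's point is that a domain with no SPF record gives a receiving mail server nothing to check a forged "noreply@mtgox.com" against, whereas a record ending in "-all" lets the receiver reject mail from any host outside the listed netblocks. The Python below is a minimal SPF evaluator run over constructed DNS answers: "mtgox.com" with no record (matching the lookup above, which shows no TXT entry) and a hypothetical "mtgox-with-spf.example" publishing the kind of record a Google-hosted domain would use. The netblocks, the example hostname and the function names are assumptions for the example; only ip4/ip6/include/all are implemented.

```python
import ipaddress

# Constructed DNS TXT answers for this example (no live lookups are made).
# "mtgox.com" is left with no SPF record, as in zhoutong's output above.
# "mtgox-with-spf.example" is a hypothetical domain publishing the kind of
# record a Google Apps-hosted domain would use; the Google netblocks below
# are illustrative, not an authoritative list.
FAKE_DNS_TXT = {
    "mtgox.com": [],
    "mtgox-with-spf.example": ["v=spf1 include:_spf.google.com -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com -all"],
    "_netblocks.google.com": ["v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 -all"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF policy of `domain` for one connecting IP address.

    Returns 'none' when the domain publishes no SPF record (the receiver then
    has nothing to enforce), otherwise 'pass', 'fail', 'softfail', 'neutral'
    or 'permerror'. Only the ip4/ip6/include/all mechanisms are implemented;
    a/mx/exists/ptr, redirect= and the DNS-lookup limit are simplified away.
    """
    if depth > 10:
        return "permerror"
    records = [r for r in txt.get(domain, [])
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # `in` returns False for a version mismatch rather than raising
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[len("include:"):], sender_ip, txt, depth + 1) == "pass"
        else:
            matched = False                  # unsupported mechanism: no match
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                         # no mechanism matched


def receiver_action(domain, sender_ip):
    """What a receiving MTA can do with the verdict: reject hard fails,
    quarantine soft fails, deliver the rest. With 'none' there is no policy
    at all, so the forged mail lands in the inbox."""
    verdict = check_spf(domain, sender_ip)
    action = {"fail": "reject", "softfail": "quarantine"}.get(verdict, "deliver")
    return verdict, action


if __name__ == "__main__":
    # A forged "noreply@mtgox.com" arriving from an unrelated host:
    for d in ("mtgox.com", "mtgox-with-spf.example"):
        print(d, receiver_action(d, "203.0.113.7"))
```

The same connection is delivered for "mtgox.com" (verdict none) and rejected for the domain that publishes "-all" (verdict fail); mail from one of the listed Google netblocks still passes through the include chain.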
Tuxavant
November 19, 2011, 04:49:26 PM
Quote from zhoutong: It's alarming that Mt. Gox doesn't even have SPF set up.

It's reassuring that the fraudsters think the target group of these kinds of attacks are stupid enough to fall for it.
ultramancool
Newbie
Offline
Activity: 18
Merit: 0
November 19, 2011, 04:56:12 PM
If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.
zhoutong
VIP
Hero Member
Offline
Activity: 490
Merit: 502
November 19, 2011, 04:57:36 PM
Quote from ultramancool: If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

That's cool. I wanted to send it to you but I received this:

FILE DELETED
MtGoxYubikey.exe has been removed since it was found to match the FILE FILTER= ExchangeLabs File Filter List 1: <in> *.exe file filter.

:-( Exchange is too secure.
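Added example (editorial, not code from anyone in this thread): the Exchange filter zhoutong ran into blocks attachments by name ("*.exe"), and ultramancool later notes that the payload had to be base64-decoded out of the message by hand. The Python below parses a constructed lookalike of the lure quoted in the opening post, decodes every attachment and flags it both by extension and by the "MZ" header every Windows executable starts with, so a renamed copy is caught as well. The attachment body is a few dummy bytes, not the real file; the message builders, the extension list and the function names are assumptions for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions an attachment filter would strip outright (the Exchange rule in
# the thread matched "*.exe"); constructed list for the example.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def build_sample_message(filename="MtGoxYubikey.exe"):
    """Construct a lookalike of the lure quoted in the opening post.
    The attachment is a handful of dummy bytes behind an 'MZ' header,
    not the real file; it is base64-encoded by the email library."""
    msg = EmailMessage()
    msg["From"] = "MtGox <noreply@mtgox.com>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Protect your Mt.Gox. account using Yubikey!"
    msg.set_content(
        "Protect your Mt.Gox. account using Yubikey!\n"
        "We have attached your own personal Yubikey. Download and install it.\n"
        "Mt.Gox. Team\n"
    )
    msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def build_benign_message():
    """Constructed control message with a harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "notes"
    msg.set_content("see attached\n")
    msg.add_attachment("just some text\n", filename="notes.txt")
    return msg.as_bytes()


def scan_message(raw):
    """Decode every attachment (base64 included) and return a list of
    (filename, [reasons]) for the parts a mail filter should strip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        content = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        # Content sniffing catches the executable even when it is renamed,
        # which a name-only rule such as "*.exe" would miss.
        if content.startswith(PE_MAGIC):
            reasons.append("PE header (MZ) in attachment content")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
    print(scan_message(build_sample_message("invoice.pdf")))
    print(scan_message(build_benign_message()))
```

The first call flags the attachment on both counts, the renamed copy is flagged on content alone, and the text attachment passes clean.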
wareen
Millionaire
Legendary
Offline
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
November 19, 2011, 05:18:27 PM
Quote from ultramancool: If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Here you go: http://www.mediafire.com/file/dbxcf58b5m8pm2c/MtGoxYubikey.rar
Password: thisisavirus
Have fun
foo
November 19, 2011, 07:44:18 PM (Last edit: November 19, 2011, 09:29:56 PM by foo)
Argh! I've now received TEN of these, and they just keep coming. EDIT: Thirteen now. EDIT: 58, no wait, another one just arrived. 59 emails!
I know this because Tyler knows this.
gimme_bottles
November 19, 2011, 07:54:43 PM
Quote from ultramancool: If anyone gets a copy of this exe, please PM me on the forum or email me at ultramancool@gmail.com. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Without knowledge of malware, I bet they steal your wallet. Just logical, because nearly everyone using mtgox has a wallet stored on their computer. They're the perfect target.
wareen
Millionaire
Legendary
Offline
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
November 19, 2011, 10:03:14 PM
Quote from foo: Argh! I've now received TEN of these, and they just keep coming. EDIT: Thirteen now. EDIT: 58, no wait, another one just arrived. 59 emails!

How many Mt. Gox accounts did you have?
theymos
Administrator
Legendary
Offline
Activity: 5194
Merit: 12983
November 19, 2011, 10:09:34 PM
Quote from foo: Argh! I've now received TEN of these, and they just keep coming. EDIT: Thirteen now. EDIT: 58, no wait, another one just arrived. 59 emails!

I'm also receiving one every ~5 minutes even though I only have one MtGox account. (Now they're being discarded automatically, of course.)
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
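Added example (editorial, not code from any poster): theymos says the copies are now being discarded automatically, and later in the thread foo names coexist.biz as the relaying host. A receiver can do that discarding with a simple flood rule: count identical (host, sender, subject) triples inside a sliding time window and drop the whole group once it passes a threshold, which a single legitimate notification never does. The Python below runs such a rule over a constructed delivery log; the log format, the timestamps and the two unrelated messages are made up for the example, and only the host, sender and subject come from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed delivery log, one accepted message per line:
        "<ISO timestamp> <connecting host> <envelope sender> <subject>"
    Twelve copies of the lure arrive from coexist.biz five minutes apart
    (as reported in the thread); the two example.org messages are filler."""
    lines = []
    t0 = datetime(2011, 11, 19, 21, 5, 0)
    for i in range(12):
        ts = (t0 + timedelta(minutes=5 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} coexist.biz noreply@mtgox.com "
                     "Protect your Mt.Gox. account using Yubikey!")
    lines.insert(3, "2011-11-19T21:12:40 mail.example.org alice@example.org Lunch tomorrow?")
    lines.append("2011-11-19T22:30:05 mail.example.org bob@example.org Re: Lunch tomorrow?")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Split each line into (timestamp, host, sender, subject); the subject
    keeps its spaces because the split is limited to three separators."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, sender, subject = line.split(" ", 3)
        entries.append((datetime.fromisoformat(ts), host, sender, subject))
    return entries


def find_floods(entries, threshold=5, window=timedelta(hours=1)):
    """Group messages by (host, sender, subject) and report every group that
    delivered at least `threshold` copies inside any sliding `window`.
    Returns {(host, sender, subject): total count in the log}."""
    groups = defaultdict(list)
    for ts, host, sender, subject in entries:
        groups[(host, sender, subject)].append(ts)
    floods = {}
    for key, times in groups.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                floods[key] = len(times)
                break
    return floods


def should_discard(entry, floods):
    """Per-message decision: discard a message whose (host, sender, subject)
    key is flooding, deliver everything else."""
    _, host, sender, subject = entry
    return (host, sender, subject) in floods


if __name__ == "__main__":
    log = parse_log(make_sample_log())
    floods = find_floods(log)
    for key, count in floods.items():
        print(f"flood: {count} copies from {key[0]} as {key[1]}: {key[2]!r}")
    print("discarded:", sum(should_discard(e, floods) for e in log), "of", len(log))
```

Keying on the connecting host as well as the sender and subject keeps the rule from swallowing a genuine notification that happens to share a subject line with the spam but arrives from the domain's real mail hosts.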
Matthew N. Wright
Untrustworthy
Hero Member
Offline
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
November 19, 2011, 10:11:35 PM
Quote from theymos:
    Quote from foo: Argh! I've now received TEN of these, and they just keep coming. EDIT: Thirteen now. EDIT: 58, no wait, another one just arrived. 59 emails!
    I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Maybe someone's script is stuck on loop? Script kiddies aren't even good enough to be script kiddies these days?

@foo: Are you the dude making the dehydrated strawberries?
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
November 19, 2011, 10:13:25 PM
Wasn't MtGox going to add a signed signature to his emails?
foo
November 19, 2011, 10:14:54 PM
Quote from Matthew N. Wright:
    Quote from theymos:
        Quote from foo: Argh! I've now received TEN of these, and they just keep coming. EDIT: Thirteen now. EDIT: 58, no wait, another one just arrived. 59 emails!
        I'm also receiving one every ~5 minutes even though I only have one MtGox account.
    Maybe someone's script is stuck on loop? Script kiddies aren't even good enough to be script kiddies these days?

Seems like it. coexist.biz is the exploited server that's spamming; I'd send the owner an email, but their whois info is hidden.

Quote from Matthew N. Wright: @foo: Are you the dude making the dehydrated strawberries?

I have no idea what you are talking about.
I know this because Tyler knows this.
Matthew N. Wright
Untrustworthy
Hero Member
Offline
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
November 19, 2011, 10:18:49 PM
Quote from foo:
    Quote from Matthew N. Wright:
        Quote from theymos:
            Quote from foo: Argh! I've now received TEN of these, and they just keep coming. EDIT: Thirteen now. EDIT: 58, no wait, another one just arrived. 59 emails!
            I'm also receiving one every ~5 minutes even though I only have one MtGox account.
        Maybe someone's script is stuck on loop? Script kiddies aren't even good enough to be script kiddies these days?
    Seems like it. coexist.biz is the exploited server that's spamming; I'd send the owner an email, but their whois info is hidden.
    Quote from Matthew N. Wright: @foo: Are you the dude making the dehydrated strawberries?
    I have no idea what you are talking about.

https://bitcointalk.org/index.php?topic=52331
foo
November 19, 2011, 10:21:27 PM
I know this because Tyler knows this.
theymos
Administrator
Legendary
Offline
Activity: 5194
Merit: 12983
November 19, 2011, 10:39:23 PM
I emailed leaseweb about it already. More complaints (to abuse@leaseweb.com) wouldn't hurt, though.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Insti (OP)
Sr. Member
Offline
Activity: 294
Merit: 252
Firstbits: 1duzy
November 19, 2011, 11:06:36 PM
Quote from theymos: I emailed leaseweb about it already. More complaints (to abuse@leaseweb.com) wouldn't hurt, though.

The messages are still coming in (to /dev/null at least). I emailed a complaint.
ultramancool
Newbie
Offline
Activity: 18
Merit: 0
November 20, 2011, 02:53:17 AM
Just wanted to give everyone an update - I got a copy of the executable. It was (very strangely) a 64 bit executable, autoit based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing. Judging by block explorer this person hasn't been too successful unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64 bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.
jothan
Full Member
Offline
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
November 20, 2011, 03:35:40 AM
Quote from ultramancool: Just wanted to give everyone an update - I got a copy of the executable. It was (very strangely) a 64 bit executable, autoit based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing. Judging by block explorer this person hasn't been too successful unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64 bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.

Is the address constant, or is a different address buried in each executable?
Bitcoin: the only currency you can store directly into your brain.
What this planet needs is a good 0.0005 BTC US nickel.
BCEmporium
Legendary
Offline
Activity: 1218
Merit: 1000
November 20, 2011, 01:58:55 PM
Damn spammer! This is probably the dumbest phisher I've ever come across. Nevertheless my mobile provider must be happy: thanks to this bozo and his 1000+ resends of the same crap, my mobile data plafond went down.