Bitcoin Forum
Topic: WARNING - MtGox "Your account is currently pending review" Phishing email
ataranlen
January 13, 2012, 09:30:02 PM
 #1

I just got this email about 30 minutes ago, just wanted to make people aware that this is in fact NOT from MtGox, but from some Russian phishing site.

Do NOT click any links from this email

Code: (Complete Message with Headers)
Delivered-To: ataranlen@gmail.com
Received: by 10.42.167.130 with SMTP id s2cs62934icy;
        Fri, 13 Jan 2012 12:55:42 -0800 (PST)
Received: by 10.213.29.13 with SMTP id o13mr673749ebc.58.1326488140056;
        Fri, 13 Jan 2012 12:55:40 -0800 (PST)
Return-Path: <host6059@de1.imhoster.net>
Received: from de1.imhoster.net (de1.imhoster.net. [178.162.236.74])
        by mx.google.com with ESMTPS id a9si6728572eec.214.2012.01.13.12.55.39
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 13 Jan 2012 12:55:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of host6059@de1.imhoster.net designates 178.162.236.74 as permitted sender) client-ip=178.162.236.74;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of host6059@de1.imhoster.net designates 178.162.236.74 as permitted sender) smtp.mail=host6059@de1.imhoster.net
Received: from host6059 by de1.imhoster.net with local (Exim 4.69)
(envelope-from <host6059@de1.imhoster.net>)
id 1Rlo9z-003joZ-2F
for ataranlen@gmail.com; Fri, 13 Jan 2012 22:55:39 +0200
To: ataranlen@gmail.com
Subject: [Mt.Gox] Your account is currently pending review.
X-PHP-Script: host6059.de1.dp10.ru/mail.php for 67.221.255.12
From:info@mtgox.com
Reply-To:info@mtgox.com
MIME-Version:1.0
Content-Type: text/html;
Message-Id: <E1Rlo9z-003joZ-2F@de1.imhoster.net>
Date: Fri, 13 Jan 2012 22:55:39 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - de1.imhoster.net
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1240 1236] / [47 12]
X-AntiAbuse: Sender Address Domain - de1.imhoster.net

<HTML>Dear Mt.Gox user,<br>
<br>
Your account is currently pending review, please visit <a href='http://fugbt5.tmweb.ru/'>https://mtgox.com/forms/verification</a><br>
For those users who have had their accounts marked for review, an explanation of why were are implementing these security measures can be found here:<br>
<br>
<a href='http://fugbt5.tmweb.ru/'>Security Measures Explained</a><br>
<br>
“Verified” Accounts are eligible for monthly/daily transaction limits of up to 5 times the monthly limit and 10 times the daily limit.<br>
<br>
In order to apply for the “Verified” account status please attach a copy of the following documents:<br>
- Your government issued photo ID (passport, permanent residence card or driver’s license) and<br>
- A scan of either your monthly utility bill (power, phone, TV, gas, water, etc.) or a certificate of residency issued by your local government.<br>
<br>
Thanks, <br>
The Mt.Gox team
</HTML>
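
The headers and body above carry the signals that separate this message from genuine Mt.Gox mail: the visible From domain differs from the envelope sender, the SPF pass applies to the envelope domain only, and the link text names one host while the href points to another. The following is an added example, not part of the original post; `audit`, `Links` and `domain` are names chosen here, and the sample is abridged from the message quoted in this post.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Abridged from the message in the first post: selected headers, both links.
SAMPLE = """\
Return-Path: <host6059@de1.imhoster.net>
Authentication-Results: mx.google.com; spf=pass smtp.mail=host6059@de1.imhoster.net
X-PHP-Script: host6059.de1.dp10.ru/mail.php for 67.221.255.12
From:info@mtgox.com

<HTML>please visit <a href='http://fugbt5.tmweb.ru/'>https://mtgox.com/forms/verification</a><br>
<a href='http://fugbt5.tmweb.ru/'>Security Measures Explained</a></HTML>
"""

class Links(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def domain(value):  # host of a URL, or domain part of an e-mail address
    host = urlparse(value).hostname if "://" in value else parseaddr(value)[1].rpartition("@")[2]
    return (host or "").lower()

def audit(raw):
    msg, out = email.message_from_string(raw), []
    frm, env = domain(msg.get("From", "")), domain(msg.get("Return-Path", ""))
    if env and frm != env:  # visible sender vs. envelope sender
        out.append(f"From domain {frm} differs from envelope domain {env}")
    spf = re.search(r"spf=pass\b.*?smtp\.mail=([^\s;]+)", msg.get("Authentication-Results", ""), re.S)
    if spf and domain(spf.group(1)) != frm:  # SPF checks the envelope, not From
        out.append(f"spf=pass is for {domain(spf.group(1))}, not {frm}")
    if msg.get("X-PHP-Script"):  # header seen in this message naming the sending script
        out.append("sent by web script " + msg["X-PHP-Script"].split()[0])
    links = Links()
    links.feed(msg.get_payload())
    for href, text in links.found:  # link text that names a different host
        if "://" in text and domain(text) != domain(href):
            out.append(f"link text shows {domain(text)} but href is {domain(href)}")
    return out
```

Calling `audit(SAMPLE)` returns four findings; a message whose From, envelope and link hosts all agree returns an empty list.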


freespirit
January 14, 2012, 09:36:35 AM
 #2

Got a couple of these too.
Code:
Delivered-To: [email removed]
Received: by 10.42.140.4 with SMTP id i4cs47403icu;
        Fri, 13 Jan 2012 05:57:38 -0800 (PST)
Received: by 10.180.20.69 with SMTP id l5mr9044325wie.19.1326463055717;
        Fri, 13 Jan 2012 05:57:35 -0800 (PST)
Return-Path: <host6057@de1.imhoster.net>
Received: from de1.imhoster.net (de1.imhoster.net. [178.162.236.74])
        by mx.google.com with ESMTPS id 41si1302813eeu.193.2012.01.13.05.57.35
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 13 Jan 2012 05:57:35 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of host6057@de1.imhoster.net designates 178.162.236.74 as permitted sender) client-ip=178.162.236.74;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of host6057@de1.imhoster.net designates 178.162.236.74 as permitted sender) smtp.mail=host6057@de1.imhoster.net
Received: from host6057 by de1.imhoster.net with local (Exim 4.69)
(envelope-from <host6057@de1.imhoster.net>)
id 1RlhdO-001KkF-BR
for [email removed]; Fri, 13 Jan 2012 15:57:34 +0200
To: [email removed]
Subject: [Mt.Gox] Your account is currently pending review.
X-PHP-Script: host6057.de1.dp10.ru/mail/mail.php for 84.19.165.214
From:info@mtgox.com
Reply-To:info@mtgox.com
MIME-Version:1.0
Content-Type: text/html;
Message-Id: <E1RlhdO-001KkF-BR@de1.imhoster.net>
Date: Fri, 13 Jan 2012 15:57:34 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - de1.imhoster.net
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1238 1234] / [47 12]
X-AntiAbuse: Sender Address Domain - de1.imhoster.net

<HTML>Dear Mt.Gox user,<br>
<br>
Your account is currently pending review, please visit <a href='http://host6057.de1.dp10.ru/'>https://mtgox.com/forms/verification</a><br>
For those users who have had their accounts marked for review, an explanation of why were are implementing these security measures can be found here:<br>
<br>
<a href='http://host6057.de1.dp10.ru/'>Security Measures Explained</a><br>
<br>
“Verified” Accounts are eligible for monthly/daily transaction limits of up to 5 times the monthly limit and 10 times the daily limit.<br>
<br>
In order to apply for the “Verified” account status please attach a copy of the following documents:<br>
- Your government issued photo ID (passport, permanent residence card or driver’s license) and<br>
- A scan of either your monthly utility bill (power, phone, TV, gas, water, etc.) or a certificate of residency issued by your local government.<br>
<br>
Thanks, <br>
The Mt.Gox team
</HTML>


cbeast
February 01, 2012, 06:36:07 AM
 #3

Who here on the forums has access to email addresses?

Code:
Delivered-To: XXXXXXXXXXXXXXX
Received: by 10.112.40.68 with SMTP id v4cs77491lbk;
        Mon, 30 Jan 2012 22:23:39 -0800 (PST)
Received: by 10.14.132.74 with SMTP id n50mr1007560eei.47.1327991019323;
        Mon, 30 Jan 2012 22:23:39 -0800 (PST)
Return-Path: <brasting@xm63.hostsila.org>
Received: from xm63.hostsila.org (xm63.hostsila.org. [194.28.85.190])
        by mx.google.com with ESMTPS id n42si11987546eef.200.2012.01.30.22.23.39
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 30 Jan 2012 22:23:39 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of brasting@xm63.hostsila.org designates 194.28.85.190 as permitted sender) client-ip=194.28.85.190;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of brasting@xm63.hostsila.org designates 194.28.85.190 as permitted sender) smtp.mail=brasting@xm63.hostsila.org
Received: from brasting by xm63.hostsila.org with local (Exim 4.69)
(envelope-from <brasting@xm63.hostsila.org>)
id 1Rs7Ar-00023G-8i
for XXXXXXXXXXXXXXXXXXXXXX; Tue, 31 Jan 2012 08:26:37 +0200
To: XXXXXXXXXXXXXXXXXXXXXXX
Subject: [Mt.Gox] Your account is currently pending review.
X-PHP-Script: 194.28.85.190/~brasting/mail/mail2.php for 84.19.169.235
From:info@mtgox.com
Reply-To:info@mtgox.com
MIME-Version:1.0
Content-Type: text/html;
Message-Id: <E1Rs7Ar-00023G-8i@xm63.hostsila.org>
Sender:  <brasting@xm63.hostsila.org>
Date: Tue, 31 Jan 2012 08:26:37 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - xm63.hostsila.org
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1002 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - xm63.hostsila.org
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/brasting/public_html/mail/mail2.php
X-Source-Dir: brasting33.org:/public_html/mail

<HTML>Dear Mt.Gox user,<br>
<br>
Your account is currently pending review, please visit <a href='http://194.28.85.190/~brasting/'>https://mtgox.com/forms/verification</a><br>
For those users who have had their accounts marked for review, an explanation of why were are implementing these security measures can be found here:<br>
<br>
<a href='http://194.28.85.190/~brasting/'>Security Measures Explained</a><br>
<br>
“Verified” Accounts are eligible for monthly/daily transaction limits of up to 5 times the monthly limit and 10 times the daily limit.<br>
<br>
In order to apply for the “Verified” account status please attach a copy of the following documents:<br>
- Your government issued photo ID (passport, permanent residence card or driver’s license) and<br>
- A scan of either your monthly utility bill (power, phone, TV, gas, water, etc.) or a certificate of residency issued by your local government.<br>
<br>
Thanks, <br>
The Mt.Gox team
</HTML>



alex0
February 01, 2012, 11:32:43 AM
 #4

Also got one.
Very clever phishing email. Looks very natural.

I was confused by strange domain tmweb.ru

Who here on the forums has access to email addresses?
I think spammers use stolen MtGox DB
zvs
April 21, 2012, 07:42:52 PM
 #5

Also got one.
Very clever phishing email. Looks very natural.

I was confused by strange domain tmweb.ru

Who here on the forums has access to email addresses?
I think spammers use stolen MtGox DB

yeah, using the DB that got passed out june '11, i'm sure.  i have the same list

anyway, i just got this.  points to rgy###.tmweb.ru

i didn't think it was very clever though, i mean, all you have to do is see that the link is to some site in russia?

Raoul Duke
April 21, 2012, 07:48:55 PM
 #6

I had my email on the mtgox db that leaked and never got any of those emails. Strange. Not that I used gox anyway, so I wouldn't get fooled.

MPOE-PR
April 22, 2012, 12:33:56 PM
 #7

It's a wonder there's not a lot more of this going on, really.
