Truckfarmer (OP)
Newbie
Offline
Activity: 27
Merit: 0
December 02, 2014, 10:54:59 PM
Hello, I recently received a (relatively) sophisticated phishing attack via email. The payload seems to be a Java rootkit. The email sender was labelled "Bitcoin.org", but the actual email was "no-replay@bitcoin.com". The subject read "The transaction has completed successfully."
Flag #1 - I have not made any Bitcoin transactions for over a week.
Flag #2 - "no-replay"
Flag #3 - Recently made the email in question public on bitcointalk.org.
Flag #4 - Payload file name included the last four digits of my SSN.
The message contents were as follows:
Online Payment Details
https://www.bitcoin.org/Ref-XXXXXXXXXXXX (linked to http://[Suspicious link removed]/Bitcoin-transactionSSSS)
SSSS represents the last four digits of my SSN. This part concerns me the most, although linking this email (my main public email) to the last digits of my SSN wouldn't be too difficult.
The transaction has completed successfully. The order number, for your customers reference is: Ref-XXXXXXXXXXXX-XXXXX.
Additional Payload info:
File: Bitcoin_transactionSSSS.jar
File type: Java JAR (226 Kb)
From: http://www.thedumps.ru
hexafraction
Sr. Member
Offline
Activity: 392
Merit: 259
December 02, 2014, 11:19:31 PM
Definitely looks like malware, possibly coin-stealing. I'm interested to see if anyone with a spare offline machine they're willing to get "dirty" would have any luck decompiling this with a Java decompiler. I've never seen Java that can actually act as a full-system rootkit, at least without JNI.
blockgenesis
Sr. Member
Offline
Activity: 285
Merit: 250
Bitcoin.org maintainer
December 03, 2014, 12:44:07 AM
In order to prevent such phishing scams from @bitcoin.com, blockchain.info would have to set clear DMARC, DKIM and SPF policies on their DNS: https://dmarcian.com/dmarc-inspector/bitcoin.com
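The check blockgenesis points at, as an added example that is not part of the thread or of dmarcian's tool: a small classifier for a domain's SPF and DMARC TXT records, with a constructed weak record beside its corrected form. Only an enforcing DMARC policy tells receivers to reject a forged header From: such as the "no-replay@bitcoin.com" sender above; the sample records and the `.invalid` hostnames are made up for illustration.

```python
# Added example (not from this thread): classify a domain's SPF and DMARC
# TXT records by how strictly they let receivers refuse spoofed mail.
# The sample records are constructed for illustration; they are not the
# records of bitcoin.com or any other real domain.
import re

def spf_strength(record: str) -> str:
    """Return 'enforcing', 'soft' or 'none' for an SPF TXT record."""
    if not record.startswith("v=spf1"):
        return "none"
    terms = record.split()[1:]
    if "+all" in terms or "all" in terms:
        return "none"        # any host may send as this domain
    if "-all" in terms:
        return "enforcing"   # unlisted senders hard-fail
    if "~all" in terms or "?all" in terms:
        return "soft"        # softfail/neutral: receivers rarely reject
    return "none"            # no 'all' term: default result is neutral

def dmarc_policy(record: str) -> dict:
    """Parse a DMARC record and report whether it actually enforces."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    policy = tags.get("p", "")
    pct = int(tags.get("pct", "100"))
    return {
        "policy": policy or "missing",
        "pct": pct,
        # p=none only asks for reports; partial pct still lets some spoofs through
        "enforcing": policy in ("reject", "quarantine") and pct == 100,
        "reports": "rua" in tags,
    }

def header_from_spoofable(dmarc_record: str) -> bool:
    """SPF alone covers the envelope sender; only an enforcing DMARC policy
    tells receivers to reject a forged header From: like no-replay@bitcoin.com."""
    return not dmarc_policy(dmarc_record)["enforcing"]

# Constructed sample records: the weak form beside the corrected form
WEAK_SPF = "v=spf1 include:_spf.mailer.invalid ~all"
STRONG_SPF = "v=spf1 include:_spf.mailer.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    for name, rec in [("weak", WEAK_DMARC), ("strong", STRONG_DMARC)]:
        print(name, dmarc_policy(rec), "spoofable:", header_from_spoofable(rec))
```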
Truckfarmer (OP)
Newbie
Offline
Activity: 27
Merit: 0
December 03, 2014, 12:51:20 AM
Who can I contact about this?
blockgenesis
Sr. Member
Offline
Activity: 285
Merit: 250
Bitcoin.org maintainer
December 03, 2014, 12:56:42 AM
Who can I contact about this?
Try contacting blockchain.info (I dunno what's the best way, I just tried sending them a msg on reddit).
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
December 03, 2014, 01:05:19 AM
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?
hexafraction
Sr. Member
Offline
Activity: 392
Merit: 259
December 03, 2014, 01:26:49 AM
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?
Once you are done analyzing, would you mind posting your findings here?
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
December 03, 2014, 01:34:17 AM
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze? Once you are done analyzing, would you mind posting your findings here?
It depends on if OP has not deleted this phishing email (which I presume he has) and whether the bytecode class files in the .jar are obfuscated.
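The two questions raised by hexafraction (can it be decompiled?) and by Remember remember the 5th of November (are the class files obfuscated?) can be answered with static triage before anyone runs the file. The following is an added example, not code from the thread or from any of its posters: it treats the JAR as the ZIP archive it is, reads the manifest entry point, checks each class member for the Java class-file magic, and scores how many class names are the one- or two-letter names that obfuscators typically emit. The sample JAR it builds is constructed in memory and is not the payload discussed above.

```python
# Added example (not from this thread): static triage of a suspicious .jar
# without running it. A JAR is a ZIP archive, so we can read its manifest
# for the entry point, confirm that .class members really hold Java bytecode
# (magic 0xCAFEBABE), and estimate whether the class names look obfuscated
# (mostly one- or two-letter names such as a/b.class), which decides how
# much a decompiler will give back.
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"

def jar_triage(jar_bytes: bytes) -> dict:
    """Summarise a JAR given as bytes; nothing inside it is executed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        main_class = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Main-Class:"):
                    main_class = line.split(":", 1)[1].strip()
        classes = [n for n in names if n.endswith(".class")]
        bad_magic = [n for n in classes if jar.read(n)[:4] != CLASS_MAGIC]
        # simple name without the ".class" suffix, e.g. "a/b.class" -> "b"
        short = [n for n in classes if len(n.rsplit("/", 1)[-1][:-6]) <= 2]
    return {
        "main_class": main_class,
        "class_count": len(classes),
        "bad_magic": bad_magic,
        "likely_obfuscated": bool(classes) and len(short) / len(classes) >= 0.5,
    }

def build_sample_jar(obfuscated: bool) -> bytes:
    """Construct a tiny JAR in memory (sample data, not the real payload)."""
    if obfuscated:
        names = ["a/a.class", "a/b.class", "a/c.class"]
    else:
        names = ["com/example/Main.class", "com/example/Config.class"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        entry = names[0][:-6].replace("/", ".")
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nMain-Class: %s\n" % entry)
        for n in names:
            # class-file header stub only: magic plus minor/major version
            jar.writestr(n, CLASS_MAGIC + b"\x00\x00\x00\x34")
    return buf.getvalue()
```

Run `jar_triage(open("sample.jar", "rb").read())` on a real archive in an offline VM; a high `likely_obfuscated` score or entries in `bad_magic` (class files that are not bytecode at all) are the first things to note before reaching for a decompiler.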
blockgenesis
Sr. Member
Offline
Activity: 285
Merit: 250
Bitcoin.org maintainer
December 03, 2014, 02:12:47 AM
Note: Just got a reply from Mandrik @blockchain.info - so I guess they're aware of it now. Hopefully this will get fixed and spammers won't be able to send from this domain at the very least.
segvec
Full Member
Offline
Activity: 196
Merit: 100
The cheddar breed jealousy
December 03, 2014, 02:27:13 AM
Very interesting. Going to look into this as it is quite a problem if indeed what I think it is...
Truckfarmer (OP)
Newbie
Offline
Activity: 27
Merit: 0
December 03, 2014, 04:27:09 AM Last edit: December 03, 2014, 02:47:08 PM by Truckfarmer
Just seeing this now...sorry guys...don't have a sandbox on the station I'm on...
Magicman420
December 03, 2014, 04:32:31 AM Last edit: December 03, 2014, 05:13:04 AM by Magicman420
I hate hackers / scammers.. I wish we could stop them all TOGETHER
Truckfarmer (OP)
Newbie
Offline
Activity: 27
Merit: 0
December 03, 2014, 04:44:39 AM
*scammer-hackers, some of us "hackers" are the good guys
Magicman420
December 03, 2014, 05:13:19 AM
*scammer-hackers, some of us "hackers" are the good guys
True, I guess you have a point
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1226
Away on an extended break
December 03, 2014, 02:08:29 PM
botany
Legendary
Offline
Activity: 1582
Merit: 1064
December 04, 2014, 12:54:47 AM
Flag #4 - Payload file name included last four digits of my SSN.
This is what scares me. Phishing mails are no longer mass mailed in the hope that at least one in a million falls for it. They seem to be targeting specific individuals. We really have to be on our toes.
Ron~Popeil
December 04, 2014, 05:13:59 AM
I get e-mails all the time saying someone sent 8 btc to my wallet and asking me to download a file with the transaction attached. I of course delete the attachment and the e-mail. Occasionally I launch a profanity laced reply but only when the mood hits me.
CrackedLogic
Legendary
Offline
Activity: 1050
Merit: 1000
December 04, 2014, 02:00:12 PM
Sad to see such a domain being abused.
AleCrypt0
December 04, 2014, 10:42:16 PM
Sad to see such a domain being abused.
agree