Bitcoin foundation's phishing email

[mitus-2]

I just received that phishing email:


Dear Bitcoin user,
When the New York Department of Financial Services officially announced (pg. 14) its "BitLicense" regulatory proposal in the New York State Register, it said in its legally required statement of needs and benefits: Extensive research and analysis by the Department of Financial Services ... has made clear the need for a new and comprehensive set of regulations that address the novel aspects and risks of digital currency.
Thus we are asked to update bitcoin transaction methods in order to facilitate more transparent bitcoin transfers. As of end of April bitcoin network WILL NOT support old transfer methods, but worry not this will be a smooth transition.
Please see the instctions how to configure your bitcoin client and full press release in this document.
Please note that attached document has been digitally signed and might require additional action from some Microsoft Office users.
Sincerely,
Jim Harper Bitcoin Foundation

here's an image of the email:


DO NOT CLICK ON ANYTHING IN THE EMAIL!

[MakingMoneyHoney]

They probably shouldn't have misspelled instructions. Thanks for the notice.

[The Bad Guy]

Thanks for the heads up mate , simply report it using your email provider if it have any option to report (like gmail ...) and everyone else should do that too .

[BillyBobZorton]

I always ignore any email im not expecting and make sure to triple check the urls on it.

[redsn0w]

Thanks for the information, I will check my email address (remember to not open any suspicious link).

[OnkelPaul]

Would be very interesting to see the headers and the actual content of that link.
Do you have any idea where they could have gotten your e-mail address? Since this is a highly targeted phishing attempt (not like the shotgun approaches) it might be possible to find out a little more about the senders.
However, I'd understand that you might want to avoid giving that info to strangers since it's a privacy issue.

Onkel Paul

[RodeoX]

Yep, that's fake. Notice Jim's position title? Or lack thereof. And the spelling errors are a clear sign that no one edited this.

[ninza]

This is the first bitcoin related phishing email ive gotten, I wonder where they got my email from....

[erikalui]

They may just be sending out these phishing emails expecting at least one to reply to them and by mistake if anyone clicks on their link, they are just scammed. 

[MakingMoneyHoney]

They may just be sending out these phishing emails expecting at least one to reply to them and by mistake if anyone clicks on their link, they are just scammed. 

I'm sure that's all it is. But it's nice that people post these warnings for others to know to be on the lookout.

[thompete]

More and more of these mails are coming in now days . I wonder why now. The scope would have been enormous an year back at 1000.

[dothebeats]

Such emails occur very frequently nowadays. And they're also using the foundation's name just to trick people. Thanks for the notice dude. Definitely not gonna click those links. Ever.

[mitus-2]

Would be very interesting to see the headers and the actual content of that link.
Do you have any idea where they could have gotten your e-mail address? Since this is a highly targeted phishing attempt (not like the shotgun approaches) it might be possible to find out a little more about the senders.
However, I'd understand that you might want to avoid giving that info to strangers since it's a privacy issue.

Onkel Paul

nope i don't have any idea where they could have gotten my email address.
the sender was Bitcoin Foundation newsletter@btcfoundation.net via auth.ccsend.com coming from    in.constantcontact.com signed by auth.ccsend.com

[Wendigo]

Wow that email looks like some random copy-pasted snippets sprinkled with grammatical errors 

[ChuckBuck]

Would be very interesting to see the headers and the actual content of that link.
Do you have any idea where they could have gotten your e-mail address? Since this is a highly targeted phishing attempt (not like the shotgun approaches) it might be possible to find out a little more about the senders.
However, I'd understand that you might want to avoid giving that info to strangers since it's a privacy issue.

Onkel Paul

nope i don't have any idea where they could have gotten my email address.
the sender was Bitcoin Foundation newsletter@btcfoundation.net via auth.ccsend.com coming from    in.constantcontact.com signed by auth.ccsend.com

First thing noticeable is they use .org not .net as their domain:



Next obvious thing is the errors in the body of the email:

Please see the instctions

Third is the Bitcoin Foundation logo is in Blue and not Grey like on the website, and the B is clearly different.

All tell tale scam or phishing attempt signs by another party other than the actual foundation itself.

[leancuisine]

I accidentally opened up that document, but thankfully it only went to Google Docs for me and didn't download it. It's a page full of random text symbols, and on top in bold it says to enable something you need to enter a macro file... 

[leancuisine]

For the curious, I've uploaded a screenshot.

[Twipple]

I accidentally opened up that document, but thankfully it only went to Google Docs for me and didn't download it. It's a page full of random text symbols, and on top in bold it says to enable something you need to enter a macro file... 

Well some of these mails take you to another website with exactly the same interface, and these tkae your login details.

[mitus-2]

here's the sourcecode of the mail:

Return-Path: <AgPBvNxGERlaxuPt/dlYcCQ==_1120044852541_BQLbILLcEeSh6NSuUnWZxA==@in.constantcontact.com>
    Delivered-To:
    Received: from localhost (localhost [127.0.0.1])
        by mail2.openmailbox.org (Postfix) with ESMTP id D4798202D03
        for <>; Thu, 12 Feb 2015 19:15:45 +0100 (CET)
    X-Virus-Scanned: amavisd-new at openmailbox.org
    X-Spam-Flag: NO
    X-Spam-Score: -4.281
    X-Spam-Level:
    X-Spam-Status: No, score=-4.281 tagged_above=-9999.9 required=5
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
        HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,
        RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_IADB_DK=-0.223,
        RCVD_IN_IADB_LISTED=-0.38, RCVD_IN_IADB_OPTIN=-2.057,
        RCVD_IN_IADB_RDNS=-0.167, RCVD_IN_IADB_SENDERID=-0.001,
        RCVD_IN_IADB_SPF=-0.001, RCVD_IN_IADB_VOUCHED=-2.2,
        RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
        T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, URIBL_RHS_DOB=0.276,
        URI_NOVOWEL=0.5] autolearn=disabled
    Authentication-Results: mail.openmailbox.org (amavisd-new);
        dkim=pass (1024-bit key) header.d=auth.ccsend.com
    Received: from mail2.openmailbox.org ([62.4.1.33])
        by localhost (mail.openmailbox.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id IiaRadR5TPk0 for <>;
        Thu, 12 Feb 2015 19:15:43 +0100 (CET)
   Received: from ccm172.constantcontact.com (ccm172.constantcontact.com [208.75.123.172])
        by mail2.openmailbox.org (Postfix) with ESMTP id 57B90202A8F
        for <>; Thu, 12 Feb 2015 19:15:43 +0100 (CET)
    Received: from p2-jbsvcs5290.ad.prodcc.net (p2-pen6.ad.prodcc.net [10.252.0.106])
        by p2-mail123.ccm172.constantcontact.com (Postfix) with ESMTP id BAD0121F84A
        for <>; Thu, 12 Feb 2015 13:15:37 -0500 (EST)
    DKIM-Signature: v=1; q=dns/txt; a=rsa-sha256; c=relaxed/relaxed; s=1000073432; d=auth.ccsend.com; h=to:X-Feedback-ID:subject:mime-version:message-id:from:date:list-unsubscribe:reply-to; bh=CvQtnbzgrPbveHC3gW0w8moaIdVJRbyhDj660hOqyuI=; b=DbctWw1pZ1S58aNVHN/klT0/7SDORn6oav1azdhvBlvCruWmsgDGvAlFf/OIuQlQF9JcDC0xl5vL44kqBgPZzoyLUCi10hEGjxgalTWE2VMIpJvnfhAQC89Be1govWRXYDwUQKwgAXL+426LyYeQdGscq+bw6MkBWMvgSU7QNHE=
    Message-ID: <1120074688972.1120044852541.1867453675.0.91315JL.1002@scheduler.constantcontact.com>
    Date: Thu, 12 Feb 2015 13:15:37 -0500 (EST)
    From: Bitcoin Foundation <newsletter@btcfoundation.net>
    Reply-To: newsletter@btcfoundation.net
    To:
    Subject: Important update for all bitcoin users
    Cc:
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
        boundary="----=_Part_99136253_1728680057.1423764937757"
    List-Unsubscribe: http://visitor.constantcontact.com/do?p=un&m=001U5E8SpKwZYYEo7iRyFekPA%3D%3D&se=001vSaTD1gd6dvCIuo44ic5Fw%3D%3D&t=001EkZLEx15CcE%3D&llr=6jja5dtab
    X-Campaign-Activity-ID: 80f06f37-1184-4656-b1b8-fb7f76561c09
    X-Channel-ID: 0502db20-b2dc-11e4-a1e8-d4ae527599c4
    X-Mailer: Roving Constant Contact 2012 (http://www.constantcontact.com)
    X-Return-Path-Hint: AgPBvNxGERlaxuPt/dlYcCQ==_1120044852541_BQLbILLcEeSh6NSuUnWZxA==@in.constantcontact.com
    X-Roving-Campaignid: 1120074688972
    X-Roving-Id: 1120044852541.1867453675
    X-Feedback-ID: 0502db20-b2dc-11e4-a1e8-d4ae527599c4:80f06f37-1184-4656-b1b8-fb7f76561c09:1120044852541:CTCT
    X-CTCT-ID: 0424b020-b2dc-11e4-a053-d4ae527599c4

    ------=_Part_99136253_1728680057.1423764937757
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit

[cellard]

I've blacklisted all emails that I don't know so I dont get any phising. Feels good man.