Topic: Beware: "mtgox" yubikey trojan/phishing email (Read 2923 times)

legendary
Activity: 1218
Merit: 1000
November 20, 2011, 09:58:55 AM
#20
Damn spammer! This is probably the dumbest phisher I've ever come across.
Nevertheless my mobile provider must be happy; thanks to this bozo and his 1000+ resends of the same crap, my mobile data allowance went down.  Angry
full member
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
Just wanted to give everyone an update - I got a copy of the executable. It was (very strangely) a 64 bit executable, autoit based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing. Judging by block explorer this person hasn't been too successful unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64 bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.

Is the address constant, or is a different address buried in each executable?
newbie
Activity: 18
Merit: 0
Just wanted to give everyone an update - I got a copy of the executable. It was (very strangely) a 64 bit executable, autoit based. I picked it apart and learned that it sends all your coins to 13omHEevM54wA2jUjTTGs7wWTRj4UmP1XB, via automation of the bitcoin GUI. Decompiled source here: http://3d3.ca/pbY. It does not appear to do anything with a yubikey in reality. Tiny but amusing. Judging by block explorer this person hasn't been too successful unless there've been other addresses used too. I mean, I had to manually decode this base64 from the email and pick apart the 64 bit executable, so I have a feeling whoever wrote this malware wasn't too bright. No packing was used on the executable even.
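Whether the destination address is constant or differs per build can be checked by scanning each sample for checksum-valid Base58Check strings rather than eyeballing the decompiled script. This is an added example, not the poster's analysis or the decompiled AutoIt source; the blob it scans is constructed here.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Bitcoin base58
ADDR_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")  # '1...' or '3...' candidates

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # leading 0x00 -> '1'

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # raises ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_valid_address(text):
    """True only for version byte + 20-byte hash + matching 4-byte checksum."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def make_address(hash160, version=0):
    """Encode a 20-byte hash as an address (version 0 -> '1...', 5 -> '3...')."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))

def find_addresses(blob):
    """Distinct checksum-valid addresses in a binary, in order of appearance."""
    found = []
    for m in ADDR_RE.finditer(blob):
        cand = m.group().decode()
        if is_valid_address(cand) and cand not in found:
            found.append(cand)
    return found

# Constructed stand-in for a decompiled sample: one valid address plus the same
# string with its last character changed, which the checksum must reject.
SAMPLE_ADDR = make_address(bytes(range(1, 21)))
BAD_ADDR = SAMPLE_ADDR[:-1] + B58[(B58.index(SAMPLE_ADDR[-1]) + 1) % 58]
SAMPLE_BLOB = b"\x00Send(" + SAMPLE_ADDR.encode() + b")\x00" + BAD_ADDR.encode() + b"\x00"
```

Running find_addresses over every sample you collect and diffing the results answers the per-build question directly; the regex alone would also accept the corrupted string, which is why the checksum step matters.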
sr. member
Activity: 294
Merit: 252
Firstbits: 1duzy
I emailed leaseweb about it already. More complaints (to [email protected] ) wouldn't hurt, though.

The messages are still coming in. (to /dev/null at least)
I emailed a complaint.
administrator
Activity: 5166
Merit: 12850
I emailed leaseweb about it already. More complaints (to [email protected] ) wouldn't hurt, though.
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Maybe someone's script is stuck in a loop? Script kiddies aren't even good enough to be script kiddies these days?
Seems like it. coexist.biz is the exploited server that's spamming, I'd send the owner an email, but their whois info is hidden.

@foo: Are you the dude making the dehydrated strawberries?
I have no idea what you are talking about.

https://bitcointalksearch.org/topic/the-free-market-speaks-fda-avoided-dustberries-52331
foo
sr. member
Activity: 409
Merit: 250
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Maybe someone's script is stuck in a loop? Script kiddies aren't even good enough to be script kiddies these days?
Seems like it. coexist.biz is the exploited server that's spamming, I'd send the owner an email, but their whois info is hidden.

@foo: Are you the dude making the dehydrated strawberries?
I have no idea what you are talking about.
vip
Activity: 490
Merit: 271
Wasn't MtGox going to add a signed signature to his emails?



hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

I'm also receiving one every ~5 minutes even though I only have one MtGox account.

Maybe someone's script is stuck in a loop? Script kiddies aren't even good enough to be script kiddies these days?


@foo: Are you the dude making the dehydrated strawberries?
administrator
Activity: 5166
Merit: 12850
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!

I'm also receiving one every ~5 minutes even though I only have one MtGox account. (Now they're being discarded automatically, of course.)
legendary
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
November 19, 2011, 06:03:14 PM
#9
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!
How many Mt. Gox accounts did you have? Wink
sr. member
Activity: 316
Merit: 250
November 19, 2011, 03:54:43 PM
#8
If anyone gets a copy of this exe, please PM me on the forum or email me at [email protected]. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Without knowledge of the malware, I bet they steal your wallet. Smiley
Just logical, because nearly everyone using MtGox has a wallet stored on their computer. They're the perfect target.
foo
sr. member
Activity: 409
Merit: 250
November 19, 2011, 03:44:18 PM
#7
Argh! I've now received TEN of these, and they just keep coming.

EDIT: Thirteen now. Tongue

EDIT: 58, no wait, another one just arrived. 59 emails!
legendary
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
November 19, 2011, 01:18:27 PM
#6
If anyone gets a copy of this exe, please PM me on the forum or email me at [email protected]. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

Here you go:
http://www.mediafire.com/file/dbxcf58b5m8pm2c/MtGoxYubikey.rar

Password: thisisavirus

Have fun Smiley
vip
Activity: 490
Merit: 502
November 19, 2011, 12:57:36 PM
#5
If anyone gets a copy of this exe, please PM me on the forum or email me at [email protected]. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.

That's cool. I wanted to send it to you, but I received this:

Quote
FILE DELETED

MtGoxYubikey.exe has been removed since it was found to match the FILE FILTER= ExchangeLabs File Filter List 1: *.exe file filter.

:-(

Exchange is too secure.

newbie
Activity: 18
Merit: 0
November 19, 2011, 12:56:12 PM
#4
If anyone gets a copy of this exe, please PM me on the forum or email me at [email protected]. I'm a malware reverse engineer and I'd love to get my hands on this. I'll be sure to share details of what I find with the community if anyone has a copy.
hero member
Activity: 784
Merit: 1000
Bitcoin Mayor of Las Vegas
November 19, 2011, 12:49:26 PM
#3
It's alarming that Mt. Gox doesn't even have SPF setup.

It's reassuring that the fraudsters think the target group of these kinds of attacks is stupid enough to fall for it.
vip
Activity: 490
Merit: 502
November 19, 2011, 12:43:46 PM
#2
It's alarming that Mt. Gox doesn't even have SPF setup.

If email phishing is frequent, they should use an SPF record to tell email service providers to reject all emails not from their IPs. This method is not fool-proof, but at least most such emails can go to spam instead of entering the inbox.


*.mtgox.com   CNAME   10 minutes      www.mtgox.com
mtgox.com   A   10 minutes      72.52.5.67 (Hollywood, FL, US)
mtgox.com   MX   10 minutes   1   aspmx.l.google.com
mtgox.com   MX   10 minutes   5   alt1.aspmx.l.google.com
mtgox.com   MX   10 minutes   5   alt2.aspmx.l.google.com
mtgox.com   MX   10 minutes   10   aspmx2.googlemail.com
mtgox.com   MX   10 minutes   10   aspmx3.googlemail.com
mtgox.com   MX   10 minutes   10   aspmx4.googlemail.com
mtgox.com   MX   10 minutes   10   aspmx5.googlemail.com
mtgox.com   NS   10 minutes      ns1.xta.net
mtgox.com   NS   10 minutes      ns2.xta.net
mtgox.com   SOA   10 minutes      ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
mtgox.com   SOA   0 seconds      ns1.xta.net. domains.tibanne.com. 2011030600 10800 3600 604800 3600
www.mtgox.com   A   10 minutes      72.52.5.81 (Hollywood, FL, US)
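An added example (not from the thread or from MtGox) of the check the post is asking for: a receiving mail server evaluating the connecting IP against the sender domain's SPF record. ZONE_TXT is a constructed record set that reuses the A address from the listing above; mtgox.com published no SPF record at the time, and the real _spf.google.com differs from the stand-in here.

```python
import ipaddress

# Constructed TXT records for this example. mtgox.com published no SPF record
# at the time (the thread's complaint), and the real _spf.google.com differs.
ZONE_TXT = {
    "mtgox.com": "v=spf1 ip4:72.52.5.67 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:74.125.0.0/16 ip4:209.85.128.0/17 ~all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_terms(domain):
    """Mechanisms of the domain's SPF record, or None if it has none."""
    rec = ZONE_TXT.get(domain.lower())
    if rec is None or rec.split()[0] != "v=spf1":
        return None
    return rec.split()[1:]

def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF, as a receiving MTA would.

    Returns pass/fail/softfail/neutral, or 'none' when there is no record,
    in which case the receiver has nothing to reject a forged From on."""
    terms = spf_terms(domain)
    if terms is None or depth > 10:  # RFC 7208 caps include recursion
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term[:4] in ("ip4:", "ip6:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:"):
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        else:
            continue  # a, mx, exists, ptr need live DNS; skipped in this offline example
        if matched:
            return RESULT[qual]
    return "neutral"

def accept_mail(from_domain, sender_ip):
    """Receiver policy: reject on hard fail, quarantine on softfail, else deliver."""
    result = check_spf(from_domain, sender_ip)
    return {"fail": "reject", "softfail": "spam"}.get(result, "inbox")
```

The last case is the one the thread describes: with no record at all the result is "none", so a forged From: header lands in the inbox unless the receiver has some other signal.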
sr. member
Activity: 294
Merit: 252
Firstbits: 1duzy
November 19, 2011, 12:00:47 PM
#1

I recently received an email claiming to be from mtgox (It most certainly isn't)

Quote
From: MtGox <[email protected]>
Subject: Protect your Mt.Gox. account using Yubikey!

Protect your Mt.Gox. account using Yubikey!
We have attached your own personal Yubikey.
Download and install it.
Mt.Gox. Team

Content-Type: application/octet-stream; name="MtGoxYubikey.exe"

I've not been crazy enough to do anything with the exe file other than delete it.