
Topic: Bitcoin foundation's phishing email (Read 1421 times)

legendary
Activity: 2338
Merit: 1081
#SWGT CERTIK Audited
February 13, 2015, 06:35:31 AM
#23
I've blacklisted all emails that I don't know so I don't get any phishing. Feels good man.

Yeah... I've done the same..! Easier to stay out of trouble like that.
legendary
Activity: 1039
Merit: 1005
February 13, 2015, 01:52:52 AM
#22
Looks like constantcontact.com should be able to shed some light on this issue - they should be able to identify the sender who most likely registered with them using fake data.
I'm not particularly fond of constantcontact.com (they claim to be anti-spam, but I've seen enough spam from them in the past to believe that their anti-spam measures haven't been too effective) but they should be interested in keeping their service clean of outright scammers.

Onkel Paul
legendary
Activity: 1596
Merit: 1005
★Nitrogensports.eu★
February 12, 2015, 08:28:35 PM
#21
I've blacklisted all emails that I don't know so I don't get any phishing. Feels good man.

Wait, what? So how can you receive new mails from someone new? You can't? It will be better just to not open suspicious e-mail, they are pretty easy to spot after all.
legendary
Activity: 1372
Merit: 1252
February 12, 2015, 08:17:32 PM
#20
I've blacklisted all emails that I don't know so I don't get any phishing. Feels good man.
full member
Activity: 224
Merit: 100
February 12, 2015, 04:31:21 PM
#19
Here's the source code of the mail:

    Return-Path:
    Delivered-To:
    Received: from localhost (localhost [127.0.0.1])
        by mail2.openmailbox.org (Postfix) with ESMTP id D4798202D03
        for <>; Thu, 12 Feb 2015 19:15:45 +0100 (CET)
    X-Virus-Scanned: amavisd-new at openmailbox.org
    X-Spam-Flag: NO
    X-Spam-Score: -4.281
    X-Spam-Level:
    X-Spam-Status: No, score=-4.281 tagged_above=-9999.9 required=5
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
        HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,
        RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_IADB_DK=-0.223,
        RCVD_IN_IADB_LISTED=-0.38, RCVD_IN_IADB_OPTIN=-2.057,
        RCVD_IN_IADB_RDNS=-0.167, RCVD_IN_IADB_SENDERID=-0.001,
        RCVD_IN_IADB_SPF=-0.001, RCVD_IN_IADB_VOUCHED=-2.2,
        RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
        T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, URIBL_RHS_DOB=0.276,
        URI_NOVOWEL=0.5] autolearn=disabled
    Authentication-Results: mail.openmailbox.org (amavisd-new);
        dkim=pass (1024-bit key) header.d=auth.ccsend.com
    Received: from mail2.openmailbox.org ([62.4.1.33])
        by localhost (mail.openmailbox.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id IiaRadR5TPk0 for <>;
        Thu, 12 Feb 2015 19:15:43 +0100 (CET)
    Received: from ccm172.constantcontact.com (ccm172.constantcontact.com [208.75.123.172])
        by mail2.openmailbox.org (Postfix) with ESMTP id 57B90202A8F
        for <>; Thu, 12 Feb 2015 19:15:43 +0100 (CET)
    Received: from p2-jbsvcs5290.ad.prodcc.net (p2-pen6.ad.prodcc.net [10.252.0.106])
        by p2-mail123.ccm172.constantcontact.com (Postfix) with ESMTP id BAD0121F84A
        for <>; Thu, 12 Feb 2015 13:15:37 -0500 (EST)
    DKIM-Signature: v=1; q=dns/txt; a=rsa-sha256; c=relaxed/relaxed; s=1000073432; d=auth.ccsend.com; h=to:X-Feedback-ID:subject:mime-version:message-id:from:date:list-unsubscribe:reply-to; bh=CvQtnbzgrPbveHC3gW0w8moaIdVJRbyhDj660hOqyuI=; b=DbctWw1pZ1S58aNVHN/klT0/7SDORn6oav1azdhvBlvCruWmsgDGvAlFf/OIuQlQF9JcDC0xl5vL44kqBgPZzoyLUCi10hEGjxgalTWE2VMIpJvnfhAQC89Be1govWRXYDwUQKwgAXL+426LyYeQdGscq+bw6MkBWMvgSU7QNHE=
    Message-ID: <1120074688972.1120044852541.1867453675.0.91315JL.1002@scheduler.constantcontact.com>
    Date: Thu, 12 Feb 2015 13:15:37 -0500 (EST)
    From: Bitcoin Foundation <[email protected]>
    Reply-To: [email protected]
    To:
    Subject: Important update for all bitcoin users
    Cc:
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
        boundary="----=_Part_99136253_1728680057.1423764937757"
    List-Unsubscribe: http://visitor.constantcontact.com/do?p=un&m=001U5E8SpKwZYYEo7iRyFekPA%3D%3D&se=001vSaTD1gd6dvCIuo44ic5Fw%3D%3D&t=001EkZLEx15CcE%3D&llr=6jja5dtab
    X-Campaign-Activity-ID: 80f06f37-1184-4656-b1b8-fb7f76561c09
    X-Channel-ID: 0502db20-b2dc-11e4-a1e8-d4ae527599c4
    X-Mailer: Roving Constant Contact 2012 (http://www.constantcontact.com)
    X-Return-Path-Hint: AgPBvNxGERlaxuPt/dlYcCQ==_1120044852541_BQLbILLcEeSh6NSuUnWZxA==@in.constantcontact.com
    X-Roving-Campaignid: 1120074688972
    X-Roving-Id: 1120044852541.1867453675
    X-Feedback-ID: 0502db20-b2dc-11e4-a1e8-d4ae527599c4:80f06f37-1184-4656-b1b8-fb7f76561c09:1120044852541:CTCT
    X-CTCT-ID: 0424b020-b2dc-11e4-a053-d4ae527599c4

    ------=_Part_99136253_1728680057.1423764937757
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit
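
The headers posted above show why the message sailed past the spam filter: `dkim=pass` is recorded for `auth.ccsend.com`, the mailing service, not for the domain shown in `From:`. The following is an added example, not part of the original post, that checks this alignment; the sample message is constructed, its `From` and `Return-Path` addresses are placeholders because the page redacts them, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the posted headers. The page redacts the From
# and Return-Path addresses, so placeholder values are used for both.
SAMPLE = (
    "Return-Path: <bounce@in.constantcontact.com>\n"
    "Authentication-Results: mail.openmailbox.org (amavisd-new);\n"
    "\tdkim=pass (1024-bit key) header.d=auth.ccsend.com\n"
    "From: Bitcoin Foundation <news@lookalike-foundation.example>\n"
    "Subject: Important update for all bitcoin users\n"
    "\n"
    "body\n"
)

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Simplification: a real DMARC check uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def passing_dkim_domains(msg, trusted_authserv):
    """d= domains with dkim=pass, taken only from Authentication-Results
    headers stamped by our own server (others can be forged by the sender)."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        tokens = value.split()
        if not tokens or tokens[0].rstrip(";").lower() != trusted_authserv:
            continue
        found += [d.lower() for d in
                  re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I)]
    return found

def alignment_report(raw, trusted_authserv):
    """Compare the visible From domain with the domains that passed DKIM."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    dkim = passing_dkim_domains(msg, trusted_authserv)
    aligned = bool(from_dom) and any(
        org_domain(d) == org_domain(from_dom) for d in dkim)
    return {"from": from_dom, "dkim_pass": dkim,
            "return_path": addr_domain(msg.get("Return-Path")),
            "dkim_aligned_with_from": aligned}

if __name__ == "__main__":
    print(alignment_report(SAMPLE, "mail.openmailbox.org"))
```

A valid signature that does not align with the `From:` domain only proves which service sent the mail, which is the gap DMARC alignment checks are meant to close.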
sr. member
Activity: 462
Merit: 250
February 12, 2015, 04:13:43 PM
#18
I accidentally opened up that document, but thankfully it only went to Google Docs for me and didn't download it. It's a page full of random text symbols, and on top in bold it says to enable something you need to enter a macro file...
Well, some of these mails take you to another website with exactly the same interface, and these take your login details.
hero member
Activity: 980
Merit: 1000
www.DonateMedia.org
February 12, 2015, 04:12:43 PM
#17
For the curious, I've uploaded a screenshot.

hero member
Activity: 980
Merit: 1000
www.DonateMedia.org
February 12, 2015, 04:08:31 PM
#16
I accidentally opened up that document, but thankfully it only went to Google Docs for me and didn't download it. It's a page full of random text symbols, and on top in bold it says to enable something you need to enter a macro file...
hero member
Activity: 1372
Merit: 783
better everyday ♥
February 12, 2015, 03:41:29 PM
#15
Would be very interesting to see the headers and the actual content of that link.
Do you have any idea where they could have gotten your e-mail address? Since this is a highly targeted phishing attempt (not like the shotgun approaches) it might be possible to find out a little more about the senders.
However, I'd understand that you might want to avoid giving that info to strangers since it's a privacy issue.

Onkel Paul

Nope, I don't have any idea where they could have gotten my email address.
The sender was Bitcoin Foundation [email protected] via auth.ccsend.com coming from in.constantcontact.com signed by auth.ccsend.com

First thing noticeable is they use .org not .net as their domain:



Next obvious thing is the errors in the body of the email:

Quote
Please see the instctions

Third is the Bitcoin Foundation logo is in Blue and not Grey like on the website, and the B is clearly different.

All telltale scam or phishing attempt signs by another party other than the actual foundation itself.

legendary
Activity: 2604
Merit: 1036
February 12, 2015, 03:22:15 PM
#14
Wow that email looks like some random copy-pasted snippets sprinkled with grammatical errors
full member
Activity: 224
Merit: 100
February 12, 2015, 03:06:56 PM
#13
Would be very interesting to see the headers and the actual content of that link.
Do you have any idea where they could have gotten your e-mail address? Since this is a highly targeted phishing attempt (not like the shotgun approaches) it might be possible to find out a little more about the senders.
However, I'd understand that you might want to avoid giving that info to strangers since it's a privacy issue.

Onkel Paul

Nope, I don't have any idea where they could have gotten my email address.
The sender was Bitcoin Foundation [email protected] via auth.ccsend.com coming from in.constantcontact.com signed by auth.ccsend.com
legendary
Activity: 3542
Merit: 1352
February 12, 2015, 02:50:01 PM
#12
Such emails occur very frequently nowadays. And they're also using the foundation's name just to trick people. Thanks for the notice dude. Definitely not gonna click those links. Ever.
full member
Activity: 224
Merit: 100
February 12, 2015, 02:44:01 PM
#11
More and more of these mails are coming in nowadays. I wonder why now. The scope would have been enormous a year back at 1000.
hero member
Activity: 504
Merit: 500
February 12, 2015, 02:43:02 PM
#10
They may just be sending out these phishing emails expecting at least one to reply to them and by mistake if anyone clicks on their link, they are just scammed.

I'm sure that's all it is. But it's nice that people post these warnings for others to know to be on the lookout.
legendary
Activity: 2632
Merit: 1094
February 12, 2015, 01:56:20 PM
#9
They may just be sending out these phishing emails expecting at least one to reply to them and by mistake if anyone clicks on their link, they are just scammed.
newbie
Activity: 53
Merit: 0
February 12, 2015, 01:51:29 PM
#8
This is the first bitcoin related phishing email I've gotten, I wonder where they got my email from....
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
February 12, 2015, 01:42:45 PM
#7
Yep, that's fake. Notice Jim's position title? Or lack thereof. And the spelling errors are a clear sign that no one edited this.
legendary
Activity: 1039
Merit: 1005
February 12, 2015, 01:37:15 PM
#6
Would be very interesting to see the headers and the actual content of that link.
Do you have any idea where they could have gotten your e-mail address? Since this is a highly targeted phishing attempt (not like the shotgun approaches) it might be possible to find out a little more about the senders.
However, I'd understand that you might want to avoid giving that info to strangers since it's a privacy issue.

Onkel Paul
legendary
Activity: 1778
Merit: 1043
#Free market
February 12, 2015, 01:36:13 PM
#5
Thanks for the information, I will check my email address (remember to not open any suspicious link).
legendary
Activity: 1204
Merit: 1028
February 12, 2015, 01:32:51 PM
#4
I always ignore any email I'm not expecting and make sure to triple check the urls on it.