Topic: Directed e-mail attacks (Read 905 times)

sr. member
Activity: 364
Merit: 256
July 15, 2014, 04:10:27 AM
#4
This is a serious email attack that contains a trojan to control your machine; not only Windows machines but also Linux and Mac machines are targeted. More information can be found here: https://bitcointalksearch.org/topic/beware-multiplatform-malware-try-to-steal-your-wallet-652085

Do not download the file attached, otherwise your system will get compromised.

sr. member
Activity: 353
Merit: 250
BITCOIN
July 15, 2014, 02:30:53 AM
#3
There are tons of mails circulating for stealing coins.
newbie
Activity: 9
Merit: 0
July 15, 2014, 01:57:26 AM
#2
I got dozens of these emails :(
I have no idea what I should do to make them stop sending these kinds of emails, and I worry about my address so much.
Seems like you know well about this, any advice will be very useful! THX!!
member
Activity: 83
Merit: 10
April 28, 2014, 02:24:12 AM
#1
Starting a week ago I am receiving emails with .jar files claiming to be from different Bitcoin sites. They don't get detected as spam by any spam filter, the jar file is not detected as a virus. It seems they are sent to handpicked targets who actively work with crypto currency. The emails came from 3 different sources so far, 3 via smtp.com (already talked to them and they said they will look into it), and 2 via gmail.

I will be running the jar file in a virus testing sandbox to see what network connections it tries to make. Decompiling the jar didn't give much result since I believe it contains native binaries (for osx, windows and linux) that are run. If anyone else received and already tested these files please let me know what you found.

I have accounts at almost every exchange (including Mt.Gox, though my email was not in the gox account lists I found on the net) so it could be that my email leaked from one of those.

Anyone else experiencing these?

------------------ Headers and some content of some of the emails received ------------------------

Delivered-To: [email protected]
Received: by 10.182.246.1 with SMTP id xs1csp217663obc;
        Mon, 21 Apr 2014 12:12:32 -0700 (PDT)
Return-Path: <[email protected]>
Received-SPF: pass (google.com: domain of [email protected] designates 10.66.150.69 as permitted sender) client-ip=10.66.150.69
Authentication-Results: mr.google.com;
       spf=pass (google.com: domain of [email protected] designates 10.66.150.69 as permitted sender) [email protected];
       dkim=pass [email protected]
X-Received: from mr.google.com ([10.66.150.69])
        by 10.66.150.69 with SMTP id ug5mr40109988pab.55.1398107551939 (num_hops = 1);
        Mon, 21 Apr 2014 12:12:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=snOLhcQ+SqxC85ZiOH580ss1veiwVqZSKyogNOl7fzY=;
        b=DZiC6/fAEVa4BWD/4GBPyuEjKs1pVMMGiW9YzXdyP6tkxt8icqgmYz2PxPqf+l0YOX
         +6BtdWGJQ7D3GUBKLfgFBVUCEl19R9OX4uoQMjhWthPhqfq+q/VLPgNxtHh2FPNtk6q9
         9weGvhUn5U2ioRC7dmBAFtJdvKgCU/V8TZXK+A9NRlZDg7J4OQuYFJIclfT0f0FPW+T2
         l086g3eRs5N8NCUT395o/z6QCh4j2p47VuMaM9Ld2Rn6Ib3k1jBHKct+/tQo31JD65FI
         88Z+CzDiNVjWOEyR6m81BWnXcnpVnimoEAY/HxFOOxGicSQN0QnonCsVPs66nImCOcYi
         Teeg==
MIME-Version: 1.0
X-Received: by 10.66.150.69 with SMTP id ug5mr40170349pab.55.1398107551483;
 Mon, 21 Apr 2014 12:12:31 -0700 (PDT)
Received: by 10.70.61.1 with HTTP; Mon, 21 Apr 2014 12:12:31 -0700 (PDT)
Date: Mon, 21 Apr 2014 22:12:31 +0300
Message-ID:
Subject: Problem in the Market
From: ahmad khamashta <[email protected]>
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary=047d7b6dc31ef77d1304f79247bb
Bcc: [email protected]

--047d7b6dc31ef77d1304f79247bb
Content-Type: multipart/alternative; boundary=047d7b6dc31ef77d0f04f79247b9

--047d7b6dc31ef77d0f04f79247b9
Content-Type: text/plain; charset=UTF-8

*Hello, *

*I have Problem in my account , i try to buy all my XBT "122 Bitcoin"*
*buy when i need to process the order i got this error "attached"*

*Please i need answer or Solved for this problem ASAP*

*Thank you*

------------------------------------------------------------------------------------------------------------------------------------------------

Delivered-To: [email protected]
Received: by 10.182.246.1 with SMTP id xs1csp100488obc;
        Mon, 28 Apr 2014 00:06:48 -0700 (PDT)
X-Received: by 10.68.240.99 with SMTP id vz3mr23458826pbc.93.1398668807684;
        Mon, 28 Apr 2014 00:06:47 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mailer242.gate181.sl.smtp.com (mailer242.gate181.sl.smtp.com. [192.40.181.242])
        by mx.google.com with ESMTP id qf5si9774988pac.211.2014.04.28.00.06.47
        for <[email protected]>;
        Mon, 28 Apr 2014 00:06:47 -0700 (PDT)
Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=192.40.181.242;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: [email protected] does not designate permitted sender hosts) [email protected];
       dkim=pass [email protected]
Return-Path: <[email protected]>
X-MSFBL: aHNhaG1lZEBnbWFpbC5jb21AMTkyXzQwXzE4MV8yNDJAU2VuZEJsYXN0ZXJfMkA=
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
   q=dns/txt; [email protected]; t=1398668806;
   h=From:Subject:To:Date:MIME-Version:Content-Type;
   bh=FsfC8XmgPRDRepb53Yb8HgKVlGjtEhsMC2Zsr4pvMGo=;
   b=PYrnG1ZsdZweyzCBpvSTu9GZXCQu7pCZPrk3Izl2W/IYaUlRP8WxvAvb3vGUxdTb
   X3/AzJ966SmS5GlHG3FDOnattTzpc0jPPCf8CwWH7uGHC3Nwt5V270YnKrlcff/X
   Hs+uLvCNqR78MIhHwHb8h4XkgzfDV8G2MERKFMzmkj0=;
Received: from [216.55.179.130] ([216.55.179.130:58769] helo=216-55-179-130.dedicated.codero.net)
   by sl-mta06.smtp.com (envelope-from <[email protected]>)
   (ecelerity 3.5.5.39309 r(Platform:3.5.5.0)) with ESMTPSA (cipher=AES256-SHA)
   id 55/1B-09095-50EFD535; Mon, 28 Apr 2014 07:06:46 +0000
From: "ItBit" <[email protected]>
Message-ID: <55.1B.09095.50EFD535@sl-mta06>
Subject: ItBit Final Report
To: "XXXXXXX" <[email protected]>
Content-Type: multipart/mixed; boundary="Si3q2MkLplfvSjo1bPsfGhL=_Zd1lqAOnT"
MIME-Version: 1.0
Organization: ItBit
Date: Mon, 28 Apr 2014 00:06:46 -0700
X-SMTPCOM-Tracking-Number: 49f61f3c-42d5-47a7-91ca-0631251aca4c
X-SMTPCOM-Sender-ID: 6001689
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to [email protected]


This is a multi-part message in MIME format

--Si3q2MkLplfvSjo1bPsfGhL=_Zd1lqAOnT
Content-Type: multipart/alternative;
   boundary="E3ds9G5Tm1O3h=_2A5t6vfIbwqcOc6GQmQ"

--E3ds9G5Tm1O3h=_2A5t6vfIbwqcOc6GQmQ
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=EF=BB=BFHello,
We are sorry to late , we attach in this email all the information you=
 need about your account with us.
if you have any qouestion please contact us again.
Thank you
Antony Lewis
Business Development
https://www.itbit.com | [email protected] | +65 9296 4222
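
Added example (not part of the original post or thread): a small Python triage check for the pattern visible in the headers above, where a message passes DKIM for the relay's domain (d=smtp.com in the second message) while the From header presents ItBit, and carries a .jar attachment. The sample message, its domains and the `triage` function are constructed for illustration, and the alignment test is a simplified exact-or-subdomain comparison.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment types that run code when opened; .jar is the type reported in the thread.
RISKY_EXT = (".jar", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
# Constructed sample (not a message from the thread): brand name in From,
# DKIM signed by an unrelated relay domain, SPF none, .jar attached.
SAMPLE = b"""\
Authentication-Results: mx.example.net; spf=none smtp.mailfrom=bounce@relay.example;
 dkim=pass header.i=@relay.example
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example; s=sel1; bh=AAAA; b=BBBB
From: "Exchange Support" <support@exchange.example>
Subject: Final Report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See attached report.
--b1
Content-Type: application/java-archive; name="report.jar"
Content-Disposition: attachment; filename="report.jar"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

def triage(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    # d= names the domain that took responsibility for the DKIM signature.
    signers = {m.lower() for h in msg.get_all("DKIM-Signature", [])
               for m in re.findall(r"(?:^|;)\s*d=([^;\s]+)", str(h))}
    aligned = any(from_domain == d or from_domain.endswith("." + d) for d in signers)
    if signers and not aligned:
        findings.append(f"dkim-not-aligned: From={from_domain} signed-by={sorted(signers)}")
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    if spf and spf.group(1).lower() != "pass":
        findings.append(f"spf-{spf.group(1).lower()}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky-attachment: {name}")
    return findings
```

A `dkim=pass` result on its own only says some domain signed the message; the check above compares that signing domain with the one shown to the reader in From.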