Topic: Mt Gox email spoof...don't fall for it (Read 2523 times)
Notice [email protected]? No one could really be that dumb, could they?
So if you just visit the base of the site: 188.190.99.224 and click "view source", you find something interesting:
Code:
Whois:
IP : 188.190.99.224 Neighborhood
Host : tradz.infium.net Not OK
Country : Ukraine
Location:
http://www.infosniper.net/index.php?ip_address=188.190.99.224&map_source=1&overview_map=1&lang=1&map_type=1&zoom_level=7
IP : 188.190.99.224 Neighborhood
Host : tradz.infium.net Not OK
Country : Ukraine
Location:
http://www.infosniper.net/index.php?ip_address=188.190.99.224&map_source=1&overview_map=1&lang=1&map_type=1&zoom_level=7
Quote
Reported Phishing Website Ahead!
Google Chrome has blocked access to 188.190.99.224. This website has been reported as a phishing website.
Phishing websites are designed to trick you into disclosing your login, password or other sensitive information by disguising themselves as other websites you may trust.
Google Chrome has blocked access to 188.190.99.224. This website has been reported as a phishing website.
Phishing websites are designed to trick you into disclosing your login, password or other sensitive information by disguising themselves as other websites you may trust.
Besides, the fact that the address it's pointing you to is an IP address and not mtgox.com should set off your alarms before you even click it, if the email alone is not enough...
Can you post the full email headers?
Code:
[Some headers]
It's good you're warning people but phew it amazes me the scams and such Bitcoin people are falling for these days lol >_> it should be common knowledge now that all these companies already have your details and can do whatever they need to do right from their own computers.
yeah, i filled it in
username: yomommashouse
password:
i didnt check to see what javascript was on there, but mine is disabled
username: yomommashouse
password:
i didnt check to see what javascript was on there, but mine is disabled
Let's piss off the attackers and everyone fill in random wrong info 
Can you post the full email headers?
Code:
x-store-info:8Rlnjmxvy6L6cXs23gz/9HW3P3dIQ3IM1LzSJUtLUc4yN+HKAcM7JKKiY+saelOcD955T9yOw8f7HRE94ouZY2wNCjK2IqFhg0CuxfbbOdhQ8+gRAm/8reg8Ou22/6FEiD1MkCrNqVI=
Authentication-Results: hotmail.com; spf=pass (sender IP is 166.78.69.32) [email protected]; dkim=none header.d=mtgox.com; x-hmca=none
X-SID-PRA: [email protected]
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: s1:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: NhFq/7gR1vT/eGKLQPiFtR0wfNb/evU7Xcr8z3t50NldkK0korF+jKKL4cOtdOfJpJF6PJdsXjrKwfTT8LV9NItesF5vDqHTwfhQBhEVTAVl9GF9GLk0EV8uQas/+U1RXTCw1q7DZXfavDeGljMIQA==
Received: from m69-32.mailgun.net ([166.78.69.32]) by BAY0-MC3-F6.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sat, 30 Mar 2013 11:38:59 -0700
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailgun.org; q=dns/txt; s=mg;
t=1364668738; h=Reply-To: From: Subject: Date: Mime-Version:
Content-Type: Content-Transfer-Encoding: Message-Id: Sender;
bh=eXdry3sgeZK7PlNGlFsH8jy8vitEz8aUU9HbC+BV2nM=; b=UCNoQLw4ONdNRzbOuvhw1hTV/rljrQY/i7U7n0Le+KSWARAfo8HaNvHr9/toHbXBzQ22dB0d
TGFrmFq2e+Lan6OQl7amSQkuGgp0dtH3I+Z8jB7hE72jSkcCCS3oYP29n5p1Nl9AvgpFfAGd
mroLKD/HrXOT98DokezjcYC120M=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mailgun.org; s=mg; q=dns;
h=Reply-To: From: Subject: Date: Mime-Version: Content-Type:
Content-Transfer-Encoding: Message-Id: Sender;
b=JCeyX/Fg/w7Tcq8M9+QRFVgqsvX2RmfU7zL6rafAkh2q0j/O45dwLgjVsl0BYwPH3sFbcz
e13pZre4NMPAnui6UAFNWjfESeNx7wswDH8zPB6ULERva040d5c3rDuZhOiAUAtR/0DXHZmp
0C4kLib/OkSc04z0hLKB/U6HyqlFw=
Received: by luna.mailgun.net with SMTP mgrt 8758583633337; Sat, 30 Mar 2013
18:38:57 +0000
Received: from User (dab-crx1-h-1-8.dab.02.net [82.132.226.244]) by
mxa.mailgun.org with ESMTP id 5157313b.557f300-in2; Sat, 30 Mar 2013
18:38:51 -0000 (UTC)
Reply-To:
From: "Mt.Gox"
Subject: [Mt.Gox] Account Verification
Date: Sat, 30 Mar 2013 18:38:57 -0000
Mime-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[email protected]>
X-Mailgun-Sid: WyI0OTM0NSIsICJ0YW1lc21jdGlndWVAaG90bWFpbC5jb20iLCAiYjc0MCJd
Sender: [email protected]
Bcc:
Return-Path: [email protected]
X-OriginalArrivalTime: 30 Mar 2013 18:38:59.0828 (UTC) FILETIME=[D7FABB40:01CE2D75]
Authentication-Results: hotmail.com; spf=pass (sender IP is 166.78.69.32) [email protected]; dkim=none header.d=mtgox.com; x-hmca=none
X-SID-PRA: [email protected]
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: s1:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: NhFq/7gR1vT/eGKLQPiFtR0wfNb/evU7Xcr8z3t50NldkK0korF+jKKL4cOtdOfJpJF6PJdsXjrKwfTT8LV9NItesF5vDqHTwfhQBhEVTAVl9GF9GLk0EV8uQas/+U1RXTCw1q7DZXfavDeGljMIQA==
Received: from m69-32.mailgun.net ([166.78.69.32]) by BAY0-MC3-F6.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sat, 30 Mar 2013 11:38:59 -0700
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailgun.org; q=dns/txt; s=mg;
t=1364668738; h=Reply-To: From: Subject: Date: Mime-Version:
Content-Type: Content-Transfer-Encoding: Message-Id: Sender;
bh=eXdry3sgeZK7PlNGlFsH8jy8vitEz8aUU9HbC+BV2nM=; b=UCNoQLw4ONdNRzbOuvhw1hTV/rljrQY/i7U7n0Le+KSWARAfo8HaNvHr9/toHbXBzQ22dB0d
TGFrmFq2e+Lan6OQl7amSQkuGgp0dtH3I+Z8jB7hE72jSkcCCS3oYP29n5p1Nl9AvgpFfAGd
mroLKD/HrXOT98DokezjcYC120M=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mailgun.org; s=mg; q=dns;
h=Reply-To: From: Subject: Date: Mime-Version: Content-Type:
Content-Transfer-Encoding: Message-Id: Sender;
b=JCeyX/Fg/w7Tcq8M9+QRFVgqsvX2RmfU7zL6rafAkh2q0j/O45dwLgjVsl0BYwPH3sFbcz
e13pZre4NMPAnui6UAFNWjfESeNx7wswDH8zPB6ULERva040d5c3rDuZhOiAUAtR/0DXHZmp
0C4kLib/OkSc04z0hLKB/U6HyqlFw=
Received: by luna.mailgun.net with SMTP mgrt 8758583633337; Sat, 30 Mar 2013
18:38:57 +0000
Received: from User (dab-crx1-h-1-8.dab.02.net [82.132.226.244]) by
mxa.mailgun.org with ESMTP id 5157313b.557f300-in2; Sat, 30 Mar 2013
18:38:51 -0000 (UTC)
Reply-To:
From: "Mt.Gox"
Subject: [Mt.Gox] Account Verification
Date: Sat, 30 Mar 2013 18:38:57 -0000
Mime-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[email protected]>
X-Mailgun-Sid: WyI0OTM0NSIsICJ0YW1lc21jdGlndWVAaG90bWFpbC5jb20iLCAiYjc0MCJd
Sender: [email protected]
Bcc:
Return-Path: [email protected]
X-OriginalArrivalTime: 30 Mar 2013 18:38:59.0828 (UTC) FILETIME=[D7FABB40:01CE2D75]
That old leaked list rearing its ugly head again..
Can you post the full email headers?
It's very easy to spoof the "from:" address of an email.
I got the same email and just came on to post this. It is spoofed from [email protected] but the verification link points to a fishing site instead of the real one.
But you received the email from "[email protected]"? It's that an actual MtGox email account?
Down
It's up for me, just have to click though my browsers big red phishing warning. 
Down
Just received a very well done spoof email asking me to "re-verify my account" at Mt Gox because I used a VPN to access it. Don't fall for it! It sends you to a non-mtgox IP address that is a very well done copy of the real one. To test it I entered bogus account info and would you believe it! I got confirmed! I'm sure they'll get access to some accounts with this...It looks very authentic.
Here's the text of the spoof...
From: "Mt.Gox"<[email protected]>
Date: March 30, 2013, 1:39:08 PM EDT
Subject: [Mt.Gox] Account Verification.
Reply-To: <[email protected]>
Dear User,
We stated when you registered an account with us that accessing your
account via the Tor network and/or public proxies can lead to a temporary
suspension of your account, and having to submit AML documents to us.
You are recieving this e-mail because we suspect you of accessing
your account via the Tor network and/or public proxies.
To prevent your account from being suspended you are now required to
verify your account you must do this from your home network, without the
use of the Tor network and/or public proxies.
Click here to begin the verification process.
http://188.190.99.224/user-panel/
Best regards,
Mt.Gox team
[email protected]
Here's the text of the spoof...
From: "Mt.Gox"<[email protected]>
Date: March 30, 2013, 1:39:08 PM EDT
Subject: [Mt.Gox] Account Verification.
Reply-To: <[email protected]>
Dear User,
We stated when you registered an account with us that accessing your
account via the Tor network and/or public proxies can lead to a temporary
suspension of your account, and having to submit AML documents to us.
You are recieving this e-mail because we suspect you of accessing
your account via the Tor network and/or public proxies.
To prevent your account from being suspended you are now required to
verify your account you must do this from your home network, without the
use of the Tor network and/or public proxies.
Click here to begin the verification process.
http://188.190.99.224/user-panel/
Best regards,
Mt.Gox team
[email protected]
Jump to: