Topic: Mt Gox email spoof...don't fall for it (Read 2514 times)

jp
member
Activity: 69
Merit: 10
March 31, 2013, 02:10:18 PM
#17
Notice [email protected]? No one could really be that dumb, could they?
jp
member
Activity: 69
Merit: 10
March 31, 2013, 02:09:23 PM
#16
So if you just visit the base of the site: 188.190.99.224 and click "view source", you find something interesting:

Code:



legendary
Activity: 1001
Merit: 1005
March 31, 2013, 01:11:44 PM
#15
Whois:

IP    :   188.190.99.224        Neighborhood
Host    :   tradz.infium.net    Not OK
Country    :   Ukraine   

Location:

http://www.infosniper.net/index.php?ip_address=188.190.99.224&map_source=1&overview_map=1&lang=1&map_type=1&zoom_level=7
WiW
sr. member
Activity: 277
Merit: 250
"The public is stupid, hence the public will pay"
March 31, 2013, 09:15:21 AM
#14
Quote
Reported Phishing Website Ahead!
Google Chrome has blocked access to 188.190.99.224. This website has been reported as a phishing website.
Phishing websites are designed to trick you into disclosing your login, password or other sensitive information by disguising themselves as other websites you may trust.

Besides, the fact that the address it's pointing you to is an IP address and not mtgox.com should set off your alarms before you even click it, if the email alone is not enough...
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
March 30, 2013, 05:44:21 PM
#13
Can you post the full email headers?

Code:
[Some headers]

Classic sender spoof. Nothing to worry about.
legendary
Activity: 1540
Merit: 1000
March 30, 2013, 04:58:24 PM
#12
It's good you're warning people but phew it amazes me the scams and such Bitcoin people are falling for these days lol >_> it should be common knowledge now that all these companies already have your details and can do whatever they need to do right from their own computers.
zvs
legendary
Activity: 1680
Merit: 1000
https://web.archive.org/web/*/nogleg.com
March 30, 2013, 04:41:50 PM
#11
yeah, i filled it in

username: yomommashouse
password:  Shocked

i didnt check to see what javascript was on there, but mine is disabled
hero member
Activity: 616
Merit: 500
March 30, 2013, 04:24:12 PM
#10
Let's piss off the attackers and everyone fill in random wrong info :D
full member
Activity: 148
Merit: 102
March 30, 2013, 04:17:52 PM
#9
Can you post the full email headers?

Code:
x-store-info:8Rlnjmxvy6L6cXs23gz/9HW3P3dIQ3IM1LzSJUtLUc4yN+HKAcM7JKKiY+saelOcD955T9yOw8f7HRE94ouZY2wNCjK2IqFhg0CuxfbbOdhQ8+gRAm/8reg8Ou22/6FEiD1MkCrNqVI=
Authentication-Results: hotmail.com; spf=pass (sender IP is 166.78.69.32) [email protected]; dkim=none header.d=mtgox.com; x-hmca=none
X-SID-PRA: [email protected]
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: s1:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: NhFq/7gR1vT/eGKLQPiFtR0wfNb/evU7Xcr8z3t50NldkK0korF+jKKL4cOtdOfJpJF6PJdsXjrKwfTT8LV9NItesF5vDqHTwfhQBhEVTAVl9GF9GLk0EV8uQas/+U1RXTCw1q7DZXfavDeGljMIQA==
Received: from m69-32.mailgun.net ([166.78.69.32]) by BAY0-MC3-F6.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sat, 30 Mar 2013 11:38:59 -0700
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailgun.org; q=dns/txt; s=mg;
 t=1364668738; h=Reply-To: From: Subject: Date: Mime-Version:
 Content-Type: Content-Transfer-Encoding: Message-Id: Sender;
 bh=eXdry3sgeZK7PlNGlFsH8jy8vitEz8aUU9HbC+BV2nM=; b=UCNoQLw4ONdNRzbOuvhw1hTV/rljrQY/i7U7n0Le+KSWARAfo8HaNvHr9/toHbXBzQ22dB0d
 TGFrmFq2e+Lan6OQl7amSQkuGgp0dtH3I+Z8jB7hE72jSkcCCS3oYP29n5p1Nl9AvgpFfAGd
 mroLKD/HrXOT98DokezjcYC120M=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mailgun.org; s=mg; q=dns;
 h=Reply-To: From: Subject: Date: Mime-Version: Content-Type:
 Content-Transfer-Encoding: Message-Id: Sender;
 b=JCeyX/Fg/w7Tcq8M9+QRFVgqsvX2RmfU7zL6rafAkh2q0j/O45dwLgjVsl0BYwPH3sFbcz
 e13pZre4NMPAnui6UAFNWjfESeNx7wswDH8zPB6ULERva040d5c3rDuZhOiAUAtR/0DXHZmp
 0C4kLib/OkSc04z0hLKB/U6HyqlFw=
Received: by luna.mailgun.net with SMTP mgrt 8758583633337; Sat, 30 Mar 2013
 18:38:57 +0000
Received: from User (dab-crx1-h-1-8.dab.02.net [82.132.226.244]) by
 mxa.mailgun.org with ESMTP id 5157313b.557f300-in2; Sat, 30 Mar 2013
 18:38:51 -0000 (UTC)
Reply-To:
From: "Mt.Gox"
Subject: [Mt.Gox] Account Verification
Date: Sat, 30 Mar 2013 18:38:57 -0000
Mime-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[email protected]>
X-Mailgun-Sid: WyI0OTM0NSIsICJ0YW1lc21jdGlndWVAaG90bWFpbC5jb20iLCAiYjc0MCJd
Sender: [email protected]
Bcc:
Return-Path: [email protected]
X-OriginalArrivalTime: 30 Mar 2013 18:38:59.0828 (UTC) FILETIME=[D7FABB40:01CE2D75]
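
Added example, not part of the original posts: a Python check of what the headers above show, namely that `spf=pass` only vouches for the relay, while the only DKIM signature is from `mailgun.org` and not from the domain in the visible From line. The function names, the two-label organisational-domain shortcut and the placeholder address are assumptions; SPF alignment is not evaluated because the envelope sender is redacted on the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed from the headers posted above. Redacted addresses
# and signature blobs are replaced with labelled placeholders.
SAMPLE = (
    "Authentication-Results: hotmail.com; spf=pass (sender IP is 166.78.69.32);"
    " dkim=none header.d=mtgox.com; x-hmca=none\n"
    "Received: from m69-32.mailgun.net ([166.78.69.32]) by"
    " BAY0-MC3-F6.Bay0.hotmail.com; Sat, 30 Mar 2013 11:38:59 -0700\n"
    "DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailgun.org;"
    " s=mg; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Received: from User (dab-crx1-h-1-8.dab.02.net [82.132.226.244]) by"
    " mxa.mailgun.org with ESMTP; Sat, 30 Mar 2013 18:38:51 -0000 (UTC)\n"
    'From: "Mt.Gox" <placeholder@mtgox.com>\n'
    "Subject: [Mt.Gox] Account Verification\n\n"
)

def org_domain(domain):
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_from_alignment(raw):
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    # Verdicts recorded by the receiving server (spf=..., dkim=...).
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)",
                           msg.get("Authentication-Results", "")))
    # Domains that actually signed the message (d= tag of each DKIM-Signature).
    signers = {org_domain(d)
               for sig in msg.get_all("DKIM-Signature", [])
               for d in re.findall(r"(?:^|;)\s*d=([^;\s]+)", sig)}
    # A signature only authenticates the From line if it passed AND the
    # signing domain matches the From domain.
    aligned = auth.get("dkim") == "pass" and from_dom in signers
    # Received headers are prepended, so the last one is the oldest hop.
    hops = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return {"from_domain": from_dom, "auth": auth, "dkim_signers": signers,
            "dkim_aligned": aligned, "origin_ip": m.group(1) if m else None}

if __name__ == "__main__":
    for key, value in check_from_alignment(SAMPLE).items():
        print(f"{key}: {value}")
```
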
sr. member
Activity: 285
Merit: 250
March 30, 2013, 04:08:51 PM
#8
That old leaked list rearing its ugly head again..
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
March 30, 2013, 03:45:25 PM
#7
Can you post the full email headers?
newbie
Activity: 15
Merit: 0
March 30, 2013, 03:13:48 PM
#6
It's very easy to spoof the "from:" address of an email.
full member
Activity: 148
Merit: 102
March 30, 2013, 03:12:02 PM
#5
I got the same email and just came on to post this. It is spoofed from [email protected] but the verification link points to a phishing site instead of the real one.
legendary
Activity: 1022
Merit: 1001
I'd fight Gandhi.
March 30, 2013, 02:59:40 PM
#4
But you received the email from "[email protected]"? Is that an actual MtGox email account?
newbie
Activity: 18
Merit: 0
March 30, 2013, 02:49:42 PM
#3
Down
It's up for me, just have to click through my browser's big red phishing warning.
legendary
Activity: 1176
Merit: 1257
May Bitcoin be touched by his Noodly Appendage
March 30, 2013, 02:37:41 PM
#2
Down
newbie
Activity: 15
Merit: 0
March 30, 2013, 02:31:41 PM
#1
Just received a very well done spoof email asking me to "re-verify my account" at Mt Gox because I used a VPN to access it. Don't fall for it! It sends you to a non-mtgox IP address that is a very well done copy of the real one. To test it I entered bogus account info and would you believe it! I got confirmed! I'm sure they'll get access to some accounts with this...It looks very authentic.

Here's the text of the spoof...


From: "Mt.Gox"<[email protected]>
Date: March 30, 2013, 1:39:08 PM EDT
Subject: [Mt.Gox] Account Verification.
Reply-To: <[email protected]>

Dear User,

We stated when you registered an account with us that accessing your
account via the Tor network and/or public proxies can lead to a temporary
suspension of your account, and having to submit AML documents to us.

You are recieving this e-mail because we suspect you of accessing
your account via the Tor network and/or public proxies.

To prevent your account from being suspended you are now required to
verify your account you must do this from your home network, without the
use of the Tor network and/or public proxies.

Click here to begin the verification process.
http://188.190.99.224/user-panel/

Best regards,
Mt.Gox team
[email protected]