Topic: Mtgox mail server hacked? [Spoofed phishing Email]

legendary
Activity: 1001
Merit: 1005
Does Gmail/Yahoo allow viewing headers? Can we block smtp.com there?
full member
Activity: 128
Merit: 107
I get some spam from them, too. Seemingly Bitstamp emails got leaked a while ago, too (in addition to some older Gox emails): http://www.reddit.com/r/Bitcoin/comments/1zaqvy/bitstamp_email_list_used_to_spread_mtgox_malware/cfs21qr

Code:
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to [email protected]
Has somebody tried telling them?

newbie
Activity: 6
Merit: 0
It should have been immediately obvious it was fake because it was a communication from Mt. Gox :-)
rofl

But seriously, I would like to know where they got my email address.
sr. member
Activity: 322
Merit: 252
It should have been immediately obvious it was fake because it was a communication from Mt. Gox :-)
newbie
Activity: 48
Merit: 0
I got it too. I feel honored somehow....
sr. member
Activity: 350
Merit: 250
Vires in Numeris
Just got this email as well, and obviously MtGox has made no mention of reparations, so this seemed odd.
Also, the fact that the file was hosted at a site other than mtgox.com was strange. They have their own servers, why not use them?
Thirdly, the file redirection was the tipping point.
These people have lost enough money from MtGox, and now we are going to rip them off of their local wallets?
Wow, some people are just too fucking edgy for me.
When they say that money is the root of all evil, this is what they mean.
newbie
Activity: 13
Merit: 0
It's been a boring day at work, so I thought I would help. The IP address 216.55.179.253 belongs to a company called Codero. Here is the website: www.codero.com. They are a hosting site and are known to host spam servers, as I found out here: http://www.forumpostersunion.com/showthread.php?t=22423
Here is their WhoIs info:
Code:
NetRange:       216.55.176.0 - 216.55.187.255
CIDR:           216.55.184.0/22, 216.55.176.0/21
OriginAS:       AS10316
NetName:        CODERO1999A
NetHandle:      NET-216-55-176-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
RegDate:        1999-05-28
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-216-55-176-0-1

OrgName:        Codero
OrgId:          APHIN
Address:        5750 W. 95th St., Suite 300
City:           Overland Park
StateProv:      KS
PostalCode:     66207
Country:        US
RegDate:        2009-07-21
Updated:        2013-12-03
Ref:            http://whois.arin.net/rest/org/APHIN

OrgAbuseHandle: APHAB-ARIN
OrgAbuseName:   APH Abuse
OrgAbusePhone:  +1-866-226-3376
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    http://whois.arin.net/rest/poc/APHAB-ARIN

OrgTechHandle: ADA108-ARIN
OrgTechName:   APH DNS Administrator
OrgTechPhone:  +1-866-226-3376
OrgTechEmail:  [email protected]
OrgTechRef:    http://whois.arin.net/rest/poc/ADA108-ARIN

If you notice this section here:
Quote
Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])
   by mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2;
   Thu, 27 Feb 2014 01:55:05 +0800 (CST)
This tells me that the original was sent from the IP to [email protected]. Smtp.com is being used like a proxy server to get past Codero's spam filter. That would also explain why they had to use port 61709, as seen here:
Quote
Received: from [216.55.179.253] ([216.55.179.253:61709] helo=216-55-179-253.dedicated.codero.net)

I know what you're thinking: what about the download? The truth is, I can't look at it here at work, but I can tell that it comes from http://deseobc.com/, and here is the Whois info for this site:
Code:
Domain Name: DESEOBC.COM
Registry Domain ID:
Registrar WHOIS Server: whois.neubox.com
Registrar URL: http://neubox.com/
Updated Date: 10-Jul-2013
Creation Date: 11-Mar-2013
Registrar Registration Expiration Date: 11-Mar-2014
Registrar: NEUBOX Internet S.A. de C.V.
Registrar IANA ID: 1483
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +524448100982
Domain Status: clientTransferProhibited
Registry Registrant ID: NBX_24167807
Registrant Name: Mauricio Gaona Olivo
Registrant Organization: MS Consulting
Registrant Street: Iglesia 130   
Registrant City: Mexico
Registrant State/Province: Distrito Federal
Registrant Postal Code: 01900
Registrant Country: MX
Registrant Phone: +52.36156415
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID: NBX_24167807
Admin Name: Mauricio Gaona Olivo
Admin Organization: MS Consulting
Admin Street: Iglesia 130 
Admin City: Mexico
Admin State/Province: Distrito Federal
Admin Postal Code: 01900
Admin Country: MX
Admin Phone: +52.36156415
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID: NBX_24167807
Tech Name: Mauricio Gaona Olivo
Tech Organization: MS Consulting
Tech Street: Iglesia 130 
Tech City: Mexico
Tech State/Province: Distrito Federal
Tech Postal Code: 01900
Tech Country: MX
Tech Phone: +52.36156415
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server: ns143.neubox.net
Name Server: ns144.neubox.net
And all this matches up, because the name on the Whois is the same name that is on the main page that says: "Powered by Mau Gaona." The lesson for today, kids: if you're going to try to steal from someone, don't sign the damn page hosting the download!
full member
Activity: 168
Merit: 100
This IP, 216.55.179.253, is probably not from MtGox. It is coming from the US. The link to the PDF is already not working.

That was actually not a PDF, but a .PIF file (note the "?" before the alleged file name, which triggered a server-side script that actually returned a completely different file).
vip
Activity: 756
Merit: 503
This IP, 216.55.179.253, is probably not from MtGox. It is coming from the US. The link to the PDF is already not working.
newbie
Activity: 56
Merit: 0
The malware link is included, be careful opening it.
You don't need to hack their email server to send phishing emails such as this one.
full member
Activity: 141
Merit: 100
The malware link is included, be careful opening it.

full member
Activity: 141
Merit: 100
Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])
   by mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2;
   Thu, 27 Feb 2014 01:55:05 +0800 (CST)
Return-Path: <[email protected]>
X-MSFBL: aGdhbWV6b29tQDE2My5jb21AMTkyXzQwXzE4MV8yMjNATW9udGhseUA=
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
   q=dns/txt; [email protected]; t=1393437303;
   h=From:Subject:To:Date:MIME-Version:Content-Type;
   bh=RlEPvQ2wTbC1TdI3QqtLGxBIs8vf6Ave71VYWUFsh9M=;
   b=ZvaSNdIH0AYf1HhC4Jh9y7Mpa2gwlhHpKQFMVJEC9ylCCaNOAVa2J72SKqiZ2GbN
   tUWIKRbbZB4dnhz3kZMDfBf9ISU3s+RpwKCs3cbiH3Lo1ajwMfEwPblkFFhDrQZV
   pPiRd0rudPIwzOLX6YWRwGokXA2fS2XL439o5e27G3g=;
Received: from [216.55.179.253] ([216.55.179.253:61709] helo=216-55-179-253.dedicated.codero.net)
   by sl-mta06.smtp.com (envelope-from <[email protected]>)
   (ecelerity 3.5.5.39309 r(Platform:3.5.5.0)) with ESMTPSA (cipher=AES256-SHA)
   id CD/91-28532-67A2E035; Wed, 26 Feb 2014 17:55:03 +0000
From: "[email protected]" <[email protected]>
Message-ID:
Subject: Dear MtGox Customers
To: "xxxx" <[email protected]>
Content-Type: multipart/alternative; boundary="TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM"
MIME-Version: 1.0
Organization: [email protected]
Date: Wed, 26 Feb 2014 10:54:11 -0700
X-SMTPCOM-Tracking-Number: b442d38f-0ed8-421a-bcd0-4fa0b12cbe4d
X-SMTPCOM-Sender-ID: 6004374
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to [email protected]
X-CM-TRANSID:YMCowEDp30d3Kg5TuhQ7Cw--.1133S2
Authentication-Results: mx46; spf=neutral [email protected]; dk
   im=pass [email protected]
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73
   VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxU4AR6UUUUU


This is a multi-part message in MIME format

--TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=EF=BB=BFDear MtGox Customers,
Please sign the papers attached, we can complete the process of closin=
g the account and send you what the balance to another Wallet Address.=

Sincerely,
Mark Karpeles
February 26th 2014

    Download Documents


--TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=EF=BB=BF

Dear MtGox Customers,


Please sign the papers attached, we can complete the process of clo=
sing the account and send you what the balance to another Wallet Addre=
ss.


Sincerely,
Mark Karpeles
February 26th 2014

  &nb=
sp; http://deseobc.c=
om/style/imports/mtgox/?PaperMtgox.pdf">Download Documents>

http://deseobc.com/style/impor=
ts/mtgox/?PaperMtgox.pdf">3D""ttp://deseobc.com/img/video/Untitled.jpg" align=3Dbottom>

Y>


--TuM4rWo1pPFiyH=_PHNNaSl5EHIeQWbeaM--
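The header analysis earlier in the thread (trace the Received chain back to 216.55.179.253, note that the DKIM signature is smtp.com's, not the claimed sender's) can be done mechanically. The following is an added example, not code from the thread: it walks the quoted header oldest-hop-first to recover the injecting IP and checks whether the DKIM signing domain aligns with the visible From domain. The page redacts every address, so the local parts in the embedded header are placeholders, and the function names are mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header excerpt rebuilt from the one quoted in the thread. The page redacts
# all addresses, so local parts are placeholders; hosts, IPs and the DKIM d=
# domain are as shown on the page. Signature value omitted.
RAW_HEADERS = """\
Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])
   by mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2;
   Thu, 27 Feb 2014 01:55:05 +0800 (CST)
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple
Received: from [216.55.179.253] ([216.55.179.253:61709] helo=216-55-179-253.dedicated.codero.net)
   by sl-mta06.smtp.com (envelope-from <placeholder@smtp.com>)
   (ecelerity 3.5.5.39309 r(Platform:3.5.5.0)) with ESMTPSA (cipher=AES256-SHA)
   id CD/91-28532-67A2E035; Wed, 26 Feb 2014 17:55:03 +0000
From: "placeholder@mtgox.com" <placeholder@mtgox.com>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(raw):
    """Hops as (client_ip, receiving_host), oldest hop first. Every MTA
    prepends its own Received line, so the last one in the header block
    was written by the first relay the message touched."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        hdr = " ".join(hdr.split())                 # unfold continuation lines
        from_part, _, by_part = hdr.partition(" by ")
        ip = IPV4.search(from_part)
        hops.append((ip.group(1) if ip else None,
                     by_part.split()[0] if by_part else ""))
    return list(reversed(hops))

def originating_ip(raw):
    """Client IP that injected the message into the first relay (smtp.com here)."""
    return received_chain(raw)[0][0]

def dkim_aligned_with_from(raw):
    """A DKIM 'pass' vouches only for the signing domain (d=). DMARC-style
    alignment asks whether that domain is the From domain or its parent;
    here d=smtp.com signs a From of mtgox.com, so the pass proves nothing
    about the claimed sender."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    d = m.group(1).lower() if m else ""
    return bool(d) and (from_domain == d or from_domain.endswith("." + d))
```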
vip
Activity: 756
Merit: 503
Email senders probably spoofed. Post the email header if you know how.

If you can send me a sample of the malware, I would be interested to look at it.
full member
Activity: 141
Merit: 100
Anyone received an email from [email protected] today?
Dear MtGox Customers,

Please sign the papers attached, we can complete the process of closing the account and send you what the balance to another Wallet Address.

Sincerely,
Mark Karpeles
February 26th 2014

    Download Documents
The attachment has been proven to be a trojan.
