Topic: MtGox spoof mail+site (Read 2201 times)

sr. member
Activity: 266
Merit: 250
August 28, 2011, 02:39:10 AM
#16
I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)

Am I the only person that got redirected to a Romanian blog? What's the problem if the link no longer goes to the phishing site?
legendary
Activity: 1204
Merit: 1015
August 28, 2011, 01:52:26 AM
#15
Looks like Firefox is blocking it now. :)
full member
Activity: 134
Merit: 102
August 28, 2011, 12:28:29 AM
#14
I received a response from the hosting company from which the email originated stating that the account has been closed. Unfortunately, the phishing site itself seems to be hosted elsewhere (fwef33.tmweb.ru.)
hero member
Activity: 560
Merit: 500
August 27, 2011, 11:30:06 PM
#13
Seems they are lurkers...

I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.

Looks like we are winning.
administrator
Activity: 5222
Merit: 13032
August 27, 2011, 11:03:02 PM
#12
Seems they are lurkers...

I think it's just difficult for PhishTank users unfamiliar with Bitcoin to decide whether this is a real site or a phish.
hero member
Activity: 560
Merit: 500
August 27, 2011, 10:28:16 PM
#11
I submitted it to PhishTank:
http://www.phishtank.com/phish_detail.php?phish_id=1262006&frame=details
Vote for its confirmation if you have a PhishTank account.

Seems they are lurkers...
administrator
Activity: 5222
Merit: 13032
August 27, 2011, 10:26:16 PM
#10
I submitted it to PhishTank:
http://www.phishtank.com/phish_detail.php?phish_id=1262006&frame=details
Vote for its confirmation if you have a PhishTank account.
hero member
Activity: 700
Merit: 500
August 27, 2011, 09:29:57 PM
#9
could tell MagicalTux or someone over there about what fake info you reply with,
(just put in legit looking info)
then could use that to possibly identify them or at least block the addresses.

Already told him.
member
Activity: 84
Merit: 10
August 27, 2011, 09:28:27 PM
#8
could tell MagicalTux or someone over there about what fake info you reply with,
(just put in legit looking info)
then could use that to possibly identify them or at least block the addresses.
vip
Activity: 156
Merit: 103
Cleverly disguised as a responsible adult.
August 27, 2011, 09:18:48 PM
#7
Is there any indication that this is a widespread campaign among more than one Mt. Gox user, perhaps using the database leak data from the breach a while back, or are you the only recipient as far as you know?  I'm just wondering if this is more targeted spear-phishing or if they're casting a wider net...
hero member
Activity: 560
Merit: 500
August 27, 2011, 07:24:44 PM
#6
Anyone heard of drive-by's?
full member
Activity: 224
Merit: 100
August 27, 2011, 05:35:43 PM
#5
Oops I "accidentally" entered a password.
U:Blowme
P:Gofuckyourself

Why not just spam it with bogus account info?
legendary
Activity: 1652
Merit: 2311
Chief Scientist
August 27, 2011, 05:28:31 PM
#4
I got a copy, too.  If you use gmail, use the 'Report phishing' function (in the Reply drop-down menu).
sr. member
Activity: 266
Merit: 250
August 27, 2011, 11:18:16 AM
#3
hxxp://mtgox.tk/users/login

Well, I tried that link just now and it redirects to a Romanian blog site on a .ro domain.

hxxp://www.niuzer.ro/Botosani/IMPRESIONANT-Testamentul-Reginiei-Maria-a-Romaniei-2637509.html?utm_source=twitterfeed&utm_medium=twitter
full member
Activity: 134
Merit: 102
August 27, 2011, 11:17:22 AM
#2
Of interest from the email headers:
Code:
Return-Path: 
Received: from xm33.hostsila.org (xm33.hostsila.org [194.28.87.253])
...
Received: from fewfewef by xm33.hostsila.org with local (Exim 4.69)
(envelope-from )

I sent off a quick message to the .TK abuse email letting them know about the issue.
legendary
Activity: 1937
Merit: 1001
August 27, 2011, 10:31:06 AM
#1
Just received an email from '[email protected]' with the news of 11-08-2011; a link in the message has the text of the mtgox newsletter link but truly links to:
hxxp://mtgox.tk/users/login

Careful if you got this email too.