PSA: **WARNING** ACTIVE PHISHING CAMPAIGN AGAINST BitcoinTalk and BTC-e USERS

deisik

legendary

Activity: 3430

Merit: 1280

English ⬄ Russian Translation Services

Quote from: BTCforJoe on May 02, 2017, 10:27:07 PM

Quote from: HabBear on May 02, 2017, 10:19:50 PM

Please stop calling it phishing. That word doesn't mean anything related to IT, email, or hackers. The first rule about naming new "things" is to give it a name that relates to that "thing's" definition. Phishing isn't it. We need to stop using that word.

What are the spoofed emails asking for? How would we know if the email we received was part of this email hack?

Thanks for the PSA!

Technically, it is phishing if spoofed emails are being delivered to users. I'm assuming that these emails are a way to phish your password and/or private keys somehow.

OP, do you have any examples of what these spoofed emails look like?

I received such an email myself a few days ago

Basically, I was offered 4 Btc-e vouchers which I had to redeem within 4 days. It was clear that it was no more than a phishing attempt, but I got curious. So I fired up a virtual machine in a read-only mode, disconnected network and shared folders, opened the Microsoft Word document attached to the email and entered the password which was written in it. Quite naturally, there were no vouchers but some Windows script embedded (I had to switch off a few security features in Word to run it) and it tried to do some nefarious stuff but it failed miserably. If anyone is interested to look at that script (or in any other related info), I can send this email (but you should certainly know what you are doing)

ViceOfBTC21

sr. member

Activity: 438

Merit: 266

So I'm lucky and safe because I registered my account in 2017. And out of curiosity, were there any IDs in these leaks? If yes then Fiat depositors have problems.

Juggy777

hero member

Activity: 2646

Merit: 686

Quote from: bitsalame on May 02, 2017, 08:50:02 PM

Some asshole initiated a phishing campaign against the users of BTC-e and BitcoinTalk.
They are exploiting the leaked DBs from the major hacks in 2014 and 2015 respectively.

The ones I detected are:
1) Targeting BTC-E users: spoofed emails from LocalBitcoins
2) Targeting BTC-E users: spoofed emails from Blockchain.info
3) Targeting BitcoinTalk users: fake emails from Btc-e with some attached payload.
4) +Several failed login attempts.

The last thing I heard was that the BitcoinTalk DB was being offered for sale in 2016.
Considering this "explosive" sudden campaign my speculation is that either some asshole bought it or it was finally released to the public.

Users of BTC-e and BitcoinTalk who used the same emails to register to all these sites should take extra precaution.
I highly suggest to change not only the passwords of every service (if you haven't already... come on, it's been more than 3 years) AND ALSO change your email addresses.

If the database is of three years old or old in short I feel mostly higher ranked members shall be at risk than newbies and those who have joined a while back, but in any circumstances I feel every one should change his passwords and be on the safe side. What if it's a insider member who's been targeting people who he believes have loads of Bitcoins, without any offense to any members, such scammers could be among us and thanks to op now all will be aware and be safe.

luv2drnkbr

hero member

Activity: 793

Merit: 1016

Just chiming in to say I also got a bunch of phishing e-mails. The latest one purported to be from BTC-e and told me to open the attached docx file to read a message sent to me.

The e-mail address I received these messages on was one only registered to BTC-e and is NOT registered on MtGox or these Bitcointalk forums, which leads me to believe some kind of compromise might have happened at BTC-e.

bitsalame

donator

Activity: 714

Merit: 510

Preaching the gospel of Satoshi

Quote from: btcforall777 on May 04, 2017, 04:13:32 PM

I got 1 spoofing BTC-E.com. But I was not a dumb head to click on it.

Nice job! But these attempts were too unsophisticated, so be careful.
Having the userbase of a site is a goldmine for a sophisticated phisher, if he knows what to do.

The recommended course of action is to do exactly what I did: compartmentalize your email addresses.
Regards

Restmand

sr. member

Activity: 979

Merit: 258

thank you for informing us, there are different site that are made by men that are the goals is to steal and het all the money of the bitcoin users, phishing is a site that once you have been logged on your account , your password might be save on their databases and they even know your username or even your email, better to keep our security and take time to think what was we are opening.

btcforall777

full member

Activity: 235

Merit: 250

I got 1 spoofing BTC-E.com. But I was not a dumb head to click on it.

Wesimon

sr. member

Activity: 406

Merit: 250

https://gexcrypto.io

Quote from: HabBear on May 02, 2017, 10:19:50 PM

Please stop calling it phishing. That word doesn't mean anything related to IT, email, or hackers. The first rule about naming new "things" is to give it a name that relates to that "thing's" definition. Phishing isn't it. We need to stop using that word.

What are the spoofed emails asking for? How would we know if the email we received was part of this email hack?

Thanks for the PSA!

Why should we stop using the term "phishing"? It is a jargon or technical term in the field of computing (computer) so there is nothing wrong about using it. As defined on wikipedia, phishing is a term that pertains to maliciously attempting to get your private information such as username, password, etc. by disguising themselves as a trustworthy entity.

I do not know what is your deal with "phishing" at all. We should stop using that term if it is inappropriate but since it's the right term for the issue and it is the issue, then use it. You can always use other terms but all have their freedom to use any term they want so why force us to stop using that term.

bitsalame

donator

Activity: 714

Merit: 510

Preaching the gospel of Satoshi

Yes, but it is not just about being "more" active.
The things that grabs my attention is that they are being active at all. They could have exploited these leaks any time before.
I had zero phishing emails before, they kept them dormant for 4/5 years and they suddenly exploiting both userbases at the same time.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: bitsalame on May 03, 2017, 12:12:31 AM

Quote from: Wind_FURY on May 03, 2017, 12:09:03 AM

If you lurk in this forum long enough, you should know better than to click links from random users. Bitcoin is reaching new all time highs. It is to be expected that scammers and thieves start working again.

You clearly don't understand what phishing is, if you think you will be getting email looking like actually coming from a random person.
Read again my OP and try to deduce it again.

Yes sorry. Phishing are emails that look like the real thing but actually is not. But the point is still the same. Scammers and thieves are more motivated to steal now that Bitcoin is reaching new all time highs.

Dogeboi3210

newbie

Activity: 41

Merit: 0

Quote from: bitsalame on May 02, 2017, 08:50:02 PM

Some asshole initiated a phishing campaign against the users of BTC-e and BitcoinTalk.
They are exploiting the leaked DBs from the major hacks in 2014 and 2015 respectively.

The ones I detected are:
1) Targeting BTC-E users: spoofed emails from LocalBitcoins
2) Targeting BTC-E users: spoofed emails from Blockchain.info
3) Targeting BitcoinTalk users: fake emails from Btc-e with some attached payload.
4) +Several failed login attempts.

The last thing I heard was that the BitcoinTalk DB was being offered for sale in 2016.
Considering this "explosive" sudden campaign my speculation is that either some asshole bought it or it was finally released to the public.

Users of BTC-e and BitcoinTalk who used the same emails to register to all these sites should take extra precaution.
I highly suggest to change not only the passwords of every service (if you haven't already... come on, it's been more than 3 years) AND ALSO change your email addresses.

I've definitely gotten some sketch emails related to BTC-E. People need to be careful around these emails, because one mistake and your BTC is gone.

bitsalame

donator

Activity: 714

Merit: 510

Preaching the gospel of Satoshi

Quote from: buwaytress on May 03, 2017, 06:34:58 AM

Quote from: HabBear on May 03, 2017, 01:29:40 AM

Then it should be called "fishing"...if these people are trying to fish your password, private keys, bank info, etc.

The word was poorly chosen from the beginning. Everyone should stop using it. It makes no sense.

This really reminds me about pointless arguments about how to pronounce GIF... even the suggested pronunciation by its creators is never seen as definitive because there will always be people out there who think of language in their own rigid terms.

Phishing has been in use for 20 years and is accepted terminology.

Sounds like some kids just graduated from grammar school... it it is typical of teenagers to be hypercorrecting shit.

@HabBear Phishing is a established terminology in computer security, it describes a specific social engineering modality.
Go check the dictionary, the neologism has been added to every reputable dictionary available.

buwaytress

legendary

Activity: 2800

Merit: 3443

Join the world-leading crypto sportsbook NOW!

Quote from: HabBear on May 03, 2017, 01:29:40 AM

Then it should be called "fishing"...if these people are trying to fish your password, private keys, bank info, etc.

The word was poorly chosen from the beginning. Everyone should stop using it. It makes no sense.

This really reminds me about pointless arguments about how to pronounce GIF... even the suggested pronunciation by its creators is never seen as definitive because there will always be people out there who think of language in their own rigid terms.

Phishing has been in use for 20 years and is accepted terminology.

sportis

sr. member

Activity: 406

Merit: 252

Veni, Vidi, Vici

Hopefully I use a different email account for bitcointalk and localbitcoins. I have never notice any phishing attempt for the latter site. The truth is that I have a long time to use it and maybe this is the reason nobody interests about me. However thanks the @OP to aware us of these incidents.

davis196

hero member

Activity: 2968

Merit: 913

Quote from: bitsalame on May 02, 2017, 08:50:02 PM

Some asshole initiated a phishing campaign against the users of BTC-e and BitcoinTalk.
They are exploiting the leaked DBs from the major hacks in 2014 and 2015 respectively.

The ones I detected are:
1) Targeting BTC-E users: spoofed emails from LocalBitcoins
2) Targeting BTC-E users: spoofed emails from Blockchain.info
3) Targeting BitcoinTalk users: fake emails from Btc-e with some attached payload.
4) +Several failed login attempts.

The last thing I heard was that the BitcoinTalk DB was being offered for sale in 2016.
Considering this "explosive" sudden campaign my speculation is that either some asshole bought it or it was finally released to the public.

Users of BTC-e and BitcoinTalk who used the same emails to register to all these sites should take extra precaution.
I highly suggest to change not only the passwords of every service (if you haven't already... come on, it's been more than 3 years) AND ALSO change your email addresses.

I don`t have a BTC-e account and i changed my bitcointalk email one month ago.
This is enough for my account security,i quess.
Hackers are trying to hit the bitcoin price back to 1000 USD.

Kakmakr

legendary

Activity: 3430

Merit: 1957

Leading Crypto Sports Betting & Casino Platform

No matter what these people are doing < definition is not that important > it should be noted that there are active attempts by someone to steal our coins from many platforms. Change your passwords regularly and do not re-use the same passwords for all the different services.

Thanks OP, for giving everyone a early warning about this. ^smile^

AGD

legendary

Activity: 2069

Merit: 1164

Keeper of the Private Key

Quote from: HabBear on May 03, 2017, 01:29:40 AM

Quote from: BTCforJoe on May 02, 2017, 10:27:07 PM

Quote from: HabBear on May 02, 2017, 10:19:50 PM

Please stop calling it phishing. That word doesn't mean anything related to IT, email, or hackers. The first rule about naming new "things" is to give it a name that relates to that "thing's" definition. Phishing isn't it. We need to stop using that word.

What are the spoofed emails asking for? How would we know if the email we received was part of this email hack?

Thanks for the PSA!

Technically, it is phishing if spoofed emails are being delivered to users. I'm assuming that these emails are a way to phish your password and/or private keys somehow.

OP, do you have any examples of what these spoofed emails look like?

Then it should be called "fishing"...if these people are trying to fish your password, private keys, bank info, etc.

The word was poorly chosen from the beginning. Everyone should stop using it. It makes no sense.

Nobody uses the word "fishing" in connection with computer hacking. The "ph" in "phishing" defines it as hacking related and is widespread used. If I remember correct, the "ph" was first used in "phreaking", which was phone hacking back in the last millenium.
Something like the "Z" in "Warez" and Appz", which made clear, that this site is releasing cracked software.

HabBear

hero member

Activity: 1106

Merit: 637

Quote from: BTCforJoe on May 02, 2017, 10:27:07 PM

Quote from: HabBear on May 02, 2017, 10:19:50 PM

Please stop calling it phishing. That word doesn't mean anything related to IT, email, or hackers. The first rule about naming new "things" is to give it a name that relates to that "thing's" definition. Phishing isn't it. We need to stop using that word.

What are the spoofed emails asking for? How would we know if the email we received was part of this email hack?

Thanks for the PSA!

Technically, it is phishing if spoofed emails are being delivered to users. I'm assuming that these emails are a way to phish your password and/or private keys somehow.

OP, do you have any examples of what these spoofed emails look like?

Then it should be called "fishing"...if these people are trying to fish your password, private keys, bank info, etc.

The word was poorly chosen from the beginning. Everyone should stop using it. It makes no sense.

bitsalame

donator

Activity: 714

Merit: 510

Preaching the gospel of Satoshi

Quote from: BTCforJoe on May 02, 2017, 10:27:07 PM

Quote from: HabBear on May 02, 2017, 10:19:50 PM

Please stop calling it phishing. That word doesn't mean anything related to IT, email, or hackers. The first rule about naming new "things" is to give it a name that relates to that "thing's" definition. Phishing isn't it. We need to stop using that word.

What are the spoofed emails asking for? How would we know if the email we received was part of this email hack?

Thanks for the PSA!

Technically, it is phishing if spoofed emails are being delivered to users. I'm assuming that these emails are a way to phish your password and/or private keys somehow.

OP, do you have any examples of what these spoofed emails look like?

Ok these are the emails I've been getting:
First Email:

Quote

From: [email protected]
To: (address registered ONLY for btc-e)
Subject: [localbitcoins.com #36354 message from administrator.
Body:

Quote

[email protected] (recipient address)

Message:

Please check and secure your account.

You can login here https://localbitcoins.com/login/44641

Second Email:

Quote

From: [email protected]
To: (address registered ONLY for btc-e)
Subject: [localbitcoins.com #80654 message from administrator.
Body:

Quote

[email protected] (recipient address)

Message:

Please check and secure your account.

http://localbitcoins.com/login/51939

Third Email:

Quote

From: Blockchain noreplay@blockc (sic)
To: (address registered ONLY for btc-e)
Subject: Authorize log-in attempt.
Body:

Quote

Authorize log-in attempt (recipient's email address)

An attempt to login to your blockchain.info wallet was made from an unknown browser
Please check and secure your account.

Please Login here ! [Link: http://www.vanityonlinestore.com/mic/a266.php?(email address)

BlockChain Security Team.

Fourth email, in this attempt they were incredibly stupid and also incredibly sneaky at the same time. Even though they didn't even bother spoofing the email address, the phishing link uses unicode (the k is not ascii, it is the russian unicode) if they were clever enough, they could have registered that domain, pay for an ssl certificate and they could have had an indistinguishable blockchain.info spoof with a "green" ssl lock in the browser. But fortunately these guys are a bunch of careless amateurs.

Quote

From: Blockchain [email protected]
To: (address registered ONLY for btc-e)
Subject: Activate your email address
Body:

Quote

Fifth email:

Quote

From: Franks Keane [email protected] (? Seriously?)
To: (address registered ONLY for BitcoinTalk forums up to 2015)
Subject: BTC-e codes for (BitcoinTalk username)
Data:

Quote

Hello (BitcoinTalk Username).

Please review attached your BTC-e codes.

You have to use it within 6 hours.

Password is GLmsWjr50MJ6i. You have to type it to be able to open the document.

Thanks
Franks Keane
(Attached BitcoinTalkUsername.docx)

And lastly, the very first one actually targetted btc-e users, by spoofing btc-e itself.

Quote

From: BTC-e [email protected]
To: (address registered ONLY for BTC-e)
Subject: Please update your email account.
Data:

Quote

Dear Customer btce

Please update your email account.

https://www.btc-e.com/update-email/44tg4y2d
(Links to http://www.linkbucks.com/AjeTr?(email address registered for btce))

This phishing campaign started on Apr 22nd.
I had zero attempts for 4 years since the hack, and that was baffling considering that it was public knowledge that their DB was dumped from these two sites. I guess that the attackers were either saving it for the right moment, or were finally able to sold the DB or they just got tired of keeping it and made it public.

bitsalame

donator

Activity: 714

Merit: 510

Preaching the gospel of Satoshi

Quote from: Wind_FURY on May 03, 2017, 12:09:03 AM

If you lurk in this forum long enough, you should know better than to click links from random users. Bitcoin is reaching new all time highs. It is to be expected that scammers and thieves start working again.

You clearly don't understand what phishing is, if you think you will be getting email looking like actually coming from a random person.
Read again my OP and try to deduce it again.

Topic: PSA: **WARNING** ACTIVE PHISHING CAMPAIGN AGAINST BitcoinTalk and BTC-e USERS (Read 1102 times)

Topic: PSA: WARNING ACTIVE PHISHING CAMPAIGN AGAINST BitcoinTalk and BTC-e USERS (Read 1102 times)