Who would've known? A clone of this website actually exists!
If the phishing alarm hasn't gone off in your head yet, it's because projects often register several similar-looking domains, especially in the BTC community. But read on and you'll learn to stay far away from this one...
Introduction
I accidentally came upon this domain through a link on CoinChat (inside the chat, NOT on the website itself), and it seems to be a very well built clone of bitcointalk.org. Sadly, I didn't investigate before logging in...
RED FLAG 1: WHOIS
According to WHOIS, this domain was registered on 25-Jun-2013 02:47:36 UTC, i.e. it was brand new at the time of writing. The registrant, admin and tech contacts are all hidden behind WhoisGuard. The original domain's WHOIS, found here, has its contact information exposed and a much earlier registration date.
Access to .ORG WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
Domain ID:D169045063-LROR
Domain Name:BITCOIN-TALK.ORG
Created On:25-Jun-2013 02:47:36 UTC
Last Updated On:25-Jun-2013 02:47:37 UTC
Expiration Date:25-Jun-2014 02:47:36 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:ad655b4f1b565a9d
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:+1.6613102107
Registrant FAX Ext.:
Registrant Email: [email protected]
Admin ID:ad655b4f1b565a9d
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200
Admin Street2:
Admin Street3:
Admin City:Los Angeles
Admin State/Province:CA
Admin Postal Code:90064
Admin Country:US
Admin Phone:+1.6613102107
Admin Phone Ext.:
Admin FAX:+1.6613102107
Admin FAX Ext.:
Admin Email: [email protected]
Tech ID:ad655b4f1b565a9d
Tech Name:WhoisGuard Protected
Tech Organization:WhoisGuard
Tech Street1:11400 W. Olympic Blvd. Suite 200
Tech Street2:
Tech Street3:
Tech City:Los Angeles
Tech State/Province:CA
Tech Postal Code:90064
Tech Country:US
Tech Phone:+1.6613102107
Tech Phone Ext.:
Tech FAX:+1.6613102107
Tech FAX Ext.:
Tech Email: [email protected]
Name Server:DNS1.REGISTRAR-SERVERS.COM
Name Server:DNS2.REGISTRAR-SERVERS.COM
Name Server:DNS3.REGISTRAR-SERVERS.COM
Name Server:DNS4.REGISTRAR-SERVERS.COM
Name Server:DNS5.REGISTRAR-SERVERS.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
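The two checks made by hand so far, spotting that the name is a look-alike of the real domain and reading the registration date and privacy shield out of the WHOIS record, can be scripted. The following is an added example and not code from the original post: the WHOIS text embedded in it is the record shown above (contact blocks trimmed), while the 90-day "too new" threshold, the short privacy-proxy name list and the observation date are assumptions chosen for illustration.

```python
# Added example, not code from the original post: automate the two checks the
# post makes by hand, (1) is the name a look-alike of the real domain and
# (2) does its WHOIS record show a freshly registered, privacy-shielded domain.
# CLONE_WHOIS is the record shown in the post (contact blocks trimmed); the
# 90-day threshold and the proxy-name list are assumptions for illustration.
from datetime import date, datetime

CLONE_WHOIS = """\
Domain ID:D169045063-LROR
Domain Name:BITCOIN-TALK.ORG
Created On:25-Jun-2013 02:47:36 UTC
Last Updated On:25-Jun-2013 02:47:37 UTC
Expiration Date:25-Jun-2014 02:47:36 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
Name Server:DNS1.REGISTRAR-SERVERS.COM
Name Server:DNS2.REGISTRAR-SERVERS.COM
Name Server:
DNSSEC:Unsigned
"""

# Assumed starter list of privacy/proxy registrants; extend it for real use.
PRIVACY_PROXIES = ("whoisguard", "domains by proxy", "privacy")


def parse_whois(text):
    """Parse 'Key:Value' lines into {key: [values]}; repeated keys (Status,
    Name Server) accumulate and blank values are dropped."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value:
            record.setdefault(key, []).append(value)
    return record


def created_on(record):
    """Registry creation timestamp as a naive UTC datetime."""
    raw = record["Created On"][0].replace(" UTC", "")
    return datetime.strptime(raw, "%d-%b-%Y %H:%M:%S")


def whois_red_flags(record, observed, max_age_days=90):
    """Warning signs for a domain first seen on ISO date `observed`."""
    flags = []
    age = (date.fromisoformat(observed) - created_on(record).date()).days
    if age <= max_age_days:
        flags.append(f"registered only {age} day(s) before it was seen")
    registrant = " ".join(record.get("Registrant Organization", [])
                          + record.get("Registrant Name", [])).lower()
    if any(proxy in registrant for proxy in PRIVACY_PROXIES):
        flags.append("registrant hidden behind a privacy proxy")
    if "ADDPERIOD" in record.get("Status", []):
        flags.append("still inside the registry add-grace period")
    return flags


def registrable_label(domain):
    """Second-level label, lowercased ('www.bitcoin-talk.org' -> 'bitcoin-talk').
    Assumes a single-label public suffix such as .org or .com."""
    return domain.lower().rstrip(".").rsplit(".", 2)[-2]


def edit_distance(a, b):
    """Levenshtein distance, standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(candidate, legit, max_distance=2):
    """Does `candidate` imitate `legit` once hyphens and the usual digit-for-letter
    swaps are normalised away? Returns the normalised distance and a verdict."""
    def normalise(label):
        return label.replace("-", "").replace("1", "l").replace("0", "o")
    c, l = registrable_label(candidate), registrable_label(legit)
    distance = edit_distance(normalise(c), normalise(l))
    return {"candidate": c, "legit": l, "distance": distance,
            "suspicious": c != l and distance <= max_distance}


if __name__ == "__main__":
    record = parse_whois(CLONE_WHOIS)
    print(lookalike("bitcoin-talk.org", "bitcointalk.org"))
    for flag in whois_red_flags(record, observed="2013-07-01"):
        print("RED FLAG:", flag)
```

The look-alike check strips hyphens before measuring distance, which is exactly why bitcoin-talk.org scores as identical to bitcointalk.org; the age check is what catches a domain that is days old at the time someone is linking to it.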
RED FLAG 2: Different IPs
$ ping bitcoin-talk.org
PING bitcoin-talk.org (162.216.3.182) 56(84) bytes of data.
64 bytes from 162.216.3.182: icmp_req=1 ttl=52 time=72.3 ms
--- bitcoin-talk.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 72.352/72.352/72.352/0.000 ms
$ ping bitcointalk.org
PING bitcointalk.org (109.201.133.65) 56(84) bytes of data.
--- bitcointalk.org ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
'nuf said: the two names resolve to completely different addresses (162.216.3.182 vs. 109.201.133.65), so the clone is hosted somewhere else entirely. (The 100% packet loss for bitcointalk.org only means that host doesn't answer ICMP; the resolved address is the part that matters.) Additionally, GeoIP places the naughty IP in the United States with no specific location. ARIN, however, gives more detailed information:
Network
NetRange 162.216.3.128 - 162.216.3.255
CIDR 162.216.3.128/25
Name CRISSIC-SOLUTIONS
Handle NET-162-216-3-128-1
Parent NODESDIRECT (NET-162-216-0-0-1)
Net Type Reassigned
Origin AS AS19531
Customer Private Customer (C04617459)
Registration Date 2013-06-23
Last Updated 2013-06-23
Comments
RESTful Link http://whois.arin.net/rest/net/NET-162-216-3-128-1
Customer
Name Private Customer
Handle C04617459
Street Private Residence
City Springfield
State/Province MO
Postal Code 65807
Country US
Registration Date 2013-06-23
Last Updated 2013-06-23
Comments
RESTful Link http://whois.arin.net/rest/customer/C04617459
The /25 is a reassignment from
this VPS company to a "Private Customer", so the phisher is most likely a customer of said company rather than the company itself running the scheme. Note the netblock's registration date, 2013-06-23: two days before the domain was registered.
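The ARIN record can be read mechanically too: check that the suspicious address really falls inside the quoted block, note that the block is a small reassignment to an anonymous customer, and compare the block's registration date with the domain's. This is an added example and not code from the original post; the record text, the two addresses and the domain creation date are the ones the post shows.

```python
# Added example, not code from the original post: read the ARIN netblock record
# the post quotes and check where the clone's address sits in it. The record
# text, the two addresses and the domain creation date are taken from the post.
from datetime import date
import ipaddress

ARIN_RECORD = """\
NetRange 162.216.3.128 - 162.216.3.255
CIDR 162.216.3.128/25
Name CRISSIC-SOLUTIONS
Handle NET-162-216-3-128-1
Parent NODESDIRECT (NET-162-216-0-0-1)
Net Type Reassigned
Origin AS AS19531
Customer Private Customer (C04617459)
Registration Date 2013-06-23
Last Updated 2013-06-23
"""

# Keys in ARIN's web output; there is no separator between key and value,
# so each line is matched by "key followed by a space".
ARIN_KEYS = ("NetRange", "CIDR", "Name", "Handle", "Parent", "Net Type",
             "Origin AS", "Customer", "Registration Date", "Last Updated")


def parse_arin(text):
    """Return {key: value} for the known ARIN fields found in `text`."""
    record = {}
    for line in text.splitlines():
        for key in ARIN_KEYS:
            if line.startswith(key + " "):
                record[key] = line[len(key):].strip()
                break
    return record


def place_address(record, ip):
    """Is `ip` inside the block, and who provides and holds the block?"""
    block = ipaddress.ip_network(record["CIDR"])
    return {
        "in_block": ipaddress.ip_address(ip) in block,
        "block_size": block.num_addresses,
        "reassigned": record["Net Type"].lower() == "reassigned",
        "provider": record["Name"],
        "holder": record["Customer"],
    }


def provisioning_gap_days(record, domain_created):
    """Days from the netblock's ARIN registration to the domain's creation
    (both ISO dates). A small gap suggests a VPS spun up for this domain."""
    return (date.fromisoformat(domain_created)
            - date.fromisoformat(record["Registration Date"])).days


if __name__ == "__main__":
    rec = parse_arin(ARIN_RECORD)
    print(place_address(rec, "162.216.3.182"))
    print("netblock registered", provisioning_gap_days(rec, "2013-06-25"),
          "day(s) before the domain")
```

A 128-address block reassigned to a "Private Customer" two days before the domain appeared is the profile of a freshly rented VPS, which is what makes the abuse contact of the provider (Crissic Solutions here), rather than the customer, the useful place to report it.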
GeoIP for the legitimate website:
109.201.133.65 NL Rozendaal, Provincie Gelderland, Netherlands, Europe 52.0074, 5.9654 NForce Entertainment B.V.
Conclusion
Nevertheless, I logged in mindlessly BEFORE conducting this investigation!
It seems to redirect you to the home page without actually logging you in, very likely storing your account details in the process.
I have since changed my password, and if you've accessed this website and tried to log in, you should too!
I must admit though, whoever designed this little phish did a pretty good job...