
Topic: SCAM: bitcoin-talk.org (Read 974 times)

hero member
Activity: 661
Merit: 502
June 27, 2013, 09:56:34 PM
#5
Filtered now, thanks for the fast action.
legendary
Activity: 1288
Merit: 1227
Away on an extended break
June 27, 2013, 12:57:26 PM
#4
Nah, this isn't the first time the forum has been cloned. There are a lot more domains that were spammed here a few months ago to phish. Please report such occurrences when you see them, and please check the address before entering your address anywhere. Or better still, get a good password manager.
legendary
Activity: 1134
Merit: 1118
June 27, 2013, 01:18:50 AM
#3
Dat ref link in OP's post when he mentions CoinChat ;)

I don't think we can do anything about this though, other than post warnings.
full member
Activity: 231
Merit: 100
June 26, 2013, 11:05:05 PM
#2
Well, that would certainly explain the vast number of hacked accounts lately.
newbie
Activity: 50
Merit: 0
June 26, 2013, 09:21:57 PM
#1
Who would've known? A clone of this website actually exists! :D If the phishing alarm hasn't gone off in your head, it's because multiple domains are registered often, especially in the BTC community. But read on and you'll learn to stay far away from it...

Introduction
I accidentally came upon this domain through a link on CoinChat (inside chat, NOT the website itself), and it seems to be a very well built clone of bitcointalk.org. Sadly I didn't investigate before logging in...

RED FLAG 1: WHOIS
According to WHOIS, this domain was registered 25-Jun-2013 02:47:37 UTC. The WHOIS information is blocked via WhoisGuard. The original domain's WHOIS, found here, has information exposed and a more reasonable registration date.

Code:
Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Public Interest Registry registry database. The data in this record is provided by
Public Interest Registry for informational purposes only, and Public Interest Registry does
not
guarantee its accuracy.  This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Public Interest Registry reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.

Domain ID:D169045063-LROR
Domain Name:BITCOIN-TALK.ORG
Created On:25-Jun-2013 02:47:36 UTC
Last Updated On:25-Jun-2013 02:47:37 UTC
Expiration Date:25-Jun-2014 02:47:36 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:ad655b4f1b565a9d
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:+1.6613102107
Registrant FAX Ext.:
Registrant Email:[email protected]
Admin ID:ad655b4f1b565a9d
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200
Admin Street2:
Admin Street3:
Admin City:Los Angeles
Admin State/Province:CA
Admin Postal Code:90064
Admin Country:US
Admin Phone:+1.6613102107
Admin Phone Ext.:
Admin FAX:+1.6613102107
Admin FAX Ext.:
Admin Email:[email protected]
Tech ID:ad655b4f1b565a9d
Tech Name:WhoisGuard Protected
Tech Organization:WhoisGuard
Tech Street1:11400 W. Olympic Blvd. Suite 200
Tech Street2:
Tech Street3:
Tech City:Los Angeles
Tech State/Province:CA
Tech Postal Code:90064
Tech Country:US
Tech Phone:+1.6613102107
Tech Phone Ext.:
Tech FAX:+1.6613102107
Tech FAX Ext.:
Tech Email:[email protected]
Name Server:DNS1.REGISTRAR-SERVERS.COM
Name Server:DNS2.REGISTRAR-SERVERS.COM
Name Server:DNS3.REGISTRAR-SERVERS.COM
Name Server:DNS4.REGISTRAR-SERVERS.COM
Name Server:DNS5.REGISTRAR-SERVERS.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

RED FLAG 2: Different IPs
Code:
$ ping bitcoin-talk.org
PING bitcoin-talk.org (162.216.3.182) 56(84) bytes of data.
64 bytes from 162.216.3.182: icmp_req=1 ttl=52 time=72.3 ms

--- bitcoin-talk.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 72.352/72.352/72.352/0.000 ms

$ ping bitcointalk.org
PING bitcointalk.org (109.201.133.65) 56(84) bytes of data.

--- bitcointalk.org ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

'nuf said. Additionally, the GeoIP for the naughty IP declares it as United States, with no specific location. ARIN, however, gives some more detailed information:
Code:
Network
NetRange 162.216.3.128 - 162.216.3.255
CIDR 162.216.3.128/25
Name CRISSIC-SOLUTIONS
Handle NET-162-216-3-128-1
Parent NODESDIRECT (NET-162-216-0-0-1)
Net Type Reassigned
Origin AS AS19531
Customer Private Customer (C04617459)
Registration Date 2013-06-23
Last Updated 2013-06-23
Comments
RESTful Link http://whois.arin.net/rest/net/NET-162-216-3-128-1
See Also Upstream network's resource POC records.
See Also Upstream organization's POC records.
See Also Related delegations.


Customer
Name Private Customer
Handle C04617459
Street Private Residence
City Springfield
State/Province MO
Postal Code 65807
Country US
Registration Date 2013-06-23
Last Updated 2013-06-23
Comments
RESTful Link http://whois.arin.net/rest/customer/C04617459
See Also Upstream network's resource POC records.
See Also Upstream organization's POC records.

Seems to be related to this VPS company. The phisher is probably a customer of said company. In a very unlikely scenario, the company is running the scheme, but that's unlikely...

GeoIP for legitimate website:
Code:
109.201.133.65 NL Rozendaal, Provincie Gelderland, Netherlands, Europe 52.0074, 5.9654 NForce Entertainment B.V. NForce Entertainment B.V.

Conclusion
Nevertheless, I logged in mindlessly BEFORE conducting this investigation! :P It seems to redirect you to the home page without an actual login, very likely storing your account details in the process.

I have since changed my password, and if you've accessed and tried to login with this website, you should too!

I must admit though, whoever designed this little phish did a pretty good job...
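The three red flags the post walks through (a hyphenated lookalike of a known domain, a registration date only days old, and a WhoisGuard-masked registrant) can be checked mechanically before logging in anywhere. The script below is an added example, not code from the thread or its posters; it parses the `Created On` line from a captured WHOIS record (the sample fields are copied from the record quoted above), with the 90-day age window and the 0.85 similarity threshold chosen as assumptions.

```python
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample: a few fields from the WHOIS record quoted in the thread.
SAMPLE_WHOIS = """Domain Name:BITCOIN-TALK.ORG
Created On:25-Jun-2013 02:47:36 UTC
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
"""

# Domains the user actually intends to log in to (assumed allow-list).
LEGIT_DOMAINS = {"bitcointalk.org"}


def parse_created_on(whois_text):
    """Return the .ORG-style 'Created On' timestamp as an aware UTC datetime."""
    m = re.search(r"^Created On:\s*(.+?)\s*$", whois_text, re.M)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S %Z")
    return created.replace(tzinfo=timezone.utc)


def normalize(domain):
    """Drop the TLD and separator characters so bitcoin-talk == bitcointalk."""
    label = domain.lower().rsplit(".", 1)[0]
    return re.sub(r"[-_.]", "", label)


def is_lookalike(domain, legit=LEGIT_DOMAINS, threshold=0.85):
    """True when the domain imitates an allow-listed one but is not it."""
    if domain.lower() in legit:
        return False
    for good in legit:
        if normalize(domain) == normalize(good):
            return True
        if SequenceMatcher(None, domain.lower(), good).ratio() >= threshold:
            return True
    return False


def assess(domain, whois_text, now, max_age_days=90):
    """Collect the red flags from the thread for one domain and its WHOIS text."""
    flags = []
    if is_lookalike(domain):
        flags.append("lookalike of known domain")
    created = parse_created_on(whois_text)
    if created is not None and (now - created).days <= max_age_days:
        flags.append("registered within %d days" % max_age_days)
    if re.search(r"whoisguard|privacy|redacted", whois_text, re.I):
        flags.append("registrant identity hidden")
    return flags
```

Run `assess("bitcoin-talk.org", SAMPLE_WHOIS, datetime.now(timezone.utc))` on a freshly fetched record; any non-empty result is reason to stop and verify the address before typing a password.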