
Topic: Two new MtGox phishing websites, always check for HTTPS (Read 1754 times)

newbie
Activity: 14
Merit: 100
omg, I accidentally clicked mtgox.de today, but I closed it in like a few seconds? Should I worry about it? Could I have a virus by now?

If you don't use Internet Explorer and you did not download any .exe you are fine.

You can always run a virus check

No, I didn't download anything obv and I don't use IE. thx.
There was a banner of mtgox.de at the cryptocoincharts.info
rme
hero member
Activity: 756
Merit: 504
Did Mtgox confirm it was a scam?
I don't think they did.

If you want to check it, download these files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to VirusTotal.

Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.


This zip contains the two MTGOX viruses:
(CAUTION, VIRUS)http://xena.ww7.be/wsj/trojan.zip (CAUTION, VIRUS)

https://malwr.com/submission/status/MTEwZDcyNTM2ZTYzNGVmYTljNTMwMDBkOWU0MTVkNzU/
https://www.virustotal.com/es/file/d262bb2faf6d0bcd7064e0b51509dbbca7c8c90ac97d4e07fc97e527fa915833/analysis/1369856227/
legendary
Activity: 1274
Merit: 1004
Did Mtgox confirm it was a scam?
I don't think they did.

If you want to check it, download these files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to VirusTotal.

Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.
rme
hero member
Activity: 756
Merit: 504
omg, I accidentally clicked mtgox.de today, but I closed it in like a few seconds? Should I worry about it? Could I have a virus by now?

If you don't use Internet Explorer and you did not download any .exe you are fine.

You can always run a virus check
rme
hero member
Activity: 756
Merit: 504
UPDATES:
mtgox.de is now in the phishing list (blocked by most browsers)
new phishing domain hxxp://mtgox.net
new phishing domain hxxp://mtgox.co.uk
rme
hero member
Activity: 756
Merit: 504
Did Mtgox confirm it was a scam?
I don't think they did.

If you want to check it, download these files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to VirusTotal.
newbie
Activity: 56
Merit: 0
A few important things to understand:
- Google phishing is not used by IE, Opera, Safari, etc.
- the whois information is faked, so don't bother reporting the guy, you don't know him.
- the green bar in the browser unfortunately doesn't mean much, as it's rather easy to get a EEV certificate for any domain for the "Mtgox Tibanne" name. The only thing of value is the domain name in your address bar.
hero member
Activity: 728
Merit: 500
Reported - thanks for the quick documentation to make this easy!
full member
Activity: 140
Merit: 100
I will report this person to the German police; it's a fraud attempt.
legendary
Activity: 1428
Merit: 1001
Okey Dokey Lokey
Thanks! I reported the sites just as you suggested.
I don't even use mtgox
hero member
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
full member
Activity: 231
Merit: 100
Did Mtgox confirm it was a scam?
I don't think they did.

What's to confirm?

The MtGox website says:

Quote
IMPORTANT: If you don't see a green bar in your browser URL input like the image below, you might be on a phishing website! Always be very careful of that when you login.

(The fact that they haven't edited that part out of the phishing site is a nice touch.)

If you submit the form, your username and password get sent to mtgox.de. That domain points to 74.86.83.82, which is a SoftLayer IP address.
full member
Activity: 238
Merit: 100
hero member
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
Either way it's good to know. Thanks for the heads up OP.
newbie
Activity: 56
Merit: 0
Did Mtgox confirm it was a scam?
I don't think they did.
legendary
Activity: 1274
Merit: 1004
Actually I checked the source code and it's suspicious for sure.

Real mtgox
http://pastie.org/7980108

mtgox.de
http://pastie.org/7980104
legendary
Activity: 1274
Merit: 1004
Well whois data of mtgox.de .net and .org is same.

and mtgox guys are acting dumb.  

https://twitter.com/c0k3in/statuses/339716874373849088


https://dazzlepod.com/ip/74.86.83.82/

who.is data of mtgox.de



 

legendary
Activity: 1274
Merit: 1004
Thanks for the warning, and yeah, I have seen mtgox.de on Google advertisements.
Looks like they are using adsense.

rme
hero member
Activity: 756
Merit: 504
Hi,
hxxp://mtgox.de and hxxp://mtgox.org are SCAM websites.
Do not download any EXE, they are viruses.

The original URL is https://mtgox.com (remember HTTPS and .COM).

Proof of virus in .de and .org domains:
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

PLEASE DO NOT EXECUTE THESE VIRUSES


PLEASE REPORT THIS WEBSITE TO GOOGLE PHISHING, THIS WAY IT WILL BE BLOCKED IN BROWSERS
1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.org in the phishing url field
3.- Write this in comments: "mtgox.org is a phishing site of the real mtgox.com website".


1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.de in the phishing url field
3.- Write this in comments: "mtgox.de is a phishing site of the real mtgox.com website".


UPDATES:
mtgox.de is now in the phishing list (blocked by most browsers)
new phishing domain hxxp://mtgox.net
new phishing domain hxxp://mtgox.co.uk
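
Added example, not part of the original thread or written by any poster: a small Python check that applies the advice above ("remember HTTPS and .COM", and that the domain in the address bar is what counts) to a pasted link, including the defanged hxxp:// form used in this thread. The constants, function names and the three trick URLs in the sample list are assumptions made for illustration, as is treating subdomains of mtgox.com as trusted.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: the only trusted name is the one the post
# gives (mtgox.com), and its subdomains are trusted too.
OFFICIAL_HOST = "mtgox.com"
BRAND = "mtgox"


def refang(url: str) -> str:
    """Undo the defanging used in the thread (hxxp://, [.]); add a scheme to bare hosts."""
    u = url.strip().replace("[.]", ".")
    if u.lower().startswith("hxxp"):
        u = "http" + u[4:]
    if "://" not in u:
        u = "http://" + u  # a bare "mtgox.de" as typed into a browser
    return u


def classify(url: str) -> str:
    """Return official / official-host-without-https / lookalike / unrelated / unparseable."""
    parts = urlsplit(refang(url))
    # .hostname drops userinfo and port and lowercases the name, so
    # "https://mtgox.com@mtgox.de/" is judged by mtgox.de, as a browser would.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unparseable"
    if host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST):
        return "official" if parts.scheme == "https" else "official-host-without-https"
    # The brand name in any label of a different domain is a lookalike.
    if any(BRAND in label for label in host.split(".")):
        return "lookalike"
    return "unrelated"


# Constructed sample input: domains named in the thread plus three made-up tricks.
SAMPLES = [
    "https://mtgox.com/",
    "http://mtgox.com/",
    "hxxp://mtgox.de/MTGOX_Wallet.exe",
    "hxxp://mtgox.co.uk",
    "https://mtgox.com@mtgox.de/login",   # userinfo trick (constructed)
    "https://mtgox.com.example.net/",     # brand as a subdomain (constructed)
    "https://example.org/mtgox.com",      # brand only in the path (constructed)
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):30} {sample}")
```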