Topic: Two new MtGox phising websites, always check for HTTPS (Read 1729 times)

No, I didn't download anything obv and I don't use IE. thx.
There was a banner of mtgox.de at the cryptocoincharts.info

This zip contains the two MTGOX viruses:
(CAUTION, VIRUS)http://xena.ww7.be/wsj/trojan.zip (CAUTION, VIRUS)

https://malwr.com/submission/status/MTEwZDcyNTM2ZTYzNGVmYTljNTMwMDBkOWU0MTVkNzU/
https://www.virustotal.com/es/file/d262bb2faf6d0bcd7064e0b51509dbbca7c8c90ac97d4e07fc97e527fa915833/analysis/1369856227/

Please upload it to https://malwr.com also and if possible zip it and send it to me for manual analysis.

If you dont use Internet explorer and you do not downloaded any .exe you are fine.

You can always run a virus check 

UPDATES:
mtgox.de is now in the phising list (blocked by most browsers)
new phising domain hxxp://mtgox.net
new phising domain hxxp://mtgox.co.uk

If you want to check it download this files (they are viruses):
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

If you do not execute them you are fine.
Your AV will notify that they are viruses.

In 4 minutes I will upload the virus to virstotal.

A few important things to understand:
- google fishing is not used by IE, Opera, Safari, etc.
- the whois information is faked, so don't bother reporting the guy, you don't know him.
- the green bar in the browser unfortunately doesn't mean much, as it's rather easy to get a EEV certificate for any domain for the "Mtgox Tibanne" name. The only thing of value is the domain name in your address bar.

Reported - thanks for the quick documentation to make this easy!

I will report this person to the german police its a fraud attempt.

Thanks!, I reported the sites just as you suggested
I dont even use mtgox

+1

What's to confirm?

The MtGox website says:


(The fact that they haven't edited that part out of the phishing site is a nice touch.)

If you submit the form, your username and password get sent to mtgox.de. That domain points to 74.86.83.82, which is a SoftLayer IP address.

Also report them here. https://www.badwarebusters.org/community/submit

Either way it's good to know. Thanks for the heads up OP.

Did Mtgox confirm it was a scam?
I don't think they did.

Actually i checked source code and it's suspicious for sure.

Real mtgox
http://pastie.org/7980108

mtgox.de
http://pastie.org/7980104

Well whois data of mtgox.de .net and .org is same.

and mtgox guys are acting dumb.  

https://twitter.com/c0k3in/statuses/339716874373849088


https://dazzlepod.com/ip/74.86.83.82/

who.is data of mtgox.de


Domain holder:   Christian Schmitz
Address:   Dr August Blank Str 7
Postal code:   51373
City:   Leverkusen
Country:   DE
Administrative contact

The administrative contact (admin-c) is the natural person appointed by the domain holder to act as his/her authorized representative and who also has the duty towards DENIC of taking binding decisions in all matters concerning the domain mtgox.de.
Name:   Christian Schmitz
Address:   Dr August Blank Str 7
Postal code:   51373
City:   Leverkusen
Country:   DE
Technical contact

The technical contact (tech-c) supports the domain mtgox.de with respect to technical aspects.
Name:   Martin Hetzner
Organisation:   Hetzner Online AG
Address:   Stuttgarter Strasse 1
Postal code:   91710
City:   Gunzenhausen
Country:   DE
Phone:   +499831610061
Fax:   +499831610062
E-mail:   [email protected]
Zone administrator

The zone administrator (zone-c) supports the name servers of the domain mtgox.de.
Name:   Martin Hetzner
Organisation:   Hetzner Online AG
Address:   Stuttgarter Strasse 1
Postal code:   91710
City:   Gunzenhausen
Country:   DE
Phone:   +499831610061
Fax:   +499831610062
E-mail:   [email protected]
Technical data
Name server:   ns.second-ns.com
Name server:   ns1.your-server.de
Name server:   ns3.second-ns.de

 

Thanks for warning and yeah i have seen mtgox.de on google advertisement.
Looks like they are using adsense.

Hi,
hxxp://mtgox.de and hxxp://mtgox.org are SCAM websites.
Do not download any EXE, they are virus.

The original URL is https://mtgox.com (remember HTTPS and .COM).

Proof of virus in .de and .org domains:
hxxp://mtgox.de/MTGOX_Wallet.exe
hxxp://mtgox.org/MTGOX_Wallet.exe

PLEASE DO NOT EXECUTE THIS VIRUSES


PLEASE REPORT THIS WEBSITE TO GOOGLE PHISING, THIS WAY IT WILL BE BLOCKED IN BROWSERS
1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.org in the phising url field
3.- Write this in comments: "mtgox.org is a phising site of the real mtgox.com website".


1.- Go to https://www.google.com/safebrowsing/report_phish/?hl=en
2.- Write mtgox.de in the phising url field
3.- Write this in comments: "mtgox.de is a phising site of the real mtgox.com website".


UPDATES:
mtgox.de is now in the phising list (blocked by most browsers)
new phising domain hxxp://mtgox.net
new phising domain hxxp://mtgox.co.uk