Author

Topic: *WARNING* "Bitcoin.org/Bitcoin.com" Phishing Scam!!! Possibly originating here (Read 1728 times)

full member
Activity: 157
Merit: 500
legendary
Activity: 1050
Merit: 1000
sad to see such a domain being abused.
sr. member
Activity: 406
Merit: 250
I get e-mails all the time saying someone sent 8 btc to my wallet and asking me to download a file with the transaction attached. I of course delete the attachment and the e-mail. Occasionally I launch a profanity laced reply but only when the mood hits me.
legendary
Activity: 1582
Merit: 1064
Flag #4 - Payload file name included last four digits of my SSN.

This is what scares me. Phishing mails are no longer mass mailed in the hope that at least one in a million falls for it. They seem to be targeting specific individuals. We really have to be on our toes.
sr. member
Activity: 309
Merit: 250
*scammer-hackers

some of us "hackers" are the good guys  Wink

True I guess you have a point Wink
newbie
Activity: 27
Merit: 0
*scammer-hackers

some of us "hackers" are the good guys  Wink
sr. member
Activity: 309
Merit: 250
I hate hackers / scammers.. I wish we could stop them all TOGETHER
newbie
Activity: 27
Merit: 0
Just seeing this now...sorry guys...don't have a sandbox on the station I'm on...
full member
Activity: 196
Merit: 100
The cheddar breed jealousy
Very interesting.
Going to look into this as it is quite a problem if indeed what I think it is...
sr. member
Activity: 285
Merit: 250
Bitcoin.org maintainer
Note: Just got a reply from Mandrik @blockchain.info - so I guess they're aware of it now. Hopefully this will get fixed and spammers won't be able to send from this domain at the very least.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?

Once you are done analyzing, would you mind posting your findings here?
It depends on if OP has not deleted this phishing email(which I presume he has) and whether the bytecode class files in the .jar are obfuscated.
sr. member
Activity: 392
Merit: 268
Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?

Once you are done analyzing, would you mind posting your findings here?
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
Who can I contact about this?
Can you privately send me a link to this java malware for me to analyze?
sr. member
Activity: 285
Merit: 250
Bitcoin.org maintainer
Who can I contact about this?

Try contacting blockchain.info (I dunno what's the best way, I just tried sending them a msg on reddit).
newbie
Activity: 27
Merit: 0
Who can I contact about this?
sr. member
Activity: 285
Merit: 250
Bitcoin.org maintainer
In order to prevent such phishing scam from @bitcoin.com, blockchain.info would have to set clear DMARC, DKIM and SPF policies on their DNS:

https://dmarcian.com/dmarc-inspector/bitcoin.com
sr. member
Activity: 392
Merit: 268
Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ
Definitely looks like malware, possibly coin-stealing. I'm interested to see if anyone with a spare offline machine they're willing to get "dirty" would have any luck decompiling this with a Java decompiler. I've never seen Java that can actually act as a full-system rootkit, at least without JNI.

Hello

I recently received a (relatively) sophisticated phishing attack via email. The payload seems to be a java root kit.

The email sender was labelled "Bitcoin.org", but the actual email was "[email protected]". The subject read "The transaction has completed successfully."

Flag #1 - I have not made any Bitcoin transactions for over a week.

Flag #2 - "no-replay"

Flag #3 - Recently made email in question public on bitcointalk.org.

Flag #4 - Payload file name included last four digits of my SSN.

The message contents were as follows:

Online Payment Details https://www.bitcoin.org/Ref-XXXXXXXXXXXX (linked to http://[Suspicious link removed]/Bitcoin-transactionSSSS)

SSSS represents the last four digits of my SSN. This part concerns me the most, although linking of this email (my main public email) to my the last digits of SSN wouldn't be too difficult.

The transaction has completed successfully. The order number, for your customers reference is:Ref-XXXXXXXXXXXX-XXXXX.

Additional Payload info:


File: Bitcoin_transactionSSSS.jar

File type: Java JAR (226 Kb)

From: http://www.thedumps.ru

newbie
Activity: 27
Merit: 0
Hello

I recently received a (relatively) sophisticated phishing attack via email. The payload seems to be a java root kit.

The email sender was labelled "Bitcoin.org", but the actual email was "[email protected]". The subject read "The transaction has completed successfully."

Flag #1 - I have not made any Bitcoin transactions for over a week.

Flag #2 - "no-replay"

Flag #3 - Recently made email in question public on bitcointalk.org.

Flag #4 - Payload file name included last four digits of my SSN.

The message contents were as follows:

Online Payment Details https://www.bitcoin.org/Ref-XXXXXXXXXXXX (linked to http://[Suspicious link removed]/Bitcoin-transactionSSSS)

SSSS represents the last four digits of my SSN. This part concerns me the most, although linking of this email (my main public email) to my the last digits of SSN wouldn't be too difficult.

The transaction has completed successfully. The order number, for your customers reference is:Ref-XXXXXXXXXXXX-XXXXX.

Additional Payload info:


File: Bitcoin_transactionSSSS.jar

File type: Java JAR (226 Kb)

From: http://www.thedumps.ru
Jump to: