Phishing for Bitcoins

By admin, 5 years ago

PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange:

[Image: mtgox-phish]

While most phishing attacks use hacked legitimate web sites to host phishing pages, this particular attack uses a registered domain name, RAA.CN.COM. CN.COM isn’t a real top-level domain, but CentralNic allows registrars to sell third-level domains within CN.COM. Interestingly, CentralNic also provides a WHOIS service for these domains. In this case, we can see that the domain name was registered on November 9th using a Chinese identity:

Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4348057
Registrant Name:liu dehua
Registrant Organization:liu dehua
Registrant Street1:beijingshibeijingshibeijingshi
Registrant City:beijing
Registrant State/Province:Beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.86.1083298850
Registrant FAX:+86.86.1083298850
Registrant Email:[email protected]
Admin ID:H4348060
Admin Name:liu dehua
Admin Organization:liu dehua
Admin Street1:beijingshibeijingshibeijingshi
Admin City:beijing
Admin State/Province:Beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.86.1083298850
Admin FAX:+86.86.1083298850
Admin Email:[email protected]
Tech ID:H4348063
Tech Name:liu dehua
Tech Organization:liu dehua
Tech Street1:beijingshibeijingshibeijingshi
Tech City:beijing
Tech State/Province:Beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.86.1083298850
Tech FAX:+86.86.1083298850
Tech Email:[email protected]
Billing ID:H4348066
Billing Name:liu dehua
Billing Organization:liu dehua
Billing Street1:beijingshibeijingshibeijingshi
Billing City:beijing
Billing State/Province:Beijing
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.86.1083298850
Billing FAX:+86.86.1083298850
Billing Email:[email protected]
Sponsoring Registrar ID:H3245827
Sponsoring Registrar IANA ID:697
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Sponsoring Registrar Street1:02 7/F TRANS ASIA CENTRE 18 KIN HONG STREET KWAI CHUNG N.T 
Sponsoring Registrar City:Hongkong
Sponsoring Registrar State/Province: 
Sponsoring Registrar Postal Code:999077 
Sponsoring Registrar Country:CN
Sponsoring Registrar Phone:+852-35685366
Sponsoring Registrar FAX:+852-35637160 
Sponsoring Registrar Website:www.tnet.hk
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned
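
An added example, not part of the original post: the Python below picks the name that was actually registered when the suffix is a zone like CN.COM (a naive "last two labels" rule would look up CN.COM itself), then parses fields from the WHOIS record above to flag a fresh registration. The one-entry zone set, the 30-day threshold and the sighting date are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Illustrative subset of zones that sell third-level names; a real check
# would load the full Public Suffix List. CN.COM is the zone from the post.
SUBDOMAIN_REGISTRIES = {"cn.com"}

# Excerpt of the WHOIS record quoted above (values copied from the post).
WHOIS_EXCERPT = """\
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
"""

def registrable_domain(host):
    """Return the name that was actually registered for `host`."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SUBDOMAIN_REGISTRIES:
        return ".".join(labels[-3:])   # e.g. raa.cn.com, not cn.com
    return ".".join(labels[-2:])

def parse_whois(text):
    """Parse 'Key:Value' lines; repeated keys (Status, Name Server) accumulate."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep and key.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def triage(record, seen_at, max_age_days=30):
    """Signals for a domain first seen in mail at `seen_at` (UTC datetime)."""
    created = datetime.strptime(record["Created On"][0], "%Y-%m-%dT%H:%M:%S.%fZ")
    age = (seen_at - created.replace(tzinfo=timezone.utc)).days
    signals = []
    if 0 <= age <= max_age_days:
        signals.append(f"registered {age} day(s) before sighting")
    if "ADD PERIOD" in record.get("Status", []):
        signals.append("still in the add grace period")
    return signals

if __name__ == "__main__":
    seen = datetime(2013, 11, 12, tzinfo=timezone.utc)  # constructed sighting date
    print(registrable_domain("RAA.CN.COM"), triage(parse_whois(WHOIS_EXCERPT), seen))
```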

Further analysis and mining of our spam collection reveals the URL that was sent out:

http://www.whxbmy.com/images/

When visited, this URL directs users to the phishing form page above. The site hosting it appears to be a legitimate Chinese-language web site. It could be compromised, or the attackers could be affiliated with the site somehow.

Bitcoin users should be wary of suspicious emails – as always!
