PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange:
While most phishing attacks use hacked legitimate web sites to host their phishing pages, this particular attack is using a purpose-registered domain name, RAA.CN.COM.
CN.COM isn't a real top-level domain: it is a second-level domain under .COM operated by CentralNic, which lets registrars sell third-level domains beneath it (so the registrable name here is RAA.CN.COM, not CN.COM). Interestingly, CentralNic also provides a WHOIS service for these domains. In this case, we can see that the domain name was registered on November 9th using Chinese registrant details (self-asserted, as WHOIS data always is):
<span style="font-size: small;">Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4348057
Registrant Name:liu dehua
Registrant Organization:liu dehua
Registrant Street1:beijingshibeijingshibeijingshi
Registrant City:beijing
Registrant State/Province:Beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.86.1083298850
Registrant FAX:+86.86.1083298850
Registrant Email:email@example.com
Admin ID:H4348060
Admin Name:liu dehua
Admin Organization:liu dehua
Admin Street1:beijingshibeijingshibeijingshi
Admin City:beijing
Admin State/Province:Beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.86.1083298850
Admin FAX:+86.86.1083298850
Admin Email:firstname.lastname@example.org
Tech ID:H4348063
Tech Name:liu dehua
Tech Organization:liu dehua
Tech Street1:beijingshibeijingshibeijingshi
Tech City:beijing
Tech State/Province:Beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.86.1083298850
Tech FAX:+86.86.1083298850
Tech Email:email@example.com
Billing ID:H4348066
Billing Name:liu dehua
Billing Organization:liu dehua
Billing Street1:beijingshibeijingshibeijingshi
Billing City:beijing
Billing State/Province:Beijing
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.86.1083298850
Billing FAX:+86.86.1083298850
Billing Email:firstname.lastname@example.org
Sponsoring Registrar ID:H3245827
Sponsoring Registrar IANA ID:697
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Sponsoring Registrar Street1:02 7/F TRANS ASIA CENTRE 18 KIN HONG STREET KWAI CHUNG N.T
Sponsoring Registrar City:Hongkong
Sponsoring Registrar State/Province:
Sponsoring Registrar Postal Code:999077
Sponsoring Registrar Country:CN
Sponsoring Registrar Phone:+852-35685366
Sponsoring Registrar FAX:+852-35637160
Sponsoring Registrar Website:www.tnet.hk
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned</span>
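Two checks an analyst would want to run on a record like this are (1) deriving the registrable domain with public-suffix awareness, so that RAA.CN.COM is keyed as raa.cn.com rather than the shared suffix cn.com, and (2) computing the domain's age at the time the phish was seen. The script below is an added example, not PhishLabs' tooling. It embeds a trimmed copy of the WHOIS record above as sample input, uses a small constructed subset of the Public Suffix List (the real list does carry cn.com as a CentralNic suffix; wildcard and exception rules are omitted), and assumes an observation date of 2013-11-12 and a 30-day "newly registered" threshold, neither of which the post states.

```python
from datetime import datetime, timezone

# Constructed subset of the Public Suffix List (publicsuffix.org).
# Wildcard and exception rules are left out for brevity.
PSL_RULES = {"com", "net", "cn", "com.cn", "cn.com", "hk", "com.hk"}


def registrable_domain(host):
    """Return the registrable (apex) domain for host under PSL_RULES.

    The longest matching public suffix wins, then one more label is kept.
    Unknown TLDs fall back to the PSL default rule (a single label).
    Returns None when the host is itself a public suffix, e.g. cn.com."""
    labels = host.lower().rstrip(".").split(".")
    suffix_start = len(labels) - 1
    for i in range(len(labels) - 1, -1, -1):
        if ".".join(labels[i:]) in PSL_RULES:
            suffix_start = i
    if suffix_start == 0:
        return None
    return ".".join(labels[suffix_start - 1:])


def naive_apex(host):
    """The common mistake: treat the last two labels as the apex."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_whois(text):
    """Parse 'Key:Value' lines into a dict.

    Splits on the first colon only, so timestamps keep their colons.
    Repeated keys (Status, Name Server) are collected into lists."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def parse_centralnic_time(value):
    """CentralNic stamps look like 2013-11-09T04:27:02.0Z (fraction, then Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc)


def assess(record, observed, max_age_days=30):
    """Analyst findings for a domain seen hosting a phishing page."""
    host = record["Domain Name"]
    created = parse_centralnic_time(record["Created On"])
    statuses = record.get("Status", [])
    if isinstance(statuses, str):
        statuses = [statuses]
    age_days = (observed - created).days
    return {
        "registrable_domain": registrable_domain(host),
        "naive_apex": naive_apex(host),
        "age_days": age_days,
        "newly_registered": age_days <= max_age_days,
        # ADD PERIOD is the registry's add-grace-period status: the name was
        # created within the last few days.
        "in_add_grace_period": "ADD PERIOD" in statuses,
        "dnssec": record.get("DNSSEC"),
        "name_servers": record.get("Name Server", []),
        "registrar": record.get("Sponsoring Registrar Organization"),
    }


# Constructed sample: a trimmed copy of the WHOIS record quoted above.
SAMPLE_WHOIS = """\
Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant Name:liu dehua
Registrant Country:CN
Sponsoring Registrar IANA ID:697
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned
"""

# Assumed observation time; the post gives none. A few days after creation
# is consistent with the ADD PERIOD status.
OBSERVED = datetime(2013, 11, 12, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in assess(parse_whois(SAMPLE_WHOIS), OBSERVED).items():
        print(f"{key}: {value}")
```

The naive two-label apex would key this domain as cn.com, which is every CentralNic customer's name at once; a block or allow decision made on that key is wrong in both directions. Age and add-grace-period status are the cheap signals: a days-old name on a registrar-operated suffix, serving a login form for a bitcoin exchange, is worth a block before any content analysis.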
Further analysis and mining of our spam collection reveals the URL that was sent out:
<span style="font-size: small;">http://www.whxbmy.com/images/</span>
When visited, this URL redirects users to the phishing form page shown above. whxbmy.com itself appears to be a legitimate Chinese-language web site; it could have been compromised, or the attackers could be affiliated with the site somehow. Either way, the lure URL and the credential-harvesting host are different domains, so both should be blocked.
Bitcoin users should be wary of suspicious emails - as always!