The PhishLabs Blog

Phishing for bitcoins

Posted by John LaCour on Nov 11, '13

PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange:

[Screenshot: the Mt. Gox phishing form page]

While most phishing attacks use hacked legitimate web sites to host their pages, this particular attack is hosted on a domain name registered for the purpose, RAA.CN.COM.

CN.COM isn't a real top-level domain; it is a second-level name operated by CentralNic, which lets registrars sell third-level domains beneath it. A lookup against the .COM registry's WHOIS therefore only shows CentralNic's own registration of CN.COM. Interestingly, CentralNic also provides a WHOIS service for these third-level domains. In this case we can see that the domain was registered on November 9th, two days before this attack was detected, under a Chinese identity, and that it is still within its add-grace period:

Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4348057
Registrant Name:liu dehua
Registrant Organization:liu dehua
Registrant Street1:beijingshibeijingshibeijingshi
Registrant City:beijing
Registrant State/Province:Beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.86.1083298850
Registrant FAX:+86.86.1083298850
Registrant Email:kof19871218@126.com
Admin ID:H4348060
Admin Name:liu dehua
Admin Organization:liu dehua
Admin Street1:beijingshibeijingshibeijingshi
Admin City:beijing
Admin State/Province:Beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.86.1083298850
Admin FAX:+86.86.1083298850
Admin Email:kof19871218@126.com
Tech ID:H4348063
Tech Name:liu dehua
Tech Organization:liu dehua
Tech Street1:beijingshibeijingshibeijingshi
Tech City:beijing
Tech State/Province:Beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.86.1083298850
Tech FAX:+86.86.1083298850
Tech Email:kof19871218@126.com
Billing ID:H4348066
Billing Name:liu dehua
Billing Organization:liu dehua
Billing Street1:beijingshibeijingshibeijingshi
Billing City:beijing
Billing State/Province:Beijing
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.86.1083298850
Billing FAX:+86.86.1083298850
Billing Email:kof19871218@126.com
Sponsoring Registrar ID:H3245827
Sponsoring Registrar IANA ID:697
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Sponsoring Registrar Street1:02 7/F TRANS ASIA CENTRE 18 KIN HONG STREET KWAI CHUNG N.T
Sponsoring Registrar City:Hongkong
Sponsoring Registrar State/Province:
Sponsoring Registrar Postal Code:999077
Sponsoring Registrar Country:CN
Sponsoring Registrar Phone:+852-35685366
Sponsoring Registrar FAX:+852-35637160
Sponsoring Registrar Website:www.tnet.hk
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned
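As an added example (not part of the original post and not PhishLabs' own tooling), the script below parses a record in the format quoted above and pulls out the traits an analyst would want flagged: that the registered name is raa.cn.com rather than cn.com, so the WHOIS query has to go to CentralNic and not the .COM registry, and that the registration is only days old and still in its add-grace period. The embedded record is trimmed from the one above; the observation time, the 30-day "new domain" threshold and the two-entry public-suffix set are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the CentralNic WHOIS record quoted in the post, trimmed
# to the fields this example reads. Field names are as CentralNic prints them.
SAMPLE_WHOIS = """\
Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant Name:liu dehua
Registrant Organization:liu dehua
Registrant Country:CN
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned
"""

# Assumed observation time: the post is dated Nov 11, 2013; the hour is a guess.
OBSERVED_AT = datetime(2013, 11, 11, 12, 0, tzinfo=timezone.utc)

# Constructed subset of the Public Suffix List. Real tooling should load the
# full list; cn.com is in it because CentralNic sells names beneath it.
PUBLIC_SUFFIXES = {"com", "cn.com"}


def registrable_domain(hostname):
    """Return the name a customer actually registered, e.g. raa.cn.com, not cn.com.

    Longest-suffix match matters: a naive 'last two labels' rule yields cn.com,
    and a WHOIS query for that goes to the .COM registry, which only knows
    CentralNic's own registration and nothing about the third-level name.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def parse_whois(text):
    """Parse 'Key:Value' lines into {key: [values]}; keys such as Status repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def parse_whois_time(value):
    """CentralNic timestamps look like 2013-11-09T04:27:02.0Z; drop the fraction."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def domain_age_days(record, observed_at=OBSERVED_AT):
    """Whole days between the Created On timestamp and the observation time."""
    return (observed_at - parse_whois_time(record["Created On"][0])).days


def assess(record, observed_at=OBSERVED_AT, max_age_days=30):
    """List the registration traits that make this domain suspicious for a login page."""
    reasons = []
    age = domain_age_days(record, observed_at)
    if age <= max_age_days:
        reasons.append(f"registered only {age} day(s) before the attack was seen")
    if "ADD PERIOD" in record.get("Status", []):
        reasons.append("still inside the registrar add-grace period")
    if record.get("Registrant Organization") == record.get("Registrant Name"):
        reasons.append("organization field is just the registrant's name")
    return reasons


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("query WHOIS for:", registrable_domain("www.raa.cn.com"))
    for reason in assess(rec):
        print("-", reason)
```

Domain age is the strongest signal here: a login page for an established exchange sitting on a two-day-old domain is rarely legitimate, and the same check works for any brand once the correct registrable name has been identified.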

Further analysis and mining of our spam collection reveals the URL that was sent out in the lure emails:

http://www.whxbmy.com/images/

When visited, this URL redirects users to the phishing form page shown above, so the purpose-registered domain never has to appear in the email itself. whxbmy.com appears to be a legitimate Chinese-language web site; it could have been compromised, or the attackers could be affiliated with the site somehow.

Bitcoin users should be wary of suspicious emails, as always!

Topics: Blog, Phishing
