The PhishLabs Blog

Phishing for bitcoins

Posted by John LaCour on Nov 11, '13

PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange:

[Screenshot: the Mt. Gox phishing form page (image "mtgox-phish")]

While most phishing attacks use compromised legitimate web sites to host their pages, this attack is hosted on a domain registered for the purpose: RAA.CN.COM.

CN.COM is not a real top-level domain; it is a second-level domain under .COM whose operator, CentralNic, allows registrars to sell third-level domains beneath it. Interestingly, CentralNic also provides a WHOIS service for these domains, so we can see that the domain name was registered on November 9th with Chinese registrant details:

Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4348057
Registrant Name:liu dehua
Registrant Organization:liu dehua
Registrant Street1:beijingshibeijingshibeijingshi
Registrant City:beijing
Registrant State/Province:Beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.86.1083298850
Registrant FAX:+86.86.1083298850
Registrant Email:kof19871218@126.com
Admin ID:H4348060
Admin Name:liu dehua
Admin Organization:liu dehua
Admin Street1:beijingshibeijingshibeijingshi
Admin City:beijing
Admin State/Province:Beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.86.1083298850
Admin FAX:+86.86.1083298850
Admin Email:kof19871218@126.com
Tech ID:H4348063
Tech Name:liu dehua
Tech Organization:liu dehua
Tech Street1:beijingshibeijingshibeijingshi
Tech City:beijing
Tech State/Province:Beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.86.1083298850
Tech FAX:+86.86.1083298850
Tech Email:kof19871218@126.com
Billing ID:H4348066
Billing Name:liu dehua
Billing Organization:liu dehua
Billing Street1:beijingshibeijingshibeijingshi
Billing City:beijing
Billing State/Province:Beijing
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.86.1083298850
Billing FAX:+86.86.1083298850
Billing Email:kof19871218@126.com
Sponsoring Registrar ID:H3245827
Sponsoring Registrar IANA ID:697
Sponsoring Registrar Organization:ERANET INTERNATIONAL LIMITED
Sponsoring Registrar Street1:02 7/F TRANS ASIA CENTRE 18 KIN HONG STREET KWAI CHUNG N.T
Sponsoring Registrar City:Hongkong
Sponsoring Registrar State/Province:
Sponsoring Registrar Postal Code:999077
Sponsoring Registrar Country:CN
Sponsoring Registrar Phone:+852-35685366
Sponsoring Registrar FAX:+852-35637160
Sponsoring Registrar Website:www.tnet.hk
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned
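As an added example (not PhishLabs' code), the script below shows how a defender can turn a WHOIS record like the one above into detection signals: it parses the "Key:Value" lines, computes the domain's age relative to when the phish was observed, flags the ADD PERIOD status and the single shared contact identity, and works out the registrable domain for a host under a private suffix such as CN.COM so that a block entry targets raa.cn.com rather than cn.com. The abbreviated record, the observation timestamp of November 11, the 30-day "recently created" threshold and the one-entry private-suffix list are all assumptions constructed for the example.

```python
"""Score a CentralNic-style WHOIS record for newly-registered-domain indicators (example code)."""
from datetime import datetime, timezone

# Constructed sample: an abbreviated copy of the RAA.CN.COM record quoted in the post.
SAMPLE_WHOIS = """\
Domain ID:CNIC-DO1605313
Domain Name:RAA.CN.COM
Created On:2013-11-09T04:27:02.0Z
Expiration Date:2014-11-09T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant Name:liu dehua
Registrant Email:kof19871218@126.com
Admin Email:kof19871218@126.com
Tech Email:kof19871218@126.com
Billing Email:kof19871218@126.com
Sponsoring Registrar IANA ID:697
Name Server:F1G1NS1.DNSPOD.NET
Name Server:F1G1NS2.DNSPOD.NET
DNSSEC:Unsigned
"""

# Assumed observation time: the post is dated Nov 11, 2013.
OBSERVED_AT = datetime(2013, 11, 11, 12, 0, tzinfo=timezone.utc)

# Suffixes under which a registry sells names one label deeper than usual.
# Assumed one-entry list; the real Public Suffix List carries many such entries.
PRIVATE_SUFFIXES = {"cn.com"}


def parse_whois(text):
    """Map each field name to the list of its values; repeated keys such as Status are kept."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_cnic_timestamp(value):
    """CentralNic writes e.g. 2013-11-09T04:27:02.0Z; drop the fractional second."""
    base = value.split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def domain_age_days(fields, observed_at):
    """Whole days between the Created On timestamp and the observation time."""
    created = parse_cnic_timestamp(fields["Created On"][0])
    return (observed_at - created).days


def contact_emails(fields):
    """Distinct e-mail addresses across registrant, admin, tech and billing contacts."""
    return {v for k, vals in fields.items() if k.endswith("Email") for v in vals}


def assess(fields, observed_at, max_age_days=30):
    """Return the names of the indicators that fire, in a fixed order."""
    hits = []
    if domain_age_days(fields, observed_at) <= max_age_days:
        hits.append("recently_created")
    # ADD PERIOD is the registry's add-grace-period status: the name is days old.
    if "ADD PERIOD" in fields.get("Status", []):
        hits.append("in_add_grace_period")
    # One identity on every contact is common for throwaway registrations;
    # a weak signal on its own, so it only counts alongside the others.
    if len(contact_emails(fields)) == 1:
        hits.append("single_contact_identity")
    return hits


def registrable_domain(host):
    """Registrable name for a host, honouring private suffixes such as cn.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PRIVATE_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_sample():
    """Run the indicators over the constructed sample record."""
    return assess(parse_whois(SAMPLE_WHOIS), OBSERVED_AT)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["Domain Name"][0], "age:", domain_age_days(rec, OBSERVED_AT), "days")
    print("indicators:", assess_sample())
    print("block entry:", registrable_domain("www.raa.cn.com"))
```

Keyed on the registrable domain, the same record gives an age of two days and all three indicators, which is the profile a newly-registered-domain feed or mail filter would act on; a naive "last two labels" rule would instead produce cn.com and block every customer of that registry.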

Further analysis and mining of our spam collection reveals the URL that was sent out:

http://www.whxbmy.com/images/

When visited, this URL redirects users to the phishing form page shown above. The host appears to be a legitimate Chinese-language web site; it could be compromised, or the attackers could be affiliated with the site somehow.

Bitcoin users should be wary of suspicious emails - as always!

Topics: Blog, Phishing
