June 13, 2013

An active phishing campaign targeting account holders at popular Bitcoin exchange MtGox.com has hijacked the top search results at Bing and Yahoo.com, redirecting unwary clickers to mtpox.com, a look-alike domain and Web site that was registered on June 12, 2013, less than 24 hours ago.

Check out the video I recorded of this phish in action (turn down in the sound if you hated the Iron Man soundtrack):

Update, June 17, 3:07 p.m: Google’s Youtube team has inexplicably removed my video, calling it a violation of YouTube’s policy on the depiction of harmful activities. 8:09 p.m.: YouTube has restored the video.

Hover over the search links returned in Yahoo.com after searching for “Mtgox” and you’ll see what appears to be a paid or perhaps sponsored search ad that lists a result for mtgox.com, although hovering over the link displays a long “yahoo.com” URL. The same is true when you currently search for “mtgox” on Bing.com: hovering over the returned link shows a bing.com address.

In the video above, entering any credentials at the fake “mtpox.com” site caused a site error, but when I tried it again a moment later, I was redirected to the real Mtgox.com.

Interestingly, it appears the phisher in this case simply copied and pasted the code from Mtgox.com; as shown in the video, hovering over either the username or password field on mtpox.com produces the same warning present on mtgox.com — a message advising visitors to check for the green “extended validation” or EV browser certificate in the URL address bar.

mtpoxphish

This attack, while not particularly unusual, is a good reminder that relying on trusted bookmarks is among the safest ways to navigate to sites that hold your personal and financial information. Using a search engine to find these sites is better than direct navigation (in which a fat-fingered key can lead to a phishing site), but as this phish illustrates, it’s always a good idea to double check the URL in the address bar.

Hat tip to Twitter follower Ryan Mattinson.


23 thoughts on “MtGox Phishing Campaign Hits Bing, Yahoo!

  1. Jesse Ruderman

    To make things worse, Bing is actively participating in the phish by showing “www.mtgox.com” in the ad. Bing should verify ownership of the “display URL” in ads when it doesn’t match the target.

    Also, they should audit any ads targeted at the names of financial sites.

    1. BrianKrebs Post author

      Yep. It also seems like the line between paid search and organic search results in bing and yahoo has been blurred more than ever. That’s too bad. Google seems to have the clearest demarcation between the two.

  2. Canuck

    Many browsers and antivirus applications have functions to also help identify phishing sites for all those fat-fingered surfers out there.

  3. uyjulian

    People should stop using MTCOCKS. It’s way too popular.

  4. JimV

    Instead of Bing or Google to search, I use DuckDuckGo and despite the odd name have found it does a pretty good job with much better security. Before that, I used a really good search engine named Clusty which could provide a clustered presentation of the results, but it was bought by someone with a conservative religious agenda and renamed Yippy with various embedded filters on the untrustworthy results, so I abandoned it in favor of DDG.

    1. saucymugwump

      “it does a pretty good job with much better security”

      I use DuckDuckGo for everything except IT work, for which I use Microsoft’s Bing. By the way, DuckDuckGo’s claim is better privacy, not security.

    2. Mike Lapsa

      Keep in mind DuckDuckGo tracks which links you click. (Ixquick doesn’t do this.) Combined with browser fingerprinting, and they don’t need tracking cookies.

      1. saucymugwump

        Do you have a cite for DuckDuckGo using browser fingerprinting? DuckDuckGo states that “we do not store IP addresses” at https://duckduckgo.com/privacy. They also state that they do not “store any personal information at all” which implies that they do not delve into browser fingerprinting.

        That said, Ixquick looks really interesting. DuckDuckGo mentions them as another private search engine.

        1. saucymugwump

          I forgot to include in my post that Ixquick looks interesting because, being a European company, Uncle Sam cannot easily force them to divulge customer data, unlike Google et al. FISA courts and NSA pressure are not relevant.

  5. N3wt

    Passive DNS records reveal that the IP address for mtpox.com also hosts the legit website (among others) for Huawei Scholarships, the legit philanthropy site from Chinese coms giant Huawei

    IP Address ASN BGP Netblock First Seen Host/Domain
    182.50.130.119 26496 182.50.128.0/19 2013-06-11 04:03:43 huaweischolarships.org
    182.50.130.119 26496 182.50.128.0/19 2013-06-11 19:18:45 abfanclub.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-10 21:41:14 madridfe.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-12 22:11:31 thebhairavigoswami.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-11 22:31:11 no-smok.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-10 11:24:27 badeal.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-12 01:11:43 mobileappchap.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-13 20:52:10 mtpox.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-12 01:11:43 ayanvitality.com
    182.50.130.119 26496 182.50.128.0/19 2013-06-12 15:35:40 http://www.apexitool.net

  6. Toad

    A phishing scam aimed at users of a site best known for being able to purchase pirated software, child pornography, and prostitution. What is the world coming to? Is there no honor among thieves?
    (/Sarcasm Mode Off, in case you couldn’t tell it was on.)

  7. john "ozzy" senchak

    Damn and I thought that you where going to serve up some Black Sabbath with that video , Oh well

    What’s interesting is the “post html code ” for the
    site mtpox.com listed below

    Server: Microsoft-IIS/7.0
    182.50.130.119/
    119.130.50.182.in-addr.arpa IN PTR sg2nw8shg119.shr.prod.sin2.secureserver.net

    Then leads to this:

  8. Haggis

    have Yahoo and bing been made aware of this?

    EDIT: seems to be fixed now

  9. brendosthoughts

    hmmm… can’t way until siri returns phising reults through the bing search engine! microsoft gotta work on a thing or 2

  10. Stefan Misaras

    First of all, your email with this article came to me with a notification from gmail that “it may be a phishing email”, and I should be aware of that. That’s strange!

    Secondly, I just checked and both bing and yahoo rectified the problem, but it is serious to have the search results hijacked in this way!

    Thirdly… why didn’t google also have the same problem?

    1. brian krebs

      I’m guessing that because my email contained a URL that was a known phishing site, it was flagged as a possible phish.

      Both Chrome and Firefox fixed the problem first, by adding the site to their phishing filters, before Yahoo and Bing addressed the search issue. As of last night, IE still had not flagged the site as a phish.

      The reason google didn’t have this problem is they don’t seem to any longer allow sponsored or paid search results to blend in with organic searches at the top of the results. Also, it looks like this phish was (ab)using some kind of redirect on microsoft.com and yahoo.com domains to hide the true destination of the phishing URL when you hover over it.

  11. SeymourB

    I find memorizing the URLs of every site I routinely visit works better than relying on bookmarks or search engines. I can sit down in someone’s office for the first time and get to all the technical resources I need (provided they’re not having internet connection issues of course).

    Memory exercises like this help keep your recall abilities sharp, otherwise your memory gets all fuzzy and worthless.

  12. Dunbar Pappy

    A note worth remembering: Internet Explorer has a trick that permits a green address bar to show with a bit of manipulation, yet not be a true “Extended Validation” Certificate.

    (Steve Gibson, GRC https://www.grc.com/fingerprints.htm
    “…Microsoft deliberately allows EV indications to be forged…”

    Another reason not to use iE.

  13. program affiliate

    Never avoid writing a post when you think your
    readers won_t like it. You are a representative comes on the networks for affiliates.
    These networks give a way for you to make use of CPA while sporting a middle-man (the
    network) carrying it out for you.

Comments are closed.