
Jun 13

MtGox Phishing Campaign Hits Bing, Yahoo!

An active phishing campaign targeting account holders at popular Bitcoin exchange has hijacked the top search results at Bing and, redirecting unwary clickers to, a look-alike domain and Web site that was registered on June 12, 2013, less than 24 hours ago.

Check out the video I recorded of this phish in action (turn down the sound if you hated the Iron Man soundtrack):

Update, June 17, 3:07 p.m.: Google’s YouTube team has inexplicably removed my video, calling it a violation of YouTube’s policy on the depiction of harmful activities. 8:09 p.m.: YouTube has restored the video.

Hover over the search links returned in after searching for “Mtgox” and you’ll see what appears to be a paid or perhaps sponsored search ad that lists a result for, although hovering over the link displays a long “” URL. The same is true when you currently search for “mtgox” on hovering over the returned link shows a address.

In the video above, entering any credentials at the fake “” site caused a site error, but when I tried it again a moment later, I was redirected to the real

Interestingly, it appears the phisher in this case simply copied and pasted the code from; as shown in the video, hovering over either the username or password field on produces the same warning present on — a message advising visitors to check for the green “extended validation” or EV browser certificate in the URL address bar.


This attack, while not particularly unusual, is a good reminder that relying on trusted bookmarks is among the safest ways to navigate to sites that hold your personal and financial information. Using a search engine to find these sites is better than direct navigation (in which a fat-fingered key can lead to a phishing site), but as this phish illustrates, it’s always a good idea to double-check the URL in the address bar.
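The address-bar check described above can be automated for links pulled from search results or mail. This is an added example, not code from the original post; `exchange.example` and the `.test` hosts are constructed placeholders, and `classify_link` is a hypothetical helper name.

```python
from urllib.parse import urlsplit

# Constructed placeholder standing in for the bookmarked site's real host.
TRUSTED_HOST = "exchange.example"

def classify_link(url, trusted=TRUSTED_HOST):
    """Return 'trusted', 'lookalike' or 'other' for the host a URL points to."""
    trusted = trusted.lower()
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
    except ValueError:
        return "other"  # malformed URL, e.g. an unterminated IPv6 literal
    # Trusted only when the trusted name forms the rightmost labels:
    # the exact host or a genuine subdomain of it.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # The trusted name appears somewhere else: as leading labels of another
    # domain, glued to extra text with a hyphen, or in the userinfo part
    # before "@". All of these read as the real site at a glance.
    netloc = parts.netloc.lower()
    brand = trusted.split(".")[0]  # crude brand match; tune for real names
    if trusted in netloc or brand in netloc:
        return "lookalike"
    return "other"

if __name__ == "__main__":
    samples = [  # constructed sample links
        "https://exchange.example/login",
        "https://exchange.example-us.test/login",
        "https://exchange.example.accounts.test/",
        "https://exchange.example@login.test/",
        "https://ads.search.test/click?u=abc",
    ]
    for s in samples:
        print(f"{classify_link(s):10} {s}")
```

A redirect URL such as an ad click-tracker is classified as `other` because its final destination is not visible in the link itself, which is why the check belongs on the landing URL and not only on the link shown in the results page.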

Hat tip to Twitter follower Ryan Mattinson.