Many people have been impacted by the downfall of Mt. Gox, the world’s largest Bitcoin exchange. Cybercriminals are counting on this to trick users into installing malicious software.
It all starts with a scam email that was first spotted by a Reddit user. The bogus notifications instruct recipients to click on a link in order to reclaim their Mt. Gox Bitcoins.
The emails purport to come from BitcoinBreakNews and they carry the subject line “MTGOX Return to customers the Bitcoins!”
“Have you lost your MTGOX Coins? go watch our news to claim your Bitcoins back! [link]” the emails read.
According to strongleaf, the Reddit user who received the scam email, those who click on the link are taken to a website that mimics the Wall Street Journal video portal.
In the middle of the screen, there’s an alert that instructs users to download and install Adobe Flash Player in order to watch the video.
The downloaded file is called InstallFlash.rar and it contains an executable, a text file and a license file. When the executable, Adobe_Flash_Installer.exe, is run, the file disappears and a piece of malware is installed on the computer.
strongleaf says there’s nothing in the task manager to indicate the presence of an infection.
“Nevertheless, through packet sniffer, the machine began to make connections to IP address 18.104.22.168 and attempts to download multiple malwares from the IP. By listing the directory index, the IP appears to host multiple files namely: news.exe, test.exe, BTCChart.rar,” he noted.
Christopher Boyd of Malwarebytes has also analyzed the attack. While the security company is still reviewing the malware that’s being distributed, Boyd makes an interesting point.
“The infection rate for this one may end up being quite low, as one would imagine that anybody versed in the art of Bitcoins is not likely to bother unzipping a .rar file to extract some random files,” he explained.
In the meantime, Mt. Gox has filed for bankruptcy. The company says someone has stolen around 750,000 of Bitcoins deposited by users and around 100,000 coins belonging to Mt. Gox. It’s believed the thieves exploited a bug to carry out the operation.
A group that claims to be on a mission to find out precisely what happened says it has hacked into Mt. Gox’s systems. They’ve leaked the personal details of some employees, an audio recording of a conversation between a Japanese banker and Mt. Gox CEO Mark Karpeles, and even some source code.