Jump to content

CAUTION! GateHub phishing email

Guest

By Guest,
in Gateways and Exchanges

 Share

Recommended Posts

  • Replies 33
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

T8493
T8493

Protection of personal data in the EU is quite complex. Too complex, if you ask me. Most companies don't do it right and even large FIs usually have a lot of issues related to protection of perso

GateHub
GateHub

Thank you for alerting us and the community of this phishing email. We have contacted the domain registrar (enom.com - Namecheap) and Namecheap Hosting to remove the phishing website ASAP. 

GateHub
GateHub

True, this is the only difference, perhaps a mistake? In the last attack, the emails were sent via privateemail.com, one of Namecheap's services. We have yet to examine the email headers of this attac

Guest

Guest

Posted
Posted

Strange, because this is a wallet I activated well over a year ago (March 01 2015 is what my recovery key file says) and haven't used; I don't even know what the public Ripple wallet address is. They must have gotten these addresses from the GateHub public search function?

Link to comment
Share on other sites
jn_r

jn_r

Posted
Posted

I didn't receive the e-mail, but 

1 hour ago, tomxcs said:

Strange, because this is a wallet I activated well over a year ago (March 01 2015 is what my recovery key file says) and haven't used; I don't even know what the public Ripple wallet address is. They must have gotten these addresses from the GateHub public search function?

I haven't received the email. Could it have been the migration proces from rippletrade to gatehub? I didn't use that..

Link to comment
Share on other sites
Guest

Guest

Posted
Posted
24 minutes ago, jn_r said:

I didn't receive the e-mail, but 

I haven't received the email. Could it have been the migration proces from rippletrade to gatehub? I didn't use that..

I didn't migrate any accounts from RT to GateHub either. I also have two GH wallets each connected to different email addresses, played around with each for a couple days and then basically abandoned them, and I only recieved the message at one address.

Link to comment
Share on other sites
jn_r

jn_r

Posted
Posted
Just now, tomxcs said:

I didn't migrate any accounts from RT to GateHub either. I also have two GH wallets each connected to different email addresses, played around with each for a couple days and then basically abandoned them, and I only recieved the message at one address.

Strange indeed. Maybe gatehub can analyse the potential source from using the specific list of emails that was used (stupid btw to put that list in the 'to' and not the 'bcc'. If you make a phishing mail, make it good -_-

Link to comment
Share on other sites
GateHub

GateHub

Posted
Posted (edited)
5 hours ago, tomxcs said:

Watch out everyone! I just received an email phishing for GateHub. The link sends you to "signin.gateshub.org"

gatehub_phishing.jpg

Thank you for alerting us and the community of this phishing email.

We have contacted the domain registrar (enom.com - Namecheap) and Namecheap Hosting to remove the phishing website ASAP. 

@tomxcs, can you please send us all the emails that were included as recipients and the original email headers to security@gatehub.net? It will greatly help us in the investigation.

The person behind this phishing attack is the same one as in July. There is a file on the phishing server called "gate.html", which was also present on the domain "gatehubs.net", which was used in July's phishing attack. The HTML code and techniques used are also identical.

GateHub Security

Edited by gatehub
Link to comment
Share on other sites
RDS

RDS

Posted
Posted
5 hours ago, tomxcs said:

Watch out everyone! I just received an email phishing for GateHub. The link sends you to "signin.gateshub.org"

gatehub_phishing.jpg

Its easier to find errors now but when we are on the go, we dont look at the details so much and click on the link. Thankyou very much for bringing this to attention. 

Link to comment
Share on other sites
T8493

T8493

Posted
Posted
1 minute ago, gatehub said:

The person behind this phishing attack is the same one as in July.

The person behind this phishing attack is the same one as in July. There is a file on the phishing server called "gate.html", which was also present on the domain "gatehubs.net", which was used in July's phishing attack. The HTML code is also identical.

 

Attacker included email addresses in the "To" field, but AFAIK the previous attacker included email addresses in the "Bcc" field before. Why would the same attacker be so careless next time?

Everyone can copy HTML code from one server to another and everyone can copy HTML code from GateHub pages.

 

 

Link to comment
Share on other sites
GateHub

GateHub

Posted
Posted (edited)
39 minutes ago, T8493 said:

 

Attacker included email addresses in the "To" field, but AFAIK the previous attacker included email addresses in the "Bcc" field before. Why would the same attacker be so careless next time?

Everyone can copy HTML code from one server to another and everyone can copy HTML code from GateHub pages.

 

 

True, this is the only difference, perhaps a mistake? In the last attack, the emails were sent via privateemail.com, one of Namecheap's services. We have yet to examine the email headers of this attack.

Both attacks used the same hosting, same registrar, same HTML code, and there is this file called "gate.html" on the server. Also, both attacks used the signin subdomain.

Everyone can copy HTML code, but the "gate.html" file was discovered by fuzzing the phishing server.

PS: We are also taking measures to limit the phishing website until Namecheap responds. It usually takes a couple of hours.

Edited by gatehub
Link to comment
Share on other sites
T8493

T8493

Posted
Posted (edited)
44 minutes ago, gatehub said:

@tomxcs, can you please send us all the emails that were included as recipients and the original email headers to security@gatehub.net? It will greatly help us in the investigation.

Just a warning: processing of these email addresses (EDIT) can be illegal in the EU.

You (@gatehub) don't necessarily have a prior consent of the owners of these emails. For example, if there are also emails of users that never used GateHub before, you simply can't process this information in any way - that includes examination and looking for patterns, storing, etc.

 

 

Edited by T8493
Link to comment
Share on other sites
GateHub

GateHub

Posted
Posted (edited)

@T8493 Here's another proof that the attacker is the same - https://www.diffchecker.com/OylAfXBX. Left is July's HTML code and right is today's attack. Note how the Google Captcha parameters are the same. The Captcha URL contains a "v=r20160718175036" parameter that looks like a timestamp of when the HTML code was pulled. We'll crosscheck this with our logs.

We're not going to process emails, we need a list of affected email addresses.

Edited by gatehub
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept