Guest (posted August 24, 2016):

Watch out everyone! I just received an email phishing for GateHub. The link sends you to "signin.gateshub.org"
tomb (posted August 24, 2016):

Good find!!!! Got the email. @enej this is a good phishing email. Anything you can do?
rootvegetable (posted August 24, 2016, edited August 24, 2016):

hahaha "noreplay@gatehub.net" and actual email comes from "noreplay@gateshub.org"
Guest (posted August 24, 2016):

Strange, because this is a wallet I activated well over a year ago (March 01 2015 is what my recovery key file says) and haven't used; I don't even know what the public Ripple wallet address is. They must have gotten these addresses from the GateHub public search function?
tomb (posted August 24, 2016):

I copied all that were on the email and sent out a warning. I hope we don't have tragedies tomorrow...
jn_r (posted August 24, 2016):

I didn't receive the e-mail, but

1 hour ago, tomxcs said:
> Strange, because this is a wallet I activated well over a year ago (March 01 2015 is what my recovery key file says) and haven't used; I don't even know what the public Ripple wallet address is. They must have gotten these addresses from the GateHub public search function?

I haven't received the email. Could it have been the migration process from rippletrade to gatehub? I didn't use that..
Morty (posted August 24, 2016):

I didn't get the email either.
Guest (posted August 24, 2016):

24 minutes ago, jn_r said:
> I didn't receive the e-mail, but I haven't received the email. Could it have been the migration process from rippletrade to gatehub? I didn't use that..

I didn't migrate any accounts from RT to GateHub either. I also have two GH wallets each connected to different email addresses, played around with each for a couple days and then basically abandoned them, and I only received the message at one address.
jn_r (posted August 24, 2016):

Just now, tomxcs said:
> I didn't migrate any accounts from RT to GateHub either. I also have two GH wallets each connected to different email addresses, played around with each for a couple days and then basically abandoned them, and I only received the message at one address.

Strange indeed. Maybe gatehub can analyse the potential source from using the specific list of emails that was used (stupid btw to put that list in the 'to' and not the 'bcc'. If you make a phishing mail, make it good)
GateHub (posted August 24, 2016, edited August 24, 2016):

5 hours ago, tomxcs said:
> Watch out everyone! I just received an email phishing for GateHub. The link sends you to "signin.gateshub.org"

Thank you for alerting us and the community of this phishing email. We have contacted the domain registrar (enom.com - Namecheap) and Namecheap Hosting to remove the phishing website ASAP.

@tomxcs, can you please send us all the emails that were included as recipients and the original email headers to security@gatehub.net? It will greatly help us in the investigation.

The person behind this phishing attack is the same one as in July. There is a file on the phishing server called "gate.html", which was also present on the domain "gatehubs.net", which was used in July's phishing attack. The HTML code and techniques used are also identical.

GateHub Security
RDS (posted August 24, 2016):

5 hours ago, tomxcs said:
> Watch out everyone! I just received an email phishing for GateHub. The link sends you to "signin.gateshub.org"

It's easier to find errors now, but when we are on the go, we don't look at the details so much and click on the link. Thank you very much for bringing this to attention.
T8493 (posted August 24, 2016):

1 minute ago, gatehub said:
> The person behind this phishing attack is the same one as in July. There is a file on the phishing server called "gate.html", which was also present on the domain "gatehubs.net", which was used in July's phishing attack. The HTML code is also identical.

Attacker included email addresses in the "To" field, but AFAIK the previous attacker included email addresses in the "Bcc" field before. Why would the same attacker be so careless next time? Everyone can copy HTML code from one server to another and everyone can copy HTML code from GateHub pages.
GateHub (posted August 24, 2016, edited August 24, 2016):

39 minutes ago, T8493 said:
> Attacker included email addresses in the "To" field, but AFAIK the previous attacker included email addresses in the "Bcc" field before. Why would the same attacker be so careless next time? Everyone can copy HTML code from one server to another and everyone can copy HTML code from GateHub pages.

True, this is the only difference, perhaps a mistake? In the last attack, the emails were sent via privateemail.com, one of Namecheap's services. We have yet to examine the email headers of this attack. Both attacks used the same hosting, same registrar, same HTML code, and there is this file called "gate.html" on the server. Also, both attacks used the signin subdomain. Everyone can copy HTML code, but the "gate.html" file was discovered by fuzzing the phishing server.

PS: We are also taking measures to limit the phishing website until Namecheap responds. It usually takes a couple of hours.
T8493 (posted August 24, 2016, edited August 24, 2016):

44 minutes ago, gatehub said:
> @tomxcs, can you please send us all the emails that were included as recipients and the original email headers to security@gatehub.net? It will greatly help us in the investigation.

Just a warning: processing of these email addresses (EDIT) can be illegal in the EU. You (@gatehub) don't necessarily have prior consent of the owners of these emails. For example, if there are also emails of users that never used GateHub before, you simply can't process this information in any way - that includes examination and looking for patterns, storing, etc.
GateHub (posted August 24, 2016, edited August 24, 2016):

@T8493 Here's another proof that the attacker is the same - https://www.diffchecker.com/OylAfXBX. Left is July's HTML code and right is today's attack. Note how the Google Captcha parameters are the same. The Captcha URL contains a "v=r20160718175036" parameter that looks like a timestamp of when the HTML code was pulled. We'll crosscheck this with our logs.

We're not going to process emails, we need a list of affected email addresses.
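
The tells the posters spotted by eye (a sender address on gateshub.org behind a gatehub.net display name, and a sign-in link on signin.gateshub.org) can be checked mechanically on the receiving side. The following is an added example, not part of any post in this thread and not GateHub's code; the sample message is constructed from the posters' descriptions, and the function names and the distance threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT = "gatehub.net"  # the genuine domain named in the thread

# Constructed sample modelled on the posters' descriptions; not the real email.
SAMPLE = '''From: "noreplay@gatehub.net" <noreplay@gateshub.org>
To: user@example.com
Subject: constructed sample

Please sign in at https://signin.gateshub.org/ to verify your wallet.
'''

def registrable(host):
    # Last two labels: enough for .net/.org, not for suffixes such as .co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, legit=LEGIT, max_dist=2):
    # Compare name labels only, so a TLD swap (.net -> .org) does not hide a near miss.
    if domain == legit:
        return False
    return edit_distance(domain.split(".")[0], legit.split(".")[0]) <= max_dist

def analyse(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    findings = []
    if is_lookalike(sender):
        findings.append(f"sender domain {sender} imitates {LEGIT}")
    if "@" in display and registrable(display.rpartition("@")[2]) != sender:
        findings.append(f"display name shows {display}, address is {addr}")
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", msg.get_payload()):
        if is_lookalike(registrable(host)):
            findings.append(f"link host {host} imitates {LEGIT}")
    return findings

if __name__ == "__main__":
    print("\n".join(analyse(SAMPLE)))
```

The same `is_lookalike` check also flags "gatehubs.net", the domain GateHub names for the July attack, since both differ from the real name by one inserted letter.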