Lost Bitcoins? Don't Click on This Malware Spam

Credit: ppart/ShutterstockCredit: ppart/Shutterstock

Have you lost money in the collapse of Bitcoin exchange Mt. Gox? Are you hoping to get some of it back? Then you're the perfect target for a new malware-distributing spam campaign.

"I've noticed a scam mail that is going around the Internet recently claiming that Mt. Gox has decided to return customers their bitcoins," posted Reddit user "strongleaf" yesterday (March 3). "It goes by, 'Have you lost your MTGOX Coins? Go watch our news to claim your Bitcoins back!'"

MORE: Mt. Gox Bankruptcy: What Bitcoin Owners Need to Know

The email message then displays a link to a page on the website "bitcoinbreaknews [dot] com." That page has since been removed, but the website is still up — its front page mimics the video-player index page of The Wall Street Journal website, complete with working videos.

However, the main video screen on the fake WSJ site is replaced by a pop-up window that asks you to "install Adobe Flash Player." You can bet your bottom bitcoin that it doesn't install the real Flash Player.

Screen grab by Tom's GuideScreen grab by Tom's Guide

"Clicking the Install button downloads a .rar file," a type of compressed archive, wrote Malwarebytes researcher Chris Boyd in a company blog post. (Real Adobe Flash Player installers are regular Windows ".exe" files.)

The original Reddit poster downloaded and opened the archive and saw three files being extracted: a fake version of Adobe Flash Installer, a license file and a README file.

Screen grab by Tom's GuideScreen grab by Tom's Guide

"After clicking onto the malicious Adobe_Flash_Installer.exe, the file will immediately disappear," wrote strongleaf.

"It is apparent that the malware has installed onto the virtual machine. However, no obvious indication can be seen from [Windows] Task Manager."

By using a packet sniffer, a software tool that analyzes Internet traffic, strongleaf saw that "the machine began to make connections to IP address and attempts to download multiple malwares from the IP.

"By listing the directory index, the IP appears to host multiple files namely, news.exe, test.exe, BTCChart.rar," strongleaf wrote.

Tom's Guide was able to confirm strongleaf's observations, although we didn't try to install the fake Adobe Flash Player.

Needless to say, if you receive this message, don't click on the link, and don't install that bogus software, no matter how many bitcoins you lost when Mt. Gox went belly-up last week.

"Sites offering a faint ray of hope in the form of 'Mt. Gox is going to fix it all and please install this file, thanks' could well add more misery to an already considerable pile," Boyd noted.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
    Your comment
  • spartanmk2
  • neieus
    I originally liked the idea of bitcoins but after watching graphic card prices skyrocket then something like this happened... I have never mined a bitcoin before and now I don't think I want too. It's bad enough our credit and debit cards can be hacked why add a new target?
  • DarkSable
    Seriously? Malware that you have to click on the news, decide that you want to read it enough to "install flash," learn how to unpack a .rar (if computers aren't your thing, which is true for the targets of malware and such), and THEN run a .exe.This seems like a ridiculous and ineffective way of spreading malware, especially since it applies only to those who lost bitcoin.