Interest in Bitcoin—the decentralized digital currency—is definitely growing. But as with anything established, it also sparks the interest of scammers. We have seen a few Trojans stealing Bitcoin wallets over the last few years. Also, Trojans installing Bitcoin miners are not that exotic anymore. A case from last week shows how far interest has grown on the criminal side. Reports have emerged about phishing websites impersonating Mt.Gox, the largest Bitcoin exchange site. Mt.Gox has already fought battles in the past—for example when it was on the receiving end of a distributed denial-of-service (DDoS) attack and also when US authorities temporarily seized part of their money.

Of course, as with the nature of phishing websites, the real site has nothing to do with the fake scam site. The scammers just used the same second-level domain (SLD) name, "mtgox", but with a different top-level domain (TLD)—for example, using .org, .net, .de, or .co.uk domains. The scam site tried to trick users into downloading and installing malware with the convincing MTGOX_Wallet.exe file name, which Symantec detects as Downloader.Ponik.



Figure 1. Phishing website uses alternate TLD



Figure 2. Phishing website



The phishing websites were even advertised using more than one major online advertising service, for example Microsoft’s advertisement network, in order to reach as many victims as possible. This resulted in the scam ad being displayed on many prominent websites.

The ad enticed users by stating "New Century Gold: BITCOIN Protect your money - Buy Bitcoin"—a clever turn-about since the ad links to a scam site that has everything else in mind except protecting your money.

The fact that the phishing site does not use the common Secure Sockets Layer (SSL) security protocol should have been a clear giveaway for any visitor. As with any financial service, regardless of the currency behind it, people should pay due diligence to ensure they are on a real website when entering information. In this case, the scammers left an additional clue inside the HTML of the phishing website for the curious type: they hide the original site's guidance to change passwords.



Figure 3. Phisher-altered HTML



Symantec recommends all Mt.Gox users change their passwords and verify accounts. Mt.Gox has started to intensify the verification process of its members, allowing deposits or withdrawals only from verified accounts. They appear to be doing as much as possible to comply with anti-money laundry laws in order avoid the same fate as Liberty Reserve, which was shut down by federal prosecutors in May. Despite Bitcoin being substantially different to Liberty Reserve due to its decentralized peer-to-peer structure, and hence much harder to shut down, it is still good business practice to do as much as possible to ensure secure service.

Symantec has recently launched cloud-based Symantec AdVantage to help prevent ads that lead to malware from ever reaching customers. Website owners that include advertising on their websites should also check out the anti-malvertisement guidelines recommended by the Online Trust Alliance (OTA). The OTA is a non-profit organization with the mission to enhance online trust while promoting innovation and the vitality of the Internet. Symantec is a founding member of the OTA.