Phishing emails for fake MyEtherWallet login page

Published: 2018-05-15
Last Updated: 2018-05-15 01:23:58 UTC
by Brad Duncan (Version: 1)

Introduction

This past weekend, I ran across some phishing emails with links to a fake MyEtherWallet page, so I thought I'd share.


Shown above:  Info from the spreadsheet tracker (image 1 of 2).


Shown above:  Info from the spreadsheet tracker (image 2 of 2).

Details

These emails were easy to identify as phishing messages. The link in each email didn't match the message text, and my Thunderbird email client flagged the messages as not legitimate right away. I had to click through two warnings before reaching the fake MyEtherWallet page.


Shown above:  Screen shot from one of the emails.


Shown above:  Clicking on a link from one of the emails.

On Friday 2018-05-11, the fake MyEtherWallet page used unencrypted HTTP.  When I checked on Sunday 2018-05-13, the page used HTTPS.  All domains for these fake MyEtherWallet pages had qimiao777@126.com listed as a contact address in the registration info.

Read as: domain name - registration date - IP address hosting the fake MyEtherWallet page

  • myetherwalleta.org - registered 2018-05-10 - 69.197.131.202
  • myetherwallett.org - registered 2018-05-11 - 173.208.172.202
  • myetherwalleto.org - registered 2018-05-12 - 69.197.131.202
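The two tells described above (link text that doesn't match the href, and freshly registered lookalike domains, one of them still on plain HTTP) can be checked mechanically. The following is an added example, not part of the original diary and not a tool the author used: it pulls every anchor out of a constructed HTML email body, compares the displayed host with the real href host, scores the href's registrable domain against an assumed legitimate domain (myetherwallet.com) with an edit-distance check, and matches it against the three domains listed in the diary. The sample body, the legitimate-domain constant and the naive "last two labels" registrable-domain rule are all assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate site (not stated on the page).
LEGIT_DOMAIN = "myetherwallet.com"
# The three fake domains listed in the diary.
KNOWN_BAD = {"myetherwalleta.org", "myetherwallett.org", "myetherwalleto.org"}

# Constructed sample email body; the real messages are not reproduced here.
SAMPLE_BODY = """<p>Your wallet requires verification. Log in at
<a href="http://myetherwalleta.org/login">https://www.myetherwallet.com</a>
within 24 hours.</p>
<p>Questions? See <a href="https://support.example.com/faq">our FAQ</a>.</p>
<p>Or visit <a href="https://myetherwalleto.org/">MyEtherWallet</a>.</p>
"""


def levenshtein(a, b):
    """Plain edit distance; small values against the brand label mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive eTLD+1 (last two labels); fine for .com/.org, wrong for e.g. .co.uk."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """If the anchor text looks like a URL or a bare hostname, return that host."""
    t = text.strip()
    if "://" in t:
        return urlparse(t).hostname
    if re.fullmatch(r"(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+", t.lower()):
        return t.lower()
    return None


def analyze_links(body):
    """Return one finding per link with a list of reasons it looks like phishing."""
    parser = LinkExtractor()
    parser.feed(body)
    legit_label = LEGIT_DOMAIN.split(".")[0]
    findings = []
    for href, text in parser.links:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        reg = registrable(host)
        reasons = []
        shown = host_in_text(text)
        if shown and registrable(shown) != reg:
            reasons.append(f"link text shows {shown} but href goes to {host}")
        if reg in KNOWN_BAD:
            reasons.append("known fake MyEtherWallet domain")
        if reg != LEGIT_DOMAIN and levenshtein(reg.split(".")[0], legit_label) <= 2:
            reasons.append(f"lookalike of {LEGIT_DOMAIN}")
        if u.scheme == "http":
            reasons.append("unencrypted http")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_BODY):
        print(f["href"], "->", f["reasons"] or "ok")
```

The edit-distance threshold of 2 is deliberately loose for a 13-character brand label; on a real mail stream you would pair it with the registration date from whois (all three domains here were registered within three days of the campaign) and the shared registrant contact or hosting IP to confirm a match before blocking.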


Shown above:  Screenshot from a fake MyEtherWallet page on Friday 2018-05-11.


Shown above:  Traffic to a fake MyEtherWallet page filtered in Wireshark.


Shown above:  Whois info from one of the fake MyEtherWallet domains.

Final words

Pcap and email samples for today's diary can be found here.

This type of phishing activity is nothing new, but it's the first time I've noticed one targeting a cryptocurrency site like MyEtherWallet.

Feel free to share stories from any interesting phishing emails you've seen in the comments section.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
