Last Updated: 2018-05-15 01:23:58 UTC
by Brad Duncan (Version: 1)
This past weekend, I ran across some phishing emails with links to a fake MyEtherWallet page, so I thought I'd share.
These emails were easily to identify as phishing messages. The link from the email didn't match the message text. My Thunderbird email client knew right away these messages were not legitimate. I ignored two warnings before getting to the fake MyEtherWallet page.
On Friday 2018-05-11, the fake MyEtherWallet page used unencrypted HTTP. When I checked on Sunday 2018-05-13, the page used HTTPS. All domains for these fake MyEtherWallet pages had firstname.lastname@example.org listed as a contact address in the registration info.
Read: Domain name - registered date - IP address hosting the fake MyEtherWallet page
- myetherwalleta.org - registered 2018-05-10 - 18.104.22.168
- myetherwallett.org - registered 2018-05-11 - 22.214.171.124
- myetherwalleto.org - registered 2018-05-12 - 126.96.36.199
Pcap and email samples for today's diary can be found here.
This type of phishing activity is nothing new, but it's the first time I've noticed one targeting a cryptocurrency site like MyEtherWallet.
Feel free to share stories from any interesting phishing emails you've seen in the comments section.
brad [at] malware-traffic-analysis.net