Introduction

This past weekend, I ran across some phishing emails with links to a fake MyEtherWallet page, so I thought I'd share.



Shown above: Info from the spreadsheet tracker (image 1 of 2).



Shown above: Info from the spreadsheet tracker (image 2 of 2).

Details

These emails were easy to identify as phishing messages. The link from the email didn't match the message text. My Thunderbird email client knew right away these messages were not legitimate. I ignored two warnings before getting to the fake MyEtherWallet page.



Shown above: Screen shot from one of the emails.



Shown above: Clicking on a link from one of the emails.

On Friday 2018-05-11, the fake MyEtherWallet page used unencrypted HTTP. When I checked on Sunday 2018-05-13, the page used HTTPS. All domains for these fake MyEtherWallet pages had qimiao777@126.com listed as a contact address in the registration info.

Domain name - registered date - IP address hosting the fake MyEtherWallet page

myetherwalleta.org - registered 2018-05-10 - 69.197.131.202

myetherwallett.org - registered 2018-05-11 - 173.208.172.202

myetherwalleto.org - registered 2018-05-12 - 69.197.131.202
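The two signs the diary points at, link text that doesn't match the real destination and domains that are one character off from myetherwallet.com, can be checked automatically. This added example is mine, not the diary's; it assumes a constructed HTML body that reuses the domains listed above and a naive "label.tld" split instead of a public-suffix list.

```python
import re
from urllib.parse import urlparse

LEGIT_DOMAIN = "myetherwallet.com"  # registrable domain of the real site
LEGIT_LABEL = LEGIT_DOMAIN.split(".")[0]

# Constructed sample message body; the first href reuses a domain from the diary.
SAMPLE_BODY = """<p>Verify your wallet at
<a href="http://myetherwalleta.org/">https://www.myetherwallet.com</a></p>
<p>Help: <a href="https://www.myetherwallet.com/">MyEtherWallet</a></p>"""

# A regex is enough for the simple sample body; real mail should be parsed as HTML.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive 'label.tld' of a hostname (assumption: no public-suffix handling)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means none."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    shown = (urlparse(text if "//" in text else "//" + text).hostname or "").lower()
    # Sign 1: the visible link text names a different site than the href target.
    if "." in shown and registrable(shown) != registrable(host):
        reasons.append("text shows %s but link goes to %s" % (shown, host))
    # Sign 2: the target is a close misspelling (or other TLD) of the real domain.
    if host and registrable(host) != LEGIT_DOMAIN:
        if edit_distance(registrable(host).split(".")[0], LEGIT_LABEL) <= 2:
            reasons.append("lookalike of %s: %s" % (LEGIT_DOMAIN, registrable(host)))
    return reasons


def suspicious_links(html):
    """(href, reasons) for every flagged anchor in an HTML body."""
    found = [(h, analyze_link(h, t.strip())) for h, t in ANCHOR_RE.findall(html)]
    return [(h, r) for h, r in found if r]
```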



Shown above: Screenshot from a fake MyEtherWallet page on Friday 2018-05-11.



Shown above: Traffic to a fake MyEtherWallet page filtered in Wireshark.



Shown above: Whois info from one of the fake MyEtherWallet domains.

Final words

Pcap and email samples for today's diary can be found here.

This type of phishing activity is nothing new, but it's the first time I've noticed one targeting a cryptocurrency site like MyEtherWallet.

Feel free to share stories from any interesting phishing emails you've seen in the comments section.

---

Brad Duncan

brad [at] malware-traffic-analysis.net