Bitcoin Forum
June 22, 2024, 04:11:20 PM *
News: Voting for pizza day contest
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Myetherwallet Scam phishing Hacked Domain  (Read 106 times)
delbarbour (OP)
Newbie
*
Offline Offline

Activity: 72
Merit: 0


View Profile
February 15, 2018, 12:14:51 AM
Last edit: February 15, 2018, 10:14:39 PM by delbarbour
 #1

Guys found today a fake myetherwallet website steal address from phishing

Address of Hacker ethereum:

0xBDfaecb4eE0d1880e8d2Ae693b40EB00104D3077


Address of the fake website

https://xn--myethrwalle-jb9e19a.com/

it display DNS name as myetherwallet.com with dots on letter T to trick

Funny thing that it still got a Valid SSL certificate from Bitdefender
https://imgur.com/a/5LSuI
https://imgur.com/a/UqZQw

https://imgur.com/a/ofvUs


----------------------------------------------------------------------------------------------------------------------------------
Update:
---------

Sorry Guys but no one seemed to got my explanation of the Phishing Attack of MEW, Punycode Phishing Attacks  Undecided

this link explain it well, this exactly what happened and website still active today he got more 12000$ of more confiscated wallet  Angry

By default, many web browsers use ‘Punycode’ encoding to represent unicode characters in the URL to defend against Homograph phishing attacks. Punycode is a special encoding used by the web browser to convert unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by International Domain Names (IDNs) system.

This loophole allowed the researcher to register a domain name xn--80ak6aa92e.com and bypass protection, which appears as “apple.com” by all vulnerable web browsers, including Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.
Here, xn-- prefix is known as an ‘ASCII compatible encoding’ prefix, which indicates web browser that the domain uses ‘punycode’ encoding to represent Unicode characters, and Because Zheng uses the Cyrillic "a" (U+0430) rather than the ASCII "a" (U+0041), the defence approach implemented by web browser fails.

Full Article  !!
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

PLEASE BE CAREFUL !! MEW link will show correctly in Chrome & also with Valid SSL !!

I will be working on new project to track the Funds on Blockchain ! and Score Wallets and Tag the coins Dispersed ..

i mean why we want blockchain Huh We know the stealer ID, we know his links with Exchanges wallets... we tracked the money stolen and we know exactly where it is !!
if we cannot do something about it or crime report.. is better to be back to FIAT ! :/  



anyhow i tracked his wallet to bittrex transfer and other stuff

Anyway we can report this to Bittrex ? legal authority ? at least to lock the fund and not let him cash easily



omitusaf
Full Member
***
Offline Offline

Activity: 280
Merit: 102


Revolutionising Marketing and Loyalty


View Profile
February 15, 2018, 12:20:05 AM
 #2

Sorry for this bad experience and tanks for letting us know. It would be best if we ensure we bookmark the authentic site to avoid situations of this sort in future.
Sorry once again.

delbarbour (OP)
Newbie
*
Offline Offline

Activity: 72
Merit: 0


View Profile
February 15, 2018, 12:21:49 AM
 #3

Guys found today a fake myetherwallet website steal address from phishing

Address of Hacker ethereum:

0xBDfaecb4eE0d1880e8d2Ae693b40EB00104D3077


Address of the fake website

https://xn--myethrwalle-jb9e19a.com/

it display DNS name as myetherwallet.com with dots on letter T to trick

Funny thing that it still got a Valid SSL certificate from Bitdefender
https://imgur.com/a/5LSuI

cert https://imgur.com/a/UqZQw

https://imgur.com/a/ofvUs






got stolen 2 ethers only for being clumsy although i checked the certificate but didnt have the chrome extension to validate domain

anyhow i tracked his wallet to bittrex transfer and other stuff

Anyway we can report this to Bittrex ? legal authority ? at least to lock the fund and not let him cash easily



I think that that fishing address doesn't look much like something  could mistakenly take for the real address of that web page. I think that it should be a very stupid hacker.

i updated the images links to better get a look, btw its very confusing the url is not what it shows on the site !!


mhine07
Full Member
***
Offline Offline

Activity: 560
Merit: 105



View Profile
February 15, 2018, 12:23:49 AM
 #4

The url itself is suspicious to click , the original url of myetherwallet is just myetherwallet.com and nothing words or letters is being added to that address. And when you go to the myetherwallet website their are cautions their that prompts that beware of phishing attempt. Those who have been hacked by that address is just a noob one.

delbarbour (OP)
Newbie
*
Offline Offline

Activity: 72
Merit: 0


View Profile
February 15, 2018, 12:38:10 AM
 #5

The url itself is suspicious to click , the original url of myetherwallet is just myetherwallet.com and nothing words or letters is being added to that address. And when you go to the myetherwallet website their are cautions their that prompts that beware of phishing attempt. Those who have been hacked by that address is just a noob one.

Man its not a noob question,
it start with email not categorized as SPAM from EOS

then you enter EOS clone website looking like this

https://imgur.com/a/7aPcl

after this just to participate u got forwarded to myetherwallet.com which looks fishy why ?! so spend some time checking the website certificate and domain etc..

that looks like this https://imgur.com/a/7Aild

http://<blockquote class="imgur-embed-pub" lang="en" data-id="a/7Aild"><a href="//imgur.com/7Aild"></a></blockquote><script async src="//s.imgur.com/min/embed.js" charset="utf-8"></script>

from here if you notice URL looks ok with Trusted SSL but small dots on the letter which mistakenly thought dirt on the screen

in facts these are special characters displayed like that when fetched in URL,  if u copy and past it shows as the shitty address i posted in the first comment
https://xn--myethrwalle-jb9e19a.com/#send-transaction instead of my etherwallet


generous
Hero Member
*****
Offline Offline

Activity: 938
Merit: 500


View Profile
February 15, 2018, 12:41:17 AM
 #6

The url itself is suspicious to click , the original url of myetherwallet is just myetherwallet.com and nothing words or letters is being added to that address. And when you go to the myetherwallet website their are cautions their that prompts that beware of phishing attempt. Those who have been hacked by that address is just a noob one.

Man its not a noob question,
it start with email not categorized as SPAM from EOS

then you enter EOS clone website looking like this

https://imgur.com/a/7aPcl

after this just to participate u got forwarded to myetherwallet.com which looks fishy why ?! so spend some time checking the website certificate and domain etc..

that looks like this https://imgur.com/a/7Aild



from here if you notice URL looks ok with Trusted SSL but small dots on the letter which mistakenly thought dirt on the screen

in facts these are special characters displayed like that when fetched in URL,  if u copy and past it shows as the shitty address i posted in the first comment
https://xn--myethrwalle-jb9e19a.com/#send-transaction instead of my etherwallet



you got phissing man, thats fake MEW
Better using google extension for check MEW phising site or using hardware wallet

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
slackcryptoz
Sr. Member
****
Offline Offline

Activity: 456
Merit: 250


View Profile
February 15, 2018, 12:48:20 AM
 #7

Not only with myetherwallet, but most of the wallet websites have got fake domains created by hackers. We need to be cautious to find the correct website, because it is a way through which the users entire fund can be transferred. People quite often reporting such incidents keep the user community aware about such fraudulent activities.
delbarbour (OP)
Newbie
*
Offline Offline

Activity: 72
Merit: 0


View Profile
February 15, 2018, 12:59:52 AM
 #8

guys i know it was phishing, No Doubt About it ! No Recovery for Ethers also

but nothing can be done about such cases ?!  Shocked

i mean i got his ETH Address, he also have registered account in Bittrex as he transfered funds from there 100 days ago, so he's verified email+mobile

got his file from namecheap.com registrar and contacted them for abuse

can link also activity to another wallet with over a Million $ ( although the one use for phishing one was just 10 ether balance)

any website or agency to track such case or report ?
stephiechoiii
Newbie
*
Offline Offline

Activity: 139
Merit: 0


View Profile
February 15, 2018, 01:27:54 AM
 #9

Lets be careful always, so that our account will be safe and far from phishing. The link of the real myetherwallet is just myetherwallet.com, so at first when you see the fake links and domain you will get curious easily and if you are really aware to the environment of myetherwallet.
Ali Akbar Torang
Full Member
***
Offline Offline

Activity: 381
Merit: 100



View Profile
February 15, 2018, 02:23:07 AM
 #10

Cryptocurrency Community should developing some method to anticipated preventively before anything like this happening day to day, it is disturbing me like scared me as many people felt as i do. after that community also should developing a method persuasively like cooperating with exchange or whatever cooperate can do a things persuasively to the community to anticipated such things, and community also can repressively do something like what should be accepted by the criminals.

delbarbour (OP)
Newbie
*
Offline Offline

Activity: 72
Merit: 0


View Profile
February 15, 2018, 09:55:06 PM
 #11

Sorry Guys but no one seemed to got my explanation of the Phishing Attack of MEW, Punycode Phishing Attacks  Undecided

this link explain it well, this exactly what happened and website still active today he got more 12000$ of more confiscated wallet  Angry

By default, many web browsers use ‘Punycode’ encoding to represent unicode characters in the URL to defend against Homograph phishing attacks. Punycode is a special encoding used by the web browser to convert unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by International Domain Names (IDNs) system.

This loophole allowed the researcher to register a domain name xn--80ak6aa92e.com and bypass protection, which appears as “apple.com” by all vulnerable web browsers, including Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.
Here, xn-- prefix is known as an ‘ASCII compatible encoding’ prefix, which indicates web browser that the domain uses ‘punycode’ encoding to represent Unicode characters, and Because Zheng uses the Cyrillic "a" (U+0430) rather than the ASCII "a" (U+0041), the defence approach implemented by web browser fails.


Full Article  !!
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

PLEASE BE CAREFUL !! MEW link will show correctly in Chrome & also with Valid SSL !!

I will be working on new project to track the Funds on Blockchain ! and Score Wallets and Tag the coins Dispersed ..

i mean why we want blockchain Huh We know the stealer ID, we know his links with Exchanges wallets... we tracked the money stolen and we know exactly where it is !!
if we cannot do something about it or crime report.. is better to be back to FIAT ! :/  


delbarbour (OP)
Newbie
*
Offline Offline

Activity: 72
Merit: 0


View Profile
February 16, 2018, 01:49:41 PM
 #12

Manage to Track the wallet of the Owner of that phishing Site and Seems to Have multiple Sites in different Domains ...

The Root Fake Website  Wallet is  0xBDfaecb4eE0d1880e8d2Ae693b40EB00104D3077

Today he managed to Deposit to TIDEX exchange

Contacted their Support and waiting for Feedback

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!