A large number of phishing emails were sent out to Stellar Lumens holders today. The email was sent from firstname.lastname@example.org with the subject "Request to change Stellar wallet key".
Interestingly, the email has valid DKIM headers for Stellar.org, which means it could be a hack. The phishing webpage that asks for the user's secret key was hosted on a subdomain of stellar.org. In other words, the emails are coming from inside the domain, and this is not really a phish because these are genuine emails from the Stellar.org domain – the official website of the Stellar Development Foundation.
I use unique email aliases for every service. The email arrived at the address that I used with Stellar.
— Juan Uicich (@juanuicich) November 29, 2020
Here is a screenshot of the DKIM headers of the email, which confirms that the emails were in fact sent from stellar.org.
Also, on the webpage, if you click "cancel request", you are taken to auth.stellarwallet.org, which is definitely a phishing page.
Earlier, phishing emails were sent from a different domain that could be easily identified with some due diligence, but this time it is different. The emails look genuine and the webpage is, in fact, hosted on the Stellar.org portal.
I think Stellar’s email server got hacked; the phishing page is hosted at https://t.co/vyhnHjvAEj. Maybe all these email addresses are accessible in the logs somewhere or in a “Sent” mbox.
— Lily Ballard (@LilyInTech) November 29, 2020
Many users have already fallen for this and their funds are gone. The webpage asks the user for their secret key, which gives the hacker full control of the user’s funds.
I fell for this @StellarOrg – are the funds gone for good? I lost a lot.
— Callum Prentice (@callumprentice) November 29, 2020
A general rule of thumb – emails stating that your crypto or email account has been hacked are phishing emails and should be marked as spam immediately.
Here are the contents of the email:
Sub: Request to change Stellar wallet key
A request to generate a new secret key for your Stellar wallet has been received.
For security reasons, this process may take upto 7 days to complete and will be processed automatically from now.
If you wish to cancel the request or if you did not initiate this action, it is possible that someone is trying to access your account without your permission. Please login to your account to cancel the request:
<authorize request> <cancel request>
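The triage check below is an added example, not code from the original article or from Stellar. It shows that a message like the one quoted above can pass DKIM with an aligned d=stellar.org and still be flagged on its content. The sample message, sender address, receiving host name, selector and link paths are constructed; only auth.stellarwallet.org comes from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: headers and link targets are illustrative, not the real message.
SAMPLE = """\
From: Stellar <sender@stellar.org>
Subject: Request to change Stellar wallet key
Authentication-Results: mx.example.net; dkim=pass header.d=stellar.org
DKIM-Signature: v=1; a=rsa-sha256; d=stellar.org; s=placeholder; bh=...; b=...

A request to generate a new secret key for your Stellar wallet has been received.
Authorize: https://placeholder-subdomain.stellar.org/authorize
Cancel: https://auth.stellarwallet.org/cancel
"""

def under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def triage(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # d= tag of each DKIM-Signature: the domain that vouches for the message.
    signers = [m.group(1).lower() for h in msg.get_all("DKIM-Signature", [])
               for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", h)] if m]
    # Only an Authentication-Results header added by your own MTA is trustworthy.
    passed = any(re.search(r"\bdkim=pass\b", h, re.I)
                 for h in msg.get_all("Authentication-Results", []))
    # Simplified relaxed alignment (no public suffix list lookup).
    aligned = passed and any(under(from_domain, d) or under(d, from_domain)
                             for d in signers)
    body = msg.get_payload()
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s<>]+", body)}
    off_domain = sorted(h for h in hosts if h and not under(h, from_domain))
    # A DKIM pass proves origin, not intent: content signals are scored separately.
    asks_secret = bool(re.search(r"secret key|private key|seed phrase", body, re.I))
    return {"dkim_aligned": aligned, "off_domain_links": off_domain,
            "asks_for_secret": asks_secret,
            "suspicious": bool(off_domain) or asks_secret}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The dot-prefixed suffix match in `under` is what keeps a look-alike such as stellarwallet.org from being treated as part of stellar.org.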