RiskIQ, the global leader in digital threat management, today released a report profiling a phishing automated transfer system (ATS) dubbed MEWKit, which targets users of the Ethereum exchange MyEtherWallet and is now proven to be complicit in the infamous April 24, 2018, hijack of Amazon DNS servers. The report, named “MEWKit: Cryptotheft’s Newest Weapon,” reveals how the newly discovered attack presents an entirely new threat to the cryptocurrency landscape, exceeding the capabilities of a typical phishing kit by leveraging characteristics of ATS malware to access and steal victims’ Ethereum funds directly from the exchange.
Unlike a bank, which adds additional layers of security to its customers’ accounts, MyEtherWallet gives users direct access to the Ethereum network through their browser. This functionality, which puts fewer hurdles between attackers and a payday, explains why MEWKit was purpose-built for MyEtherWallet—and how cryptocurrency at large can be particularly vulnerable to theft.
The research found that MEWKit consists of two parts: a phishing page mimicking the MyEtherWallet site and a server-side component that handles the wallets to which attackers transfer stolen funds once a phishing attack succeeds. While typical phishing pages usually redirect to the legitimate version of the website so the victim can log in again, MEWKit simply abuses MyEtherWallet’s unique access to the Ethereum network to make the transactions in the background. Once a user logs in, MEWKit checks their wallet’s balance and requests a receiver address from the server side. It then leverages the standard MyEtherWallet functionality by setting the attacker-owned wallet as the receiving address and transferring out the victim’s entire balance.
“This attack demonstrates how actors are changing their tactics to target the unique vulnerabilities of cryptocurrency’s surrounding services and implementations,” said Yonathan Klijnsma, Threat Researcher at RiskIQ. “MEWKit combines the tactics of both traditional phishing attacks and the functionality of an ATS for a tailor-made way to clear the relatively low barriers of MyEtherWallet.”
While analysing MEWKit, RiskIQ researchers also discovered a link to the renowned attack on April 24th, when an unauthorised party rerouted a significant portion of traffic intended for Amazon Route 53. The DNS servers that ended up handling the traffic were operating MEWKit and were set up to resolve only to myetherwallet[.]com. The DNS server that responded with a new IP address for MyEtherWallet routed from Russia, which is likely the country from which the actors behind this attack operate.
The level of sophistication required to pull off this attack—rerouting DNS traffic from a major service provider to a server running MEWKit—shows a new dedicated effort from threat actors to pursue cryptocurrency. Based on this amount of traffic captured in the Amazon DNS attack alone, the campaign operating MEWKit is likely highly lucrative and will continue to be in operation for the foreseeable future.
For the full story of MEWKit, its past and current campaigns, and a complete list of indicators of compromise, download the 30-page report at: https://www.riskiq.com/research/mewkit-cryptotheft-newest-weapon/