There's a brand new player in the phishing and cryptocurrency cyber threat landscapes, and chances are you're already familiar with its work. RiskIQ researchers have discovered a phishing automated transfer system (ATS) dubbed MEWKit, which targets users of the Ethereum exchange MyEtherWallet and is now proven to be complicit in the infamous April 24, 2018, hijack of Amazon DNS servers.
In their analysis of MEWKit, RiskIQ researchers found that when an unauthorized party rerouted a significant portion of traffic intended for Amazon Route 53, the DNS servers that ended up handling the traffic were operating MEWKit, and set up to resolve only to one site: myetherwallet[.]com. What sets this new hacker tool apart is that it exceeds the capabilities of a typical phishing kit by leveraging characteristics of ATS malware to access and steal victims' Ethereum funds directly from the exchange.
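A defender-side check for the hijack pattern described above, written as an added example and not taken from RiskIQ's report: it scans constructed resolver log lines for two indicators, an answer for a watched name that falls outside the operator's expected address ranges, and a resolver that answers only the watched name and returns NXDOMAIN for everything else. The log format, the resolver addresses and the expected ranges are all assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (not from the original page):
# timestamp resolver_ip query_name answer_or_NXDOMAIN
SAMPLE_LOG = """\
2018-04-24T11:05:01Z 198.51.100.7 myetherwallet.com 198.51.100.20
2018-04-24T11:05:02Z 198.51.100.7 example.org NXDOMAIN
2018-04-24T11:05:03Z 198.51.100.7 example.net NXDOMAIN
2018-04-24T11:06:01Z 192.0.2.53 myetherwallet.com 203.0.113.40
2018-04-24T11:06:02Z 192.0.2.53 example.org 203.0.113.41
"""

# Assumed allow-list of ranges the watched name should resolve to; a real
# deployment would fill this from its own authoritative records.
EXPECTED = {"myetherwallet.com": [ipaddress.ip_network("203.0.113.0/24")]}

def parse_log(text):
    """Split log lines into (timestamp, resolver, qname, answer) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def find_hijack_indicators(records, expected=EXPECTED):
    """Return {resolver_ip: [alert, ...]} for resolvers showing hijack signs."""
    alerts = defaultdict(list)
    stats = defaultdict(lambda: {"watched": 0, "other": 0, "other_answered": 0})
    for _, resolver, qname, answer in records:
        s = stats[resolver]
        if qname in expected:
            if answer != "NXDOMAIN":
                addr = ipaddress.ip_address(answer)
                # Indicator 1: watched name resolves outside its known ranges
                if not any(addr in net for net in expected[qname]):
                    alerts[resolver].append(f"unexpected answer {answer} for {qname}")
                s["watched"] += 1
        else:
            s["other"] += 1
            if answer != "NXDOMAIN":
                s["other_answered"] += 1
    # Indicator 2: a resolver set up to serve one site and nothing else
    for resolver, s in stats.items():
        if s["watched"] and s["other"] and s["other_answered"] == 0:
            alerts[resolver].append("resolver answers only the watched name")
    return dict(alerts)
```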
MEWKit consists of two parts: a phishing page mimicking the MyEtherWallet site and a server-side component that handles the wallets to which cyber attackers transfer stolen funds once a phishing attack succeeds. While typical phishing pages usually redirect to the legitimate version of the website so the victim can log in again, MEWKit simply abuses MyEtherWallet’s unique access to the Ethereum network to make the transactions in the background. Once a user logs in, MEWKit checks their wallet’s balance and requests a receiver address from the server side. It then leverages the standard MyEtherWallet functionality by setting the cyber attacker-owned wallet as the receiving address and transferring out the victim’s entire balance.
Unlike a bank, which adds additional layers of security to its customers' accounts, MyEtherWallet gives users direct access to the Ethereum network through their browser. This functionality, which puts fewer hurdles between cyber attackers and a payday, explains why MEWKit was purpose-built for MyEtherWallet—and how cryptocurrency at large can be particularly vulnerable to theft. Combining the tactics of traditional phishing attacks with the functionality of an ATS gives attackers a tailor-made way to clear the relatively low barriers of MyEtherWallet, and demonstrates how cyber threat tactics are evolving to target the unique vulnerabilities of cryptocurrency's surrounding services and implementations.
Based on the amount of traffic captured in the Amazon DNS attack alone, the campaign operating MEWKit is likely highly lucrative and will continue to be in operation for the foreseeable future. The level of sophistication required to pull off this cyber attack—rerouting DNS traffic from a major service provider to a server running MEWKit—shows a new dedicated effort from threat actors to pursue cryptocurrency.
Our latest cyber threat report, titled "MEWKit: Cryptotheft's Newest Weapon", offers a complete analysis of MEWKit, its past and current campaigns, and a list of indicators of compromise: https://www.riskiq.com/research/mewkit-cryptotheft-newest-weapon/