There’s a brand new player in the phishing and cryptocurrency cyber threat landscapes, and chances are you’re already familiar with its work. RiskIQ researchers have discovered a phishing automated transfer system (ATS) dubbed MEWKit, which targets users of the Ethereum exchange MyEtherWallet and is now proven to be complicit in the infamous April 24, 2018, hijack of Amazon DNS servers.
In their analysis of MEWKit, RiskIQ researchers found that when an unauthorized party rerouted a significant portion of traffic intended for Amazon Route 53, the DNS servers that ended up handling the traffic were serving MEWKit and were set up to resolve only one site: myetherwallet[.]com. What sets this new hacker tool apart is that it exceeds the capabilities of a typical phishing kit by leveraging characteristics of ATS malware to access and steal victims’ Ethereum funds directly from the exchange.
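The two resolver-level signals described above (the monitored name answering with an address outside its expected ranges, and a resolver that answers only that one name) can be turned into a monitoring check. The following is an added example, not code from RiskIQ or the report; all domain names, prefixes and addresses are constructed documentation values.

```python
import ipaddress
from typing import Dict, List

# Constructed baseline: prefixes a trusted resolver (e.g. over DNS-over-TLS)
# previously returned for the monitored name. TEST-NET-3 is a placeholder.
EXPECTED_PREFIXES = {
    "myetherwallet.com": ["203.0.113.0/24"],
}

# Constructed canary names a healthy recursive resolver must always answer.
CANARY_NAMES = ["example.com", "example.net", "example.org"]


def check_resolver(answers: Dict[str, List[str]], monitored: str) -> List[str]:
    """Return findings for one resolver's responses.

    `answers` maps each queried name to the A records the resolver returned;
    an empty list stands for NXDOMAIN, SERVFAIL or a timeout.
    Signal 1: the monitored name resolves outside its expected prefixes.
    Signal 2: the resolver answers the monitored name but no canary at all,
              i.e. it is set up to resolve only one site.
    """
    findings = []
    nets = [ipaddress.ip_network(p) for p in EXPECTED_PREFIXES.get(monitored, [])]
    for ip in answers.get(monitored, []):
        addr = ipaddress.ip_address(ip)
        if nets and not any(addr in n for n in nets):
            findings.append(f"{monitored} resolved to unexpected address {ip}")
    canaries_answered = sum(1 for name in CANARY_NAMES if answers.get(name))
    if answers.get(monitored) and canaries_answered == 0:
        findings.append("resolver answers only the monitored name; all canaries failed")
    return findings


# Constructed responses: a healthy resolver and one mimicking the rogue path.
HEALTHY = {
    "myetherwallet.com": ["203.0.113.10"],
    "example.com": ["198.51.100.1"],
    "example.net": ["198.51.100.2"],
    "example.org": ["198.51.100.3"],
}
ROGUE = {
    "myetherwallet.com": ["192.0.2.77"],
    "example.com": [], "example.net": [], "example.org": [],
}

if __name__ == "__main__":
    for label, answers in (("healthy", HEALTHY), ("rogue", ROGUE)):
        print(label, check_resolver(answers, "myetherwallet.com"))
```

The expected prefixes should come from an independent trusted path rather than from the resolver under test, otherwise a hijacked path would validate itself.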
MEWKit consists of two parts: a phishing page mimicking the MyEtherWallet site and a server-side component that handles the wallets to which cyber attackers transfer stolen funds once a phishing attack succeeds. While typical phishing pages usually redirect to the legitimate version of the website so the victim can log in again, MEWKit simply abuses MyEtherWallet’s unique access to the Ethereum network to make the transactions in the background. Once a user logs in, MEWKit checks their wallet’s balance and requests a receiver address from the server side. It then leverages the standard MyEtherWallet functionality by setting the cyber attacker-owned wallet as the receiving address and transferring out the victim’s entire balance.
Fig-1 The MEWKit page looks exactly like the normal MyEtherWallet website
Unlike a bank, which adds additional layers of security to its customers’ accounts, MyEtherWallet gives users direct access to the Ethereum network through their browser. This functionality, which puts fewer hurdles between cyber attackers and a payday, explains why MEWKit was purpose-built for MyEtherWallet—and how cryptocurrency at large can be particularly vulnerable to theft. By combining the tactics of traditional phishing attacks with the functionality of an ATS, MEWKit clears the relatively low barriers of MyEtherWallet in a tailor-made way and demonstrates how cyber threat tactics are evolving to target the unique vulnerabilities of cryptocurrency’s surrounding services and implementations.
Download the top-ten things you should know about MEWKit here.
Based on the amount of traffic captured in the Amazon DNS attack alone, the campaign operating MEWKit is likely highly lucrative and will continue to be in operation for the foreseeable future. The level of sophistication required to pull off this cyber attack—rerouting DNS traffic from a major service provider to a server running MEWKit—shows a new dedicated effort from threat actors to pursue cryptocurrency.
Our latest cyber threat report named “MEWKit: Cryptotheft’s Newest Weapon” offers a complete analysis of MEWKit, its past and current campaigns, and a list of indicators of compromise: https://www.riskiq.com/research/mewkit-cryptotheft-newest-weapon/