Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
May 17, 2018
Threat Report Profiles the Lucrative Russian Operation Behind MEWKit
SAN FRANCISCO – May 17, 2018 – RiskIQ, the global leader in digital threat management, today released a report profiling a phishing automated transfer system (ATS) dubbed MEWKit, which targets users of the Ethereum exchange MyEtherWallet and is now proven to be complicit in the infamous April 24, 2018, hijack of Amazon DNS servers. The report, named “MEWKit: Cryptotheft’s Newest Weapon,” reveals how the newly discovered attack presents an entirely new threat to the cryptocurrency landscape, exceeding the capabilities of a typical phishing kit by leveraging characteristics of ATS malware to access and steal victims’ Ethereum funds directly from the exchange.
Unlike a bank, which adds additional layers of security to its customers’ accounts, MyEtherWallet gives users direct access to the Ethereum network through their browser. This functionality, which puts fewer hurdles between attackers and a payday, explains why MEWKit was purpose-built for MyEtherWallet—and how cryptocurrency at large can be particularly vulnerable to theft.
The research found that MEWKit consists of two parts: a phishing page mimicking the MyEtherWallet site and a server-side component that handles the wallets to which attackers transfer stolen funds once a phishing attack succeeds. While typical phishing pages usually redirect to the legitimate version of the website so the victim can log in again, MEWKit simply abuses MyEtherWallet’s unique access to the Ethereum network to make the transactions in the background. Once a user logs in, MEWKit checks their wallet’s balance and requests a receiver address from the server side. It then leverages the standard MyEtherWallet functionality by setting the attacker-owned wallet as the receiving address and transferring out the victim’s entire balance.
“This attack demonstrates how actors are changing their tactics to target the unique vulnerabilities of cryptocurrency’s surrounding services and implementations,” said Yonathan Klijnsma, Threat Researcher at RiskIQ. “MEWKit combines the tactics of both traditional phishing attacks and the functionality of an ATS for a tailor-made way to clear the relatively low barriers of MyEtherWallet.”
While analyzing MEWKit, RiskIQ researchers also discovered a link to the renowned attack on April 24th, when an unauthorized party rerouted a significant portion of traffic intended for Amazon Route 53. The DNS servers that ended up handling the traffic were operating MEWKit and were set up to resolve only to myetherwallet[.]com. The DNS server that responded with a new IP address for MyEtherWallet routed from Russia, which is likely the country from which the actors behind this attack operate.
The level of sophistication required to pull off this attack—rerouting DNS traffic from a major service provider to a server running MEWKit—shows a new dedicated effort from threat actors to pursue cryptocurrency. Based on this amount of traffic captured in the Amazon DNS attack alone, the campaign operating MEWKit is likely highly lucrative and will continue to be in operation for the foreseeable future.
For the full story of MEWKit, its past and current campaigns, and a complete list of indicators of compromise, download the 30-page report at: https://www.riskiq.com/research/mewkit-cryptotheft-newest-weapon/
RiskIQ is the leader in digital threat management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk and take action to protect the business, brand and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures.
Visit https://www.riskiq.com or follow us on Twitter. Try RiskIQ Community Edition for free by visiting https://www.riskiq.com/community/.
© 2018 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.