RiskIQ Implicates Ethereum-Stealing Phishing ATS in Infamous Amazon Hijack
May 17, 2018
Threat Report Profiles the Lucrative Russian Operation Behind MEWKit
SAN FRANCISCO – May 17, 2018 – RiskIQ, the global leader in digital threat management, today released a report profiling a phishing automated transfer system (ATS) dubbed MEWKit, which targets users of the Ethereum exchange MyEtherWallet and is now proven to be complicit in the infamous April 24, 2018, hijack of Amazon DNS servers. The report, named “MEWKit: Cryptotheft’s Newest Weapon,” reveals how the newly discovered attack presents an entirely new threat to the cryptocurrency landscape, exceeding the capabilities of a typical phishing kit by leveraging characteristics of ATS malware to access and steal victims' Ethereum funds directly from the exchange.
Unlike a bank, which adds additional layers of security to its customers' accounts, MyEtherWallet gives users direct access to the Ethereum network through their browser. This functionality, which puts fewer hurdles between attackers and a payday, explains why MEWKit was purpose-built for MyEtherWallet—and how cryptocurrency at large can be particularly vulnerable to theft.
The research found that MEWKit consists of two parts: a phishing page mimicking the MyEtherWallet site and a server-side component that handles the wallets to which attackers transfer stolen funds once a phishing attack succeeds. While typical phishing pages usually redirect to the legitimate version of the website so the victim can log in again, MEWKit simply abuses MyEtherWallet’s unique access to the Ethereum network to make the transactions in the background. Once a user logs in, MEWKit checks their wallet’s balance and requests a receiver address from the server side. It then leverages the standard MyEtherWallet functionality by setting the attacker-owned wallet as the receiving address and transferring out the victim’s entire balance.
“This attack demonstrates how actors are changing their tactics to target the unique vulnerabilities of cryptocurrency’s surrounding services and implementations,” said Yonathan Klijnsma, Threat Researcher at RiskIQ. “MEWKit combines the tactics of both traditional phishing attacks and the functionality of an ATS for a tailor-made way to clear the relatively low barriers of MyEtherWallet.”
While analyzing MEWKit, RiskIQ researchers also discovered a link to the renowned attack on April 24th, when an unauthorized party rerouted a significant portion of traffic intended for Amazon Route 53. The DNS servers that ended up handling the traffic were operating MEWKit and were set up to resolve only to myetherwallet[.]com. The DNS server that responded with a new IP address for MyEtherWallet routed from Russia, which is likely the country from which the actors behind this attack operate.
The level of sophistication required to pull off this attack—rerouting DNS traffic from a major service provider to a server running MEWKit—shows a new dedicated effort from threat actors to pursue cryptocurrency. Based on this amount of traffic captured in the Amazon DNS attack alone, the campaign operating MEWKit is likely highly lucrative and will continue to be in operation for the foreseeable future.
For the full story of MEWKit, its past and current campaigns, and a complete list of indicators of compromise, download the 30-page report at: https://www.riskiq.com/research/mewkit-cryptotheft-newest-weapon/
RiskIQ is the leader in digital threat management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk and take action to protect the business, brand and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures.
© 2018 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.