MEWKit phishing campaign steals MyEtherWallet credentials to perform automated fund transfers

The cybercriminals who last April executed a man-in-the-middle attack on a Amazon DNS server to steal $152,000 in Ethereum cryptocurrency from pulled off their heist using a newly discovered phishing kit that includes an automated transfer system (ATS) malware component, researchers are reporting.

The term ATS typically refers to malware that injects scripts into financial website web sessions to silently transfer funds out of bank accounts just moments after their rightful owners log into the system. But in this case, the phishing kit puts a twist on this concept by using ATS to transfer users' crypto coins to attacker-controlled wallets after capturing victims' MyEtherWallet credentials as they're entered onto a fake front-end web page, RiskIQ has revealed in a new report filed today.

Moreover, MEWKit in some cases steals victims' wallet keys and exfiltrates them to the attacker's back end -- which means the thieves will continue to have the ability to steal additional funds if the attack goes unnoticed and no remedial action is taken.

“This attack demonstrates how actors are changing their tactics to target the unique vulnerabilities of cryptocurrency's surrounding services and implementations,” said Yonathan Klijnsma, RiskIQ threat researcher and report author, in a company press release. “MEWKit combines the tactics of both traditional phishing attacks and the functionality of an ATS for a tailor-made way to clear the relatively low barriers of MyEtherWallet.”

Researchers believe the phishing tool, dubbed MEWKit, has been active in its current form since the beginning of 2018 and is built specifically to victimize MyEtherWallet (MEW) users because their wallets can interact directly with the crypto service via internet browsers, without the need to first set up internal accounts that can present additional security challenges for cybercriminals.

According to RiskIQ, MEWKit consists of an unofficial MyEtherWallet build -- likely manually downloaded from a repository like GitHub -- plus two added malicious JavaScript files, sm.js and wallet.js. The first script enables the phishing kit's back-end configuration (including wallet addresses for the receipt of stolen funds and data logs), while the second contains the core ATS functionality and hooks into the source of MyEtherWallet.

By hooking seamlessly into the code, MEWKit can perform a number of key functions that help lay the foundation for unauthorized transfers, while simultaneously concealing the attack from victims. These include disabling the button that lets users view their wallet information and balance, ensuring the button that starts a transaction disables all other buttons so the user can't leave the transaction, and altering visuals on the MyEtherWallet page all in an effort to induce a malicious transaction.

Once the victim decrypts his or her wallet via MyEtherWallet, that's when the actual ATS functionality commences, with the brunt of it happening in automated fashion on the client's side.

First, the malware makes note of the user's method of authentication and starts the automated transfer code and at least in some examples sends the wallet's private key to the malicious back-end. Next it checks the balance of the wallet; if it is more than zero, it proceeds to transfer funds to the designated attacker wallet, by virtually pressing the MyEtherWallet command buttons that a legitimate user normally would click.

"This kind of functionality -- enabling the theft of Ethereum in an automated way—is not something we've seen before in a phishing kit," states Klijnsma in the report.

The most notable attack involving MEWKit so far was an Apr. 24 incident in which cybercriminals performed a border gateway protocol hijacking in order to reroute traffic intended for Amazon's Route 53 DNS service to a Russian server in Russia. This server then resolved user queries to a phishing website created via MEWKit.

"The activity leading up to the BGP hijacking Amazon Route 53 shows the persistence of this actor and the campaigns it drives," concludes Klijnsma, noting that at least one MEWKit instance was found to share infrastructure with a number of other cryptocurrency-themed phishing pages. "With close to a hundred domains set up in a period of a few months, the associated costs of carrying out its attacks point to MEWKit being exceptionally successful and, although simple in technical sophistication, efficient at stealing Ethereum."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.