Meet MEWKit, a tricky phishing attack draining Ethereum wallets

Another day, another phishing attack trying to steal Ethereum cryptocurrency but this time there is a twist since the scam involves a completely different method.

The sudden surge in the price of Bitcoin last year lifted other cryptocurrencies such as Ethereum and Monero as well, but with fame comes haters. This time, IT security researchers at RiskIQ have discovered a new kind of phishing attack that directly steals Ethereum from users of MyEtherWallet; the haters are the malicious hackers behind it.

Dubbed MEWKit by the researchers [PDF], the attack uses MyEtherWallet as bait and tricks Ethereum investors into signing in on a cloned version of the website so that their credentials can be stolen. For those unfamiliar with MyEtherWallet, it is a free, open-source, client-side interface for generating Ethereum wallets.

Once the victim signs in on the fake homepage, MEWKit activates an “automated transfer system” (ATS) that processes the details captured by the fake page and immediately transfers Ethereum out of the victim’s wallet.


The kit also injects scripts into active web sessions and secretly executes transfers seconds after the victim signs in to their cryptocurrency account on the infected device. This is possible because, once a user signs in, MEWKit checks the wallet’s balance and requests a receiver address from the command and control (C&C) server.

The attack abuses standard MyEtherWallet functionality: it sets a wallet controlled by the attackers as the receiving address and transfers out the victim’s entire balance.
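The drain sequence described above (login, balance check, C&C-supplied receiver address, full-balance transfer, all within seconds) has a recognisable shape on the wallet side. The following is an added example written for this article, not code from the original page or from RiskIQ's report: a client-side transaction guard that scores a proposed transfer against that shape before it is signed. The official hostname, the thresholds, the addresses and the balances are constructed assumptions for illustration.

```javascript
// Added example, not code from the article or from RiskIQ's report: a
// wallet-side transaction guard that flags the drain pattern the kit uses.
// The official hostname, the thresholds and the sample data below are
// assumptions constructed for illustration.
const OFFICIAL_HOST = "www.myetherwallet.com";   // assumed legitimate origin
const SWEEP_PERCENT = 95;                         // assumed "whole balance" cut-off
const MIN_SECONDS_AFTER_LOGIN = 30;               // assumed human reaction floor

// Review one proposed outgoing transfer before it is signed.
//   session: { origin: page URL the request came from, loginAt: ms timestamp }
//   wallet:  { balance: BigInt wei, knownRecipients: [addresses paid before] }
//   tx:      { to, value, gasLimit, gasPrice (wei, as strings), requestedAt: ms }
// Returns { block: boolean, reasons: [...] } so the caller can refuse or warn.
function reviewTransfer(session, wallet, tx) {
  const reasons = [];

  // 1. Origin: the kit serves its page from a cloned site, not the real one.
  let host = "";
  try { host = new URL(session.origin).hostname.toLowerCase(); } catch { /* keep "" */ }
  if (host !== OFFICIAL_HOST) reasons.push("unexpected-origin");

  // 2. Recipient: an address handed down by a C&C server is one the user has
  //    never paid before, so require a well-formed address already in history.
  const to = String(tx.to || "").toLowerCase();
  const known = wallet.knownRecipients.map(a => a.toLowerCase());
  if (!/^0x[0-9a-f]{40}$/.test(to)) reasons.push("malformed-recipient");
  else if (!known.includes(to)) reasons.push("new-recipient");

  // 3. Sweep: value plus gas equal to (almost) the entire balance is the
  //    "transfer out the victim's entire balance" behaviour described above.
  const gasCost = BigInt(tx.gasLimit) * BigInt(tx.gasPrice);
  const spend = BigInt(tx.value) + gasCost;
  if (spend > wallet.balance) {
    reasons.push("insufficient-balance");
  } else {
    const pct = wallet.balance > 0n ? Number((spend * 100n) / wallet.balance) : 100;
    if (pct >= SWEEP_PERCENT) reasons.push("balance-sweep");
  }

  // 4. Timing: an ATS fires within seconds of login; a person takes longer.
  const secondsSinceLogin = (tx.requestedAt - session.loginAt) / 1000;
  if (secondsSinceLogin < MIN_SECONDS_AFTER_LOGIN) reasons.push("too-fast-after-login");

  return { block: reasons.length > 0, reasons };
}

// Constructed sample data (not real addresses, balances or infrastructure).
const ONE_ETH = 1_000_000_000_000_000_000n;
const WALLET = {
  balance: 2n * ONE_ETH,
  knownRecipients: ["0x1111111111111111111111111111111111111111"],
};
const LOGIN_AT = 1_600_000_000_000;
const GAS = { gasLimit: "21000", gasPrice: "20000000000" }; // 21000 gas * 20 gwei

// A legitimate-looking transfer from the real site: 0.1 ETH to a known address,
// five minutes after login.
const LEGIT = {
  session: { origin: "https://www.myetherwallet.com/", loginAt: LOGIN_AT },
  tx: { to: WALLET.knownRecipients[0], value: (ONE_ETH / 10n).toString(),
        ...GAS, requestedAt: LOGIN_AT + 5 * 60 * 1000 },
};

// The drain pattern: cloned host, unknown recipient, whole balance minus gas,
// four seconds after login.
const DRAIN = {
  session: { origin: "https://myetherwallet.example-cloned.test/", loginAt: LOGIN_AT },
  tx: { to: "0x2222222222222222222222222222222222222222",
        value: (2n * ONE_ETH - 21000n * 20_000_000_000n).toString(),
        ...GAS, requestedAt: LOGIN_AT + 4 * 1000 },
};

// Runs both samples through the guard so the results can be inspected.
function runSamples() {
  return {
    legit: reviewTransfer(LEGIT.session, WALLET, LEGIT.tx),
    drain: reviewTransfer(DRAIN.session, WALLET, DRAIN.tx),
  };
}
```

Calling `runSamples()` returns no reasons for the legitimate transfer and four for the drain (`unexpected-origin`, `new-recipient`, `balance-sweep`, `too-fast-after-login`). None of the four signals is conclusive on its own; a first payment to a new address is normal, and a user may legitimately empty a wallet. The point is that the kit produces all of them at once, which is why a guard that requires explicit confirmation when several fire together catches this pattern without blocking ordinary use.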

According to RiskIQ researchers, the cybercriminal community favours MyEtherWallet as a target because it is one of the most used websites for Ethereum-related business and because it pairs user-friendly functionality with relatively weak security.

“This attack demonstrates how actors are changing their tactics to target the unique vulnerabilities of cryptocurrency’s surrounding services and implementations,” said Yonathan Klijnsma, Threat Researcher at RiskIQ. “MEWKit combines the tactics of both traditional phishing attacks and the functionality of an ATS for a tailor-made way to clear the relatively low barriers of MyEtherWallet.”

As of now, RiskIQ researchers have not determined which cybercriminal group is behind the MEWKit attack. However, after analyzing some of the IP addresses used in the campaign, they suggest that it is being run from Russia “by a native Russian speaker who is familiar with financial terms.”

The cybersecurity firm is urging MyEtherWallet users to watch out for the ongoing attack and to check the URL of any site before signing in. Additionally, bookmark the official MyEtherWallet website in your browser and do not open or click links sent in unsolicited emails or by unknown social media profiles.

You can view RiskIQ’s full report here.

Image credit: Depositphotos

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.