This cryptocurrency phishing attack uses new trick to drain wallets

Campaign uses automation to empty cryptocurrency wallets and produce lucrative returns.
Written by Danny Palmer, Senior Writer

A criminal group keen to take advantage of the potentially lucrative opportunities offered by the boom in cryptocurrency has developed a sophisticated new scheme to hijack Ethereum wallets and steal the contents in a first-of-its-kind attack.

Dubbed MEWKit by security researchers at security company RiskIQ who uncovered it, the phishing campaign mimics the front end of the MyEtherWallet website for the purpose of stealing credentials, while also deploying what the authors call an "automated transfer system" to process the details captured by the fake page and transfer funds.

The attack injects scripts into active web sessions and silently and invisibly executes bank transfers just seconds after the user logs into their cryptocurrency account.

Researchers note that MyEtherWallet is an appealing target for attackers because it is simple to use, but its lack of security compared to other banks and exchanges make it a prominent target for attack.

Once the user hits a MEWKit page, the phishing attack gets underway with credentials including logins and the private key of the wallet being logged by the attackers.

After that, the crooks look to drain accounts when the victim decrypts their wallet. The scam uses scripts which automatically create the fund transfer by pressing the buttons like a legitimate user would, all while the activity remains hidden -- it's the first time an attack has been seen to use this automated tactic.

See also What is phishing? How to protect yourself from scam emails and more

"This attack demonstrates how actors are changing their tactics to target the unique vulnerabilities of cryptocurrency's surrounding services and implementations," said Yonathan Klijsnma, threat researcher at RiskIQ.

"MEWKit combines the tactics of both traditional phishing attacks and the functionality of an [automated transfer service] for a tailor-made way to clear the relatively low barriers of MyEtherWallet."

The back end of MEWKit allows the attackers to monitor how much Ethereum has been collected, as well as keeping a record of private user keys and passwords which can potentially be used for further attacks.

Those behind MEWKit appear to have been active for some time and have carried out some sophisticated campaigns. Researchers say MewKit demonstrates a "new dedicated effort from threat actors to pursue cryptocurrency" and that the campaign is "highly lucrative and will continue to be in operation for the foreseeable future".

Researchers haven't been able to pin down the criminal group or groups behind the attacks, but the location of some of the IP addresses involved in the redirection of wallets suggests that the operation is "by a native Russian speaker who is familiar with financial terms".

In order to avoid falling for this form of attack, RiskIQ urges all MyEtherWallet users to use caution when using the platform.

"Please keep a very close eye on which URL you open, and, preferably, have a bookmarked page for MyEtherWallet or type the domain name yourself," warns the report, which also tells users not to use links claiming to be the service that have been sent via email or social media.


Editorial standards