MEWKit Phishing Campaign Targets Online Ethereum Wallets

Security researcher Yonathan Klijnsma found that a criminal group devised an “automated transfer system” (ATS) for a phishing campaign that specifically targets Ethereum wallets by mimicking the MyEtherWallet (MEW) website’s front end. The technique allows the actors to drain the wallet in seconds as the user continues with a seemingly routine exchange, and even stores their login credentials for subsequent fund collection.

Dubbed MEWKit, the phishing campaign imitates the front end of the open source project website MyEtherWallet to capture the user's details and steal credentials. Once the users start to decrypt their wallets, scripts are injected into the active sessions to hide bank transfers. From the back end, MEWKit allows the cybercriminals to monitor how much Ethereum has been collected. Since the criminals already have the victims' credentials, they can continuously remain hidden and steal additional funds from the victims’ accounts.

The MEW site’s simplicity and ease of access make it a preferred target among cryptocurrency criminals. It lacks the advanced security configurations compared to other bank and exchange platforms with layers of authentication, as demonstrated by the April 2018 man-in-the-middle attack wherein the cybercriminals rerouted traffic supposedly directed to Amazon Route 53. In this latest campaign, they also used Google Adwords to promote the fake website and appear on “myetherwallet” keyword searches. And though no specific group has been identified, the researchers reported that the actors have been operating for some time and that some of the IP addresses are based in Russia.

Security analysts are advising caution when opening URLs inserted into emails and ads on websites. Here are a few steps to protect yourself from phishing scams:

  • Pay attention to the URL before clicking on links. It would be better if you type the URL directly, or bookmark the correct page for easier navigation instead of clicking on links in email or social media
  • Enable multi-factor authentication (MFA) for your systems. While it is not foolproof, the additional layers of authentication can deter cybercriminals from accessing accounts

[Read: When phishing starts from the inside]


Trend Micro solutions can protect users and the enterprise from phishing scams with its InterScan™ Web Security Virtual Appliance, scanning and blocking online threats, spam and targeted email attacks from the gateway. Whether on-premise or in the cloud as a service, its superior protection, advanced threat detection and web protection enable you visibility and control on employee internet usage, real-time reporting, centralized management, and data loss prevention.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.