SAN FRANCISCO, May 18 — A San Francisco-based cyber security firm Thursday revealed a report showing how hackers attacked an Amazon DNS server and stole users’ crypto currency last month.
RiskIQ, a global leader in digital threat management, profiled in the report a phishing automated transfer system (ATS) dubbed MEWKit, which targeted users of the crypto currency Ethereum exchange MyEtherWallet, and stole their virtual currency.
The report said the newly discovered attack presents an entirely new threat to the crypto currency landscape, which exceeded “the capabilities of a typical phishing kit by leveraging characteristics of ATS malware to access and steal victims’ Ethereum funds directly from the exchange.”
The attackers set up a phishing page mimicking the MyEtherWallet site and cheated users to log in, said the report.
MEWKit simply abused MyEtherWallet’s unique access to the Ethereum network to make the transactions in the background.
Once a user logs in, MEWKit checks their wallet’s balance and requests a receiver address from the server side, and then leverages the standard MyEtherWallet functionality by setting the attacker-owned wallet as the receiving address and transferring out the victim’s entire fund, said the report.
RiskIQ researchers discovered a link to the infamous attack on April 24, when hackers rerouted a significant portion of traffic intended for IP addresses operated by Amazon Web Services’ DNS service, known as Route 53.
Hackers made off with about 152,000 U.S. dollars worth of Ether in the attack that exploited weaknesses in DNS servers serving MyEtherWallet, earlier media reports said.
DNS is a service that connects domain names of a website to whatever IP address it’s hosted on.