MyEtherWallet DNS Server HACKED: 215 Ether Stolen In Phishing Attack!
MyEtherWallet, a widely used client-side Ethereum web wallet interface, fell prey to a DNS server hijacking scheme. The attack occurred on Tuesday when a hacker hijacked MyEtherWallet's domain name registration server and redirected MyEtherWallet.com visitors to a malicious copy of the website, which phished users' private keys when they entered them into the fake site.
Over the course of the attack, the wallet associated with the phishing site received over 215 Ether, currently worth $151,327. The funds were then moved to another wallet holding $17,000,000, or 24,100 ETH. The tokens were sent to ETH address 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29; at 10:15 the attacker then sent 215 ETH to 0x68ca85dbf8eba69fb70ecdb78e0895f7cd94da83.
A Reddit user described how this unfolded right before their eyes:
“So I double checked the url address, triple checked it, went on google, got the url. Used EAL to confirm it wasn't a phishing site. And even though every part of my body told me not to try and log in, I did. As soon as I logged in, there was a countdown for about 10 seconds and a tx was made sending the available money I had on the wallet to another wallet, ‘0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29.’”
MyEtherWallet tweeted that a “couple” of its DNS servers had been hacked and that users risked being redirected to a phishing site this morning, April 24. MEW is now verifying which servers were targeted and is working to resolve the hack “asap,” they added.
How Did This Happen?
“The attackers don’t seem to have compromised MyEtherWallet itself. Instead, they attacked the infrastructure of the internet, intercepting DNS requests for myetherwallet.com to make the Russian server seem like the rightful owner of the address. Most of the affected users were employing Google’s 18.104.22.168 DNS service. However, because Google’s service is recursive, the bad listing was likely obtained through Amazon’s “Route 53” system.
To intercept those requests, the hackers used a technique known as BGP hijacking, which spreads bad routing information as a way of intercepting traffic in transit. Typically, pulling off such a hijack requires hacking into the BGP servers operated by an ISP or other internet infrastructure provider. In this case, the hijack occurred in the vicinity of an internet exchange in Chicago, although the root of the compromise is still unknown. Thus far, MyEtherWallet is the only confirmed service to have been attacked, although a number of other services were likely also affected by the redirect. BGP hijacking has long been known as a fundamental weakness in the internet, which was designed to accept routing without verification. DNS attacks are also common, and they were used by the Syrian Electronic Army for a string of website defacements in 2013. Still, it’s highly unusual for both BGP and DNS vulnerabilities to be used in concert, particularly in such a high-profile theft. “This is the largest scale attack I have seen which combines both,” said researcher Kevin Beaumont in a post running down the attack, “and it underscores the fragility of internet security.”” Stated by theverge.com
Statement From The Company
MEW said in a statement that “a couple of Domain Name System registration servers were hijacked around My 12PM UTC 24 April to redirect users to a phishing site.” Not all visitors to the site during the hijack were impacted, but MEW said that “a majority” of those who were had been using Google’s DNS. “We are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible,” the company added, confirming that it has since secured its website. The company recommends that those who had been using Google DNS switch to Cloudflare’s.
“Users, PLEASE ENSURE there is a green bar SSL certificate that says ‘MyEtherWallet Inc’ before making any transactions. We advise users to run a local (offline) copy of the MEW (MyEtherWallet). We urge users to use hardware wallets to store their cryptocurrencies,” it said in a Reddit statement.
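The two checks MEW's advice relies on, spotting a resolver that hands back an address nobody else returns and confirming the certificate actually carries the expected organization name, as an added example that is not code from the article or from MEW. The resolver answers, IP addresses (RFC 5737 documentation ranges) and certificate dicts are constructed sample data; `live_check` is a hypothetical helper that needs network access.

```python
import ssl
import socket

# Constructed sample: what two public resolvers answered for the wallet domain
# during an incident like this one (addresses are documentation ranges, not real ones).
SAMPLE_ANSWERS = {
    "google":     {"192.0.2.10"},     # poisoned answer (constructed)
    "cloudflare": {"198.51.100.5"},   # legitimate answer (constructed)
}
EXPECTED_IPS = {"198.51.100.5"}       # constructed allow-list of known-good addresses

# Constructed certificate dicts in the layout ssl.SSLSocket.getpeercert() returns.
SAMPLE_PHISHING_CERT = {
    "subject": ((("commonName", "myetherwallet.com"),),),   # DV cert: no organizationName
    "subjectAltName": (("DNS", "myetherwallet.com"),),
}
SAMPLE_EV_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "MyEtherWallet Inc"),),
                (("commonName", "www.myetherwallet.com"),)),
    "subjectAltName": (("DNS", "myetherwallet.com"), ("DNS", "www.myetherwallet.com")),
}


def suspicious_resolvers(answers, expected_ips):
    """Return the resolvers whose answer set contains any address outside the allow-list."""
    return sorted(name for name, ips in answers.items() if not ips <= expected_ips)


def cert_organization(cert):
    """Extract organizationName from a getpeercert()-style dict, or None if absent (DV cert)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def cert_matches_org(cert, expected_org):
    """True only if the certificate carries the expected organizationName (the 'green bar' check)."""
    return cert_organization(cert) == expected_org


def live_check(host, expected_org, port=443):
    """Hypothetical helper: connect to host and apply the organization check to its real certificate."""
    ctx = ssl.create_default_context()   # verifies the chain and hostname before getpeercert() fills in
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_matches_org(tls.getpeercert(), expected_org)


if __name__ == "__main__":
    print("resolvers with unexpected answers:", suspicious_resolvers(SAMPLE_ANSWERS, EXPECTED_IPS))
    print("EV cert org ok:", cert_matches_org(SAMPLE_EV_CERT, "MyEtherWallet Inc"))
    print("phishing cert org ok:", cert_matches_org(SAMPLE_PHISHING_CERT, "MyEtherWallet Inc"))
```

A resolver that disagrees with the allow-list is the signal to stop and compare against a second resolver before typing a key anywhere; the certificate check catches the domain-validated certificate a phishing copy can obtain for a hijacked name.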
When it comes to cryptocurrencies, users need to understand that the internet has vulnerabilities and that attackers will exploit them if found. One way to keep yourself safe is to store your coins on a hardware wallet such as a Ledger, alongside desktop wallets and paper wallets.
What do you think of this attack? Please comment below!