On April 24, 2018 the prevalent Ethereum wallet MyEtherWallet endured a phishing attack on its Public DNS. An attack on the DNS (domain name system) took the wallet clients onto some unseemly servers that resulted in the leakage of their login credentials.
MyEtherWallet confirmed the hack in an official statement on Reddit.
“It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site. This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system”
Hackers misused vulnerabilities in two fundamental internet protocols that route internet traffic around the globe, the Border Gateway Protocol (BGP) and the Domain Name System (DNS). Such attacks are common, but in this attack hackers influenced services from Amazon, Google, and major internet service providers in the process. Security specialist Kevin Beaumont called it the biggest assault of its kind he has seen. MyEtherWallet clients saw something fishy when they visited wallet’s site and got a warning saying it was utilizing an invalid security certificate. One client on Reddit revealed seeing the warning, yet continuing to sign in at any rate since the site address and everything else about the administration gave off an impression of being fine. In the wake of signing in, a 10-second clock showed up, checking down to the wallet’s assets being exchanged out to the hacker. “I have no idea what happened,” Reddit user Rotistain posted.
The traffic of MyEtherWallet.com, a cryptocurrency website was redirected to a server hosted in Russia by hackers. They used a fake certificate and also stole the cryptocoins. The following tweet from Oracle Internet Intelligence which monitors the performance of internet is showing the routes of traffic.
BGP hijack this morning affected Amazon DNS. eNet (AS10297) of Columbus, OH announced the following more-specifics of Amazon routes from 11:05 to 13:03 UTC today:
205.251.192.0/24
205.251.193.0/24
205.251.195.0/24
205.251.197.0/24
205.251.199.0/24
— InternetIntelligence (@InternetIntel) April 24, 2018
Within two hours, MyEtherWallet had issued a declaration recognizing that its clients had been diverted to a fake site (though mistakenly relegating fault to hijack of Google DNS rather than Amazon DNS):
Correction: the BGP hijack this morning was against AWS DNS not Google DNS. https://t.co/gp3VLbImpX
— InternetIntelligence (@InternetIntel) April 24, 2018
MEW has advised clients to run a local copy of MEW. Since a majority of targeted users were using Google DNS servers, it has advised users to move to Cloudflare DNS servers. It has also asked users to make sure there is a green bar SSL certificate that says “MyEtherWallet Inc” before using MEW.
Amazon AWS say:
This issue was caused by a problem with a third-party Internet provider. The issue has been resolved and the service is operating normally.
