Hackers Hijacked DNS Servers to Steal from MyEtherWallet Users ($150K Stolen)
Last night, MyEtherWallet users were being redirected to a server in Russia. While many noticed an unsigned SSL certificate, they proceeded to the malicious website without much thought. It now appears that everyone who clicked through this certificate during the two hours that the attack lasted has had their coins stolen.
MyEtherWallet users advised to switch from Google to Cloudflare DNS servers
The popular wallet interface apparently fell to a DNS hijacking attack that allowed hacker(s) to redirect users to a malicious version of the website and phish their private keys to steal their money. "It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site," MyEtherWallet confirmed in a statement.
DNS hijacking or redirecting is a popular and well-known hacking technique that undermines the routing system, misleading users into visiting a malicious clone of the original website. "This is not due to a lack of security on the @myetherwallet platform," the firm said. "It is due to hackers finding vulnerabilities in public facing DNS servers."
The company added that it is currently in the process of verifying which servers were targeted to resolve this issue. In the meantime, users are advised to run a local copy of MEW. Since a majority of targeted users were using Google DNS servers, MyEtherWallet has advised users to move to Cloudflare DNS servers.
Affected users are likely those who have clicked the "ignore" button on an SSL warning that pops up when they visited a malicious version of the MEW website.
Inherent flaws in the internet routing system led to first of many expected large-scale attacks
The company in its statement has said that there is no issue with its own security protocols as hackers used the decades-old technique of the redirecting of DNS servers to phish users. Also referred to as route hijacking or IP hijacking, BGP hijacking is considered as a fundamental weakness in the internet routing system as it enables illegitimate takeover of groups of IP addresses by corrupting internet routing tables maintained using the Border Gateway Protocol (BGP).
In this case, too, hackers didn't have to break into MEW, as they attacked the infrastructure of the internet to intercept DNS requests for MEW, leading users to a malicious site hosted in Russia.
"Between 11am until 1pm UTC today, DNS traffic - the phone book of the internet, routing you to your favourite websites - was hijacked by an unknown actor," security expert Kevin Beaumont wrote. The attackers used BGP to reroute traffic to Amazon’s Route 53 service, the largest commercial cloud provider, using a man in the middle attack using a server at Equinix in Chicago, he explained. "From there, they served traffic for over two hours."
While security vulnerabilities in BGP and DNS are well known, Beaumont said this is probably the largest scale attack and "it underscores the fragility of internet security."
Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users burning themselves from self-signed certs.
— Patryk Szczygłowski (@epatryk) April 24, 2018
Current estimates put the stolen funds at about 215 ETH (~$150,000). While this particular attack appears to have been contained, the criminals' account already has over $20 million, confirming they aren't new to this game.