MyEtherWallet users robbed after successful DNS hijacking attack


Unknown attackers have managed to steal approximately $150,000 in Ethereum from a number of MyEtherWallet (MEW) users, after having successfully redirected them to a phishing site posing as MyEtherWallet.com.


The redirection was seamless, and the only indication that the phishing site was not what it pretended to be was the warning shown to visitors saying that the TLS certificate used by the site was signed by an unknown authority (i.e., was self-signed).

Those who chose to ignore the warning, accept the certificate and proceed with their business through the phishing site had their private keys stolen and their funds taken by the attackers.

How did it happen?

MyEtherWallet.com uses Amazon’s Route 53 DNS service.

“The attackers used BGP [Border Gateway Protocol] — a key protocol used for routing internet traffic around the world — to reroute traffic to Amazon’s Route 53 service,” researcher Kevin Beaumont explained.

“They re-routed DNS traffic using a man in the middle attack using a server at Equinix in Chicago. From there, they served traffic for over two hours. This would allow them to intercept traffic globally across the internet to Amazon Route 53 customers.”

It also allowed them to redirect traffic meant for MyEtherWallet.com to the lookalike phishing site, hosted on a server in Russia.

Cloudflare’s Louis Poinsignon has provided a more detailed explanation of the steps involved in the attack.


As far as we know, MyEtherWallet and its customers were the only targets in this attack.

“This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks,” MEW explained in the official statement published after the attack.

“This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”

Amazon made sure to point out that neither AWS nor Amazon Route 53 were hacked or compromised.

“An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain,” they explained.

The ISP in question is Ohio-based eNet.

Equinix also piped up to say that the server used for the attack was not one of theirs, but customer equipment deployed at one of their Chicago IBX data centers. “We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment. Our role is to provide the best environment possible for our customers to transform their business,” they noted.

Who’s behind the attack?

The attack against MEW netted the attackers just over $150,000 in Ethereum, but the amount of currency contained in the wallet to which the stolen funds were sent was around £20 million/$17 million before the attack. As Beaumont noted, whoever they are, they are not poor.

He also posited that there might have been other targets.

“Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access.”

What now?

Securing BGP might be a difficult proposition but, as Cloudflare systems engineer Patryk Szczygłowski noted, implementing DNSSEC and HSTS would have helped minimize the effectiveness of this type of attack:

Unfortunately, MyEtherWallet users who fell for this phishing scheme have no way of getting their funds back. MEW also warned them to be on the lookout for possible subsequent scams.

“We urge users to ignore any tweets, reddit posts, or messages of any kind which claim to be giving away or reimbursing ETH on behalf of MEW,” they said, and advised them to run a local (offline) copy of the MEW and to use hardware wallets to store their cryptocurrencies.
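As an added illustration of the BGP-side defence the article says is hard to deploy, the following is route origin validation (RPKI-style, RFC 6483) run over constructed announcements shaped like the ones Amazon describes: a subset of a victim's address space announced by an ISP's ASN. This is example code added here, not code from the article, Amazon, Cloudflare or MEW; the prefixes and AS numbers are documentation placeholders (RFC 5737, RFC 5398), not Route 53's real ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: which ASN may originate a prefix, and how specific it may be."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed ROA table (placeholder values, not Amazon's real Route 53 prefixes).
ROAS = [
    Roa("198.51.100.0/24", 24, 64500),  # the "Route 53 owner" in this toy scenario
    Roa("203.0.113.0/24", 24, 64501),
]


def validate(announced_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Route Origin Validation verdict: 'valid', 'invalid' or 'not_found'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not_found"  # no ROA covers the prefix, so RPKI gives no verdict
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA, but the origin ASN is wrong or the announcement is more
    # specific than the holder authorized: the shape of the hijack described above.
    return "invalid"


def flag_hijacks(announcements, roas=ROAS):
    """Return the (prefix, origin_asn) pairs a ROV-enforcing router would drop."""
    return [(p, asn) for p, asn in announcements if validate(p, asn, roas) == "invalid"]


# Constructed BGP UPDATE summaries as (prefix, origin ASN) pairs.
SAMPLE_ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # legitimate origin, authorized length
    ("198.51.100.0/25", 64511),    # more-specific from an unrelated ASN: the hijack pattern
    ("198.51.100.128/25", 64500),  # right holder but too specific: still invalid under maxLength
    ("192.0.2.0/24", 64502),       # no ROA at all: not_found, so ROV stays silent
]

if __name__ == "__main__":
    for prefix, asn in flag_hijacks(SAMPLE_ANNOUNCEMENTS):
        print(f"reject {prefix} from AS{asn}")
```

Origin validation only checks the last ASN in the path, so a hijacker who forges the legitimate origin ASN passes it; that limitation is one reason the DNSSEC and HSTS advice quoted above still matters.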