Popular Ethereum wallet provider MyEtherWallet was apparently hit with a regional DNS hijacking attack in the morning hours of April 24th. Not all MEW users were affected, but some were reportedly sent to a rogue server whose IP address appeared to be located in St. Petersburg, Russia. The technique itself is not crypto-specific, since the same attack could be aimed at any site, but upwards of 215 ether were diverted to the attacker's address, and whoever is responsible has already started moving the stolen ETH.
Sounding the Alarm
Word quickly spread that something was amiss with MEW after redditor u/MickySocaci posted a thread on r/Ethereum entitled “[WARNING] MyEtherWallet.com highjacked on Google Public DNS.”
In it, the user warned to “not use myetherwallet.com if you’re using Google Public DNS (220.127.116.11 / 18.104.22.168) at this moment, it seems these DNS servers are resolving the domain to a bad server that CAN steal your keys!”
They also provided a picture of the invalid certificate warning they witnessed:
Later, the Redditor edited in:
“Google Public DNS is now resolving the correct ips. Keep in mind the ttl of the old records was some 9000 seconds, we can expect some ISP’s to cache that for their clients.”
In other words, anyone relying on MEW, or any similar crypto site, needs to stay vigilant: check that the connection is HTTPS with a valid certificate for the exact domain every single time, and treat a browser certificate warning as a stop sign rather than something to click through. In this incident the rogue server could not present a valid certificate for myetherwallet.com, so the warning was the one signal users had that something was wrong. And because the bad records carried a TTL of roughly 9,000 seconds (about two and a half hours), a resolver that cached them kept handing them out well after the authoritative records were fixed.
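The two checks described above, reading the answers a resolver actually returned and working out how long a poisoned record lingers, as an added example that is not part of the original article or anything MyEtherWallet published. It parses a raw DNS response with the standard library, flags any A record that is not on a known-good list, and computes the remaining cache lifetime from the TTL. The response packet is constructed inline for the demonstration; the "known-good" address 203.0.113.10 and the rogue address 198.51.100.7 are documentation placeholders (RFC 5737), not MEW's or the attacker's real IPs.

```python
"""
Spot rogue A records in a DNS response and estimate how long a poisoned answer
can survive in resolver caches. Example code added to this article; it is not
from MyEtherWallet or the Reddit thread. The response below is constructed by
hand with placeholder addresses (RFC 5737 TEST-NET ranges), not the real MEW or
attacker IPs. Standard library only.
"""
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class ARecord:
    name: str
    ttl: int
    address: str


def _read_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                       # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(pkt: bytes) -> List[ARecord]:
    """Return the A records from the answer section of a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    off = 12
    for _ in range(qdcount):                  # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                              # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            records.append(ARecord(name, ttl, ".".join(str(b) for b in rdata)))
    return records


def find_rogue_records(pkt: bytes, expected: Set[str]) -> List[ARecord]:
    """Answers that point anywhere other than the operator's known-good IPs."""
    return [r for r in parse_a_records(pkt) if r.address not in expected]


def seconds_remaining(ttl: int, cached_at: int, now: int) -> int:
    """How much longer a resolver that cached the record at `cached_at` keeps
    serving it. A 9000-second TTL keeps a hijacked answer alive for 2.5 hours
    after the authoritative records are corrected."""
    return max(0, cached_at + ttl - now)


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_response(qname: str, answers: List[Tuple[str, int]]) -> bytes:
    """Construct a minimal DNS response (test data only) with (ip, ttl) A records.
    Answer names use a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for ip, ttl in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + body


if __name__ == "__main__":
    # Constructed scenario: 203.0.113.10 stands in for MEW's real address,
    # 198.51.100.7 for the rogue server, with the ~9000 s TTL from the thread.
    KNOWN_GOOD = {"203.0.113.10"}
    pkt = build_response("myetherwallet.com",
                         [("203.0.113.10", 300), ("198.51.100.7", 9000)])
    for rec in find_rogue_records(pkt, KNOWN_GOOD):
        print(f"ROGUE {rec.name} -> {rec.address} (ttl {rec.ttl}s)")
    print("stale for another", seconds_remaining(9000, cached_at=0, now=3600), "seconds")
```

In practice the packet would come from querying several public and ISP resolvers for the same name and feeding each reply through `find_rogue_records`; a resolver still returning the rogue address after the operator has fixed the zone is exactly the caching problem the redditor warned about.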
Also of note is that several users observed the attacker's (or attackers') IP address appearing to originate from St. Petersburg, Russia.
On Twitter, MyEtherWallet noted the attack was above their heads, as it were, and that they were working to verify servers as quickly as possible:
A couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 so that users were redirected to a phishing site. This is not on @myetherwallet's side; we are in the process of verifying which servers to get it resolved asap.
— MyEtherWallet | MEW (@myetherwallet) April 24, 2018
Tragically, the Damage Is Irreversible
This kind of DNS attack can and does happen to mainstream websites, as u/polezo aptly highlighted in the warning thread:
“This type of attack is not unique to crypto. DNS hijacking has happened to banks as well. Even local versions of Google, Paypal and Microsoft have been hijacked before.”
The difference is that customers of banks and large providers usually have some guarantee on their funds, and a fraudulent transfer can often be reversed or reimbursed. No such safety net exists in the still-maturing Wild West of crypto, where insurance practices have yet to take off and a transaction, once confirmed on the Ethereum chain, cannot be undone.
As it stands, then, the attacker "hijacked" 215 ether to this wallet address, which Etherscan has since labeled Fake_Phishing899. The funds have started moving to different addresses, with some ending up in this multi-million dollar wallet that has been associated with several recent phishing incidents in the cryptoverse.
Sadly, the victims have no recourse in sight. The episode is a painful reminder that black-hat attackers have an assortment of devastating techniques at their disposal, while everyday users are caught in the crossfire.
Hardware Wallets Highlighted
Many users began asking whether their funds would have been safe had they used MEW in conjunction with a cryptocurrency hardware wallet, such as a TREZOR or Ledger device, which MyEtherWallet describes on its site as the "recommended way to access your wallet."
Others, like u/yDN0QdO0K9CSDf, began pointing out that these devices would’ve identified the address misdirection ploy before a transaction confirmation:
“[I] believe the worst that can happen is they misdirect your payment to their own address, which would appear on your device for confirmation – so as long as you check that when sending – you’re fine.”
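Why the device screen catches the swap the redditor describes: the hardware wallet decodes the unsigned transaction bytes the web page hands it and displays the recipient and amount from those bytes, not from whatever the page rendered. The following is an added example, not code from the article, MEW, TREZOR or Ledger: a minimal RLP encoder/decoder for an unsigned EIP-155 legacy transaction and a check that compares the decoded recipient and value with what the user meant to send. The 0x11…11 and 0x22…22 addresses are placeholders standing in for the user's intended recipient and a phishing address; the gas values are arbitrary.

```python
"""
Decode the unsigned Ethereum transaction a web wallet hands to a hardware
device and check the recipient the device would display against what the user
meant to send. Example code added to this article, not MEW, TREZOR or Ledger
code. The addresses are placeholders (0x11..11 and 0x22..22), not real
accounts. Standard library only.
"""
from typing import Dict


def _len_prefix(n: int, offset: int) -> bytes:
    """RLP length prefix: short form for n < 56, otherwise length-of-length form."""
    if n < 56:
        return bytes([offset + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(nb)]) + nb


def rlp_encode(item) -> bytes:
    """RLP-encode a byte string or a (nested) list of byte strings."""
    if isinstance(item, bytes):
        if len(item) == 1 and item[0] < 0x80:
            return item                      # a single small byte is its own encoding
        return _len_prefix(len(item), 0x80) + item
    payload = b"".join(rlp_encode(x) for x in item)
    return _len_prefix(len(payload), 0xC0) + payload


def _decode_item(data: bytes):
    """Decode one RLP item; return (item, remaining bytes)."""
    if not data:
        raise ValueError("truncated RLP")
    b = data[0]
    if b < 0x80:
        return data[:1], data[1:]
    is_list = b >= 0xC0
    base = 0xC0 if is_list else 0x80
    if b < base + 56:                        # short form: length in the prefix byte
        ln, n = 0, b - base
    else:                                    # long form: prefix gives length-of-length
        ln = b - (base + 55)
        n = int.from_bytes(data[1:1 + ln], "big")
    start = 1 + ln
    payload, rest = data[start:start + n], data[start + n:]
    if len(payload) != n:
        raise ValueError("truncated RLP")
    if not is_list:
        return payload, rest
    items = []
    while payload:
        it, payload = _decode_item(payload)
        items.append(it)
    return items, rest


def rlp_decode(data: bytes):
    item, rest = _decode_item(data)
    if rest:
        raise ValueError("trailing bytes after RLP item")
    return item


def int_to_be(n: int) -> bytes:
    """Minimal big-endian encoding; zero is the empty string, as RLP requires."""
    return b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big")


def encode_unsigned_tx(nonce: int, gas_price: int, gas_limit: int, to: str,
                       value: int, data: bytes = b"", chain_id: int = 1) -> bytes:
    """EIP-155 unsigned legacy tx: [nonce, gasPrice, gasLimit, to, value, data, chainId, 0, 0]."""
    fields = [int_to_be(nonce), int_to_be(gas_price), int_to_be(gas_limit),
              bytes.fromhex(to[2:]), int_to_be(value), data, int_to_be(chain_id), b"", b""]
    return rlp_encode(fields)


def decode_unsigned_tx(raw: bytes) -> Dict[str, object]:
    """What a hardware wallet has to show the user: the fields actually being signed."""
    f = rlp_decode(raw)
    if not isinstance(f, list) or len(f) != 9 or len(f[3]) != 20:
        raise ValueError("not an unsigned EIP-155 legacy transaction")
    return {"nonce": int.from_bytes(f[0], "big"),
            "gas_price": int.from_bytes(f[1], "big"),
            "gas_limit": int.from_bytes(f[2], "big"),
            "to": "0x" + f[3].hex(),
            "value": int.from_bytes(f[4], "big"),
            "data": f[5],
            "chain_id": int.from_bytes(f[6], "big")}


def device_confirms(raw: bytes, intended_to: str, intended_value_wei: int) -> bool:
    """The on-device prompt is built from `raw`, not from the web page. Approving
    is only safe if the decoded recipient and amount match the user's intent."""
    tx = decode_unsigned_tx(raw)
    return tx["to"].lower() == intended_to.lower() and tx["value"] == intended_value_wei


if __name__ == "__main__":
    INTENDED = "0x" + "11" * 20              # placeholder: where the user wants to pay
    ATTACKER = "0x" + "22" * 20              # placeholder: what a phishing page substitutes
    ONE_ETH = 10 ** 18
    honest = encode_unsigned_tx(7, 20 * 10 ** 9, 21000, INTENDED, ONE_ETH)
    swapped = encode_unsigned_tx(7, 20 * 10 ** 9, 21000, ATTACKER, ONE_ETH)
    for label, raw in (("honest page", honest), ("phishing page", swapped)):
        shown = decode_unsigned_tx(raw)
        verdict = "OK" if device_confirms(raw, INTENDED, ONE_ETH) else "REJECT"
        print(f"{label}: device shows to={shown['to']} value={shown['value']} wei -> {verdict}")
```

The protection only works if the user actually reads the address on the device and compares it to the one they intended to pay; a phishing page that has the user's browser session can put any recipient into the bytes it sends for signing, and the device will faithfully display that recipient.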
This MEW episode is yet another reminder of why users holding non-trivial amounts of cryptocurrency should take every available security precaution, from verifying certificates to confirming recipient addresses on a hardware device.
Whatever happens from here, Bitsonline will keep you posted on this story as it continues to develop.
Do you always check for valid certificates when you visit crypto sites? Are you worried about further DNS hijacks? Let us know in the comments below.
Images via u/MickySocaci, PYMNTS