Breaking: MyEtherWallet Website DNS Poisoned by Hacker

MyEtherWallet’s DNS was compromised by a hacker who stole more than $150,000 in Ether from over a hundred different wallets in a sophisticated phishing attack.


by
Miguel Gomez,
2 hrs ago









×

.modalimagetarget:hover {opacity: 0.7;}

.modalImg {
display: none;
position: fixed;
z-index: 10000;
padding-top: 100px;
left: 0;
top: 0;
width: 100%;
height: 100%;
overflow: auto;
background-color: rgb(0,0,0);
background-color: rgba(0,0,0,0.9);
}

.modalImg .modal-content {
margin: auto;
display: block;
width: 80%;
max-width: 700px;
}

.modalImg .caption {
margin: auto;
display: block;
width: 80%;
max-width: 700px;
text-align: center;
color: #ccc;
padding: 10px 0;
height: 150px;
}

.modalImg .modal-content, .modalImg .caption {
-webkit-animation-name: zoom;
-webkit-animation-duration: 0.6s;
animation-name: zoom;
animation-duration: 0.6s;
}

@-webkit-keyframes zoom {
from {-webkit-transform:scale(0)}
to {-webkit-transform:scale(1)}
}

@keyframes zoom {
from {transform:scale(0)}
to {transform:scale(1)}
}

.modalImg .close {
position: absolute;
top: 15px;
right: 35px;
color: #f1f1f1;
font-size: 40px;
font-weight: bold;
transition: 0.3s;
}

.modalImg .close:hover,
.modalImg .close:focus {
color: #bbb;
text-decoration: none;
cursor: pointer;
}

@media only screen and (max-width: 700px){
.modalImg .modal-content {
width: 100%;
}
}

MyEtherWallet and its users just fell victim to a sophisticated attack that involved hijacking the website’s domain name service.

According to a post on Reddit, people using Google’s public DNS servers were getting the wrong IP address for the MEW website.Instead of going to the usual CloudFront content distribution network address, visitors were sent to a Russian IP address running a web server. When they navigated to the site, they were met with something that mimicked MEW, prompting them to provide their private keys for their wallets.

The hacker’s address was found, labeled “Fake_Phishing899” by Etherscan, a service that allows people to pull up addresses on the Ethereum blockchain and find information on their transactions.

A total of 180 transactions took place at the address, including a cash-out of 215 Ether (~$150,000) that eventually spread to several other addresses. It’s possible that all the money has been laundered through another cryptocurrency already.

Users on Reddit replying to the thread suggested using an offline version of the site or downloading MEW and Parity from Github to run a full node. Both of these measures, however, are preventative. There is no way for the current victims to reclaim their losses.

This advanced form of phishing caught more than a hundred people off guard, dwarfing events in the past involving the website. In another phishing attack in October of last year, hackers made off with $15,000 in Ether as a result of an email-based non-targeted phishing campaign within two hours.

But as far as the current attack is concerned, it could have easily been prevented by looking at the address bar for a green lock with “MyEtherWallet Inc (US)” on it. This would indicate that the site you’re visiting has an OV or EV certificate (which is virtually impossible to replicate) belonging to MyEtherWallet.

Although most websites just have the word “Secure” next to the green lock—which is indicative of a domain validation (DV) certificate—MyEtherWallet and other financial application developers take this a step further and get organizational (OV) or extended validation (EV) certificates, which prove that a vetted organization is currently in charge of the domain.