Cryptocurrency service MyEtherWallet fell victim to a complex man-in-the-middle attack this week that saw the theft of nearly $152,000 worth of Ethereum. For about two hours on Tuesday (24 April), users attempting to connect to the service were redirected to a phishing website, where their login credentials were stolen and their wallets emptied.
The hackers managed to pull off a Border Gateway Protocol (BGP) hijacking attack and reroute traffic intended for Amazon's Route 53 Service to a second server inside an Equinix data center in Chicago and then to a server in Russia that served up a fake website. The attacker managed to do this by hijacking “a couple” of Domain Name System registration servers.
Visitors were directed to a phishing website, disguised as the real MyEtherWallet.com, that used an untrusted TLS/SSL certificate. This means victims had to click through an HTTPS error message. However, many failed to heed the warning, clicked through and logged in as usual, which led to their credentials being compromised.
"This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers," MyEtherWallet said in a statement on Reddit.
"Affected users are likely those who have clicked the 'ignore' button on an SSL warning that pops up when they visited a malicious version of the MEW website. We are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible."
Amazon and Equinix stated that their servers were not compromised in the incident and reiterated that the attack was due to a malicious actor compromising an upstream Internet Service Provider (ISP).
“Neither AWS nor Amazon Route 53 were hacked or compromised,” an AWS representative said in a statement. “An upstream Internet Service Provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.”
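The routing behaviour the AWS statement describes, shown as an added illustrative simulation that is not code from the article, AWS or MyEtherWallet: longest-prefix match lets a more-specific prefix announced by an unauthorized origin capture traffic for an address inside the legitimate block, and RPKI-style route origin validation (not mentioned in the article; assumed here as the mitigation) rejects that announcement. The prefixes and ASNs are constructed placeholders from documentation and private-use ranges.

```python
import ipaddress

# Constructed sample data (not from the article): a legitimate /23 that
# covers the resolver address, plus a rogue more-specific /24 from another AS.
LEGIT_ASN, ROGUE_ASN = 64500, 64510          # private-use ASNs, placeholders
ANNOUNCEMENTS = [
    ("192.0.2.0/23", LEGIT_ASN),              # legitimate origin announcement
    ("192.0.2.0/24", ROGUE_ASN),              # rogue subset of the same block
]
# Route Origin Authorizations: (prefix, maxLength, authorized origin ASN)
ROAS = [("192.0.2.0/23", 23, LEGIT_ASN)]
RESOLVER_IP = ipaddress.ip_address("192.0.2.53")   # constructed DNS server IP


def best_route(announcements, dst):
    """Longest-prefix match: the most specific covering prefix wins,
    regardless of who announced it. Returns (prefix, origin ASN) or None."""
    candidates = [(ipaddress.ip_network(p), asn) for p, asn in announcements
                  if dst in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, asn = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), asn


def roa_valid(prefix, origin_asn, roas):
    """RPKI-style origin validation. Covered by a ROA whose ASN matches and
    whose maxLength allows this prefix length -> 'valid'; covered by ROAs
    but none match -> 'invalid'; no covering ROA -> 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, asn in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if asn == origin_asn and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "unknown"


def best_route_with_rov(announcements, dst, roas):
    """Drop 'invalid' announcements before path selection; 'unknown' ones
    are still accepted, matching common operator policy."""
    accepted = [(p, a) for p, a in announcements
                if roa_valid(p, a, roas) != "invalid"]
    return best_route(accepted, dst)
```

Without origin validation the resolver's traffic follows the rogue /24; with it, the /24 is rejected and the legitimate /23 is selected.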
So far, MyEtherWallet is the only confirmed service to have been affected by the hijacking incident.
Experts say the stolen funds, amounting to 216.06 ETH (nearly $152,000 at current exchange rates), are being shuffled around, broken into smaller increments and divided between multiple wallet addresses.
“Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access,” security researcher Kevin Beaumont wrote.
"The security vulnerabilities in BGP and DNS are well known, and have been attacked before," he added. "This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security. It also highlights how almost nobody noticed until the attack stopped. There is a blind spot."