Ethereum wallet interface MyEtherWallet (MEW) recently saw DNS lookups for its domain redirected to a phishing website. The redirections were traced to an IP address in St. Petersburg, Russia. Though the attack wasn't specifically targeting the cryptocurrency website, 215 Ether tokens (about $130,000) were stolen from Ethereum users.
Redditor Sounds The Alarm
A Redditor with the username u/MickySocaci notified the r/Ethereum community about the ordeal through a post titled “[WARNING] MyEtherWallet.com highjacked on Google Public DNS.”
The post warned MyEtherWallet users that they should stay away from the service’s website, as some DNS servers were resolving it to another domain that would then steal their private keys. In a later update, the Redditor told other users the problem was being fixed and edited his thread. It reads:
“Google Public DNS is now resolving the correct IPs. Keep in mind the TTL of the old records was some 9000 seconds, we can expect some ISPs to cache that for their clients.”
MyEtherWallet confirmed the event on Twitter and assured users that things were being taken care of.
Couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.— MyEtherWallet.com (@myetherwallet) April 24, 2018
Though the MyEtherWallet platform doesn't store Ethereum wallet users’ private keys, it is still possible for cybercriminals to get them by redirecting users to a phishing website, a perfect replica of MyEtherWallet’s website, and getting them to enter their keys. Once users try to access their wallets, criminals get access to their funds.
Internet Core Infrastructure Hit
The hackers didn’t specifically target MEW, but according to reports attacked the internet’s core infrastructure, and intercepted DNS requests for the wallet interface, to make sure their server appeared to be its rightful owner. Per The Verge, the hackers’ attack affected services provided by major internet companies like Google and Amazon. The publication wrote:
“Most of the affected users were employing Google’s 220.127.116.11 DNS service. However, because Google’s service is recursive, the bad listing was likely obtained through a forged communication with Amazon’s “Route 53” system.”
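The two quotes above describe the defender's problem in this kind of incident: a recursive resolver that has been fed a forged answer keeps serving it for the record's TTL, and resolvers that were not poisoned keep answering correctly, so the two disagree. The script below is an added example, not code from the article or from MyEtherWallet, showing how an operator can compare answers for their own domain across several resolvers, flag any resolver returning an address outside the operator's published ranges, and estimate how long a poisoned answer can linger in caches. All resolver names, addresses, networks and dig-style output lines are constructed for the example (TEST-NET ranges, not real MEW infrastructure); the 9000-second TTL mirrors the figure quoted from the Reddit post.

```python
"""Cross-resolver DNS consistency check with a TTL-based cache-expiry estimate.
Added example; all resolver names, addresses and answer lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Address ranges the operator publishes for its own service (hypothetical values).
EXPECTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Answer:
    resolver: str
    name: str
    rdata: str            # A record value as returned by the resolver
    ttl: int              # remaining TTL in seconds at observation time
    observed_at: datetime


def parse_dig_answers(resolver, lines, observed_at):
    """Parse 'name TTL IN A address' lines (dig's default answer-section format)."""
    answers = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue  # skip comments, blank lines and non-A records
        answers.append(Answer(resolver, parts[0].rstrip("."), parts[4],
                              int(parts[1]), observed_at))
    return answers


def is_expected(addr):
    ip = ip_address(addr)
    return any(ip in net for net in EXPECTED_NETWORKS)


def classify(answers):
    """Per resolver: which returned addresses are inside/outside the expected ranges."""
    report = {}
    for a in answers:
        entry = report.setdefault(a.resolver, {"expected": set(), "unexpected": set()})
        bucket = "expected" if is_expected(a.rdata) else "unexpected"
        entry[bucket].add(a.rdata)
    return report


def divergent_resolvers(report):
    """Resolvers that handed out at least one address outside the published ranges."""
    return sorted(r for r, e in report.items() if e["unexpected"])


def cache_expiry(answer):
    """Latest moment a cached copy of this answer can still be served to clients."""
    return answer.observed_at + timedelta(seconds=answer.ttl)


def stale_until(answers):
    """Worst-case time until every observed poisoned answer has aged out of caches."""
    bad = [cache_expiry(a) for a in answers if not is_expected(a.rdata)]
    return max(bad) if bad else None


# Constructed observations: three resolvers queried at the same instant.
OBSERVED = datetime(2018, 4, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_ANSWERS = (
    parse_dig_answers("resolver-a", [
        "example-wallet.test.   300   IN  A   203.0.113.10",
    ], OBSERVED)
    + parse_dig_answers("resolver-b", [
        ";; ANSWER SECTION:",
        "example-wallet.test.   9000  IN  A   198.51.100.7",   # outside expected ranges
    ], OBSERVED)
    + parse_dig_answers("resolver-c", [
        "example-wallet.test.   120   IN  A   203.0.113.11",
    ], OBSERVED)
)

if __name__ == "__main__":
    report = classify(SAMPLE_ANSWERS)
    for resolver, entry in report.items():
        print(resolver, "expected:", sorted(entry["expected"]),
              "unexpected:", sorted(entry["unexpected"]))
    print("divergent resolvers:", divergent_resolvers(report))
    print("poisoned answers may be cached until:", stale_until(SAMPLE_ANSWERS))
```

In practice the answer lines come from querying each resolver directly (for example with `dig @resolver name A`), and the expected ranges come from the operator's own records. Disagreement between resolvers is the signal to investigate; the expiry estimate explains why clients kept reaching the phishing site after the authoritative records were corrected, since a resolver that cached the forged answer serves it until its TTL runs out.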
On Etherscan the stolen funds were traced, and the address containing them was tagged as “Fake_Phishing899”. They were subsequently sent to a wallet with $17 million worth of Ethereum in it, which presumably belongs to a cryptocurrency exchange.