Hackers emptied MEW crypto wallet accounts with DNS attack

25 Apr 2018

Cryptocurrencies are a prime target for cyber-criminals. Image: Steve Heap/Shutterstock

The turbulent world of cryptocurrency has seen yet another cybercrime incident.

MyEtherWallet (MEW) is one of the most popular cryptocurrency wallets on the internet and, with the surge in cyberattacks related to digital currency, it has become the latest victim.

MEW said: “A couple of Domain Name System [DNS] registration servers were hijacked around 12pm UTC 24 April to redirect users to a phishing site.”

MEW said the majority of users affected were using Google’s recursive DNS and recommended they use Cloudflare’s service instead. Thieves redirected DNS look-ups for MEW’s website to a malicious phishing site, which looked very like the real thing. Unsuspecting users were not aware the site was bogus and handed over their credentials to criminals, who then rinsed their wallets of ether cryptocurrency.

The fake MEW site was using an untrusted TLS/SSL certificate, meaning victims had to click through a HTTPS error message.

MEW may not have been the sole target

According to CoinDesk, $150,000 (216 ether coins) in total was stolen, but other sources estimated the figure to be higher from examining fraud trackers.

Holding wallets are likely to have been used and a larger wallet containing ether was also located, with a balance running into the millions. While it is not confirmed that all the ether in this particular wallet is stolen, it does signify that attackers might be using other wallets to lead to the larger one.

The website warned users to check that the SSL of a site is secure before they give out any private information: “Users, PLEASE ENSURE there is a green bar SSL certificate that says ‘MyEtherWallet Inc’ before making any transactions. We advise users to run a local (offline) copy of the MEW (MyEtherWallet). We urge users to use hardware wallets to store their cryptocurrencies.”

This attack was made possible due to a flaw at the core of the internet’s infrastructure, both at DNS and Border Gateway Protocol (BGP) levels. Think of DNS as an address book that resolves domain names to their correct IP addresses, and BGP as the more complex system that directs traffic where it needs to go. In the early days of the internet, BGP was designed with implicit trust in terms of how the internet would be used, but this has sadly changed over time as the system remained the same.

Amazon responds

Traffic going towards Amazon Web Services’ Route 53 DNS infrastructure was rerouted to a Russian server controlled by the hackers, where the phishing site was hosted.

Amazon stated: “Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream internet service provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.

“These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”

Security expert Kevin Beaumont said it was unlikely that MEW was the sole target of the attack, given the level of access the hackers had available. He said: “The security vulnerabilities in BGP and DNS are well known, and have been attacked before.

“This is the largest-scale attack I have seen which combines both, and it underscores the fragility of internet security.”

An Ohio-based internet provider known as eNet may have been hijacked to reroute traffic, The Register said, but this has not yet been confirmed.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects