Popular Ethereum wallet interface MyEtherWallet (MEW) today suffered a domain name system (DNS) attack that sent users to the wrong servers, exposing their login credentials.
MEW users immediately began warning one another on Twitter and Reddit: visitors to the wallet site were being redirected to a look-alike page set up by scammers, and anyone who entered a login and password there had the funds in their account stolen.
Posting on Reddit, a user called "rotistain" states that a hacker gained access to his account and that, like everyone else caught up in the hack, he had all of his funds drained.
He further wrote: "Woke up today, put my computer on, went on to myetherwallet and saw that myetherwallet had an invalid connection certificate in the corner. I thought this was odd. https://i.imgur.com/2x9d7bR.png. So I double checked the url address, triple checked it, went on google, got the url. Used EAL to confirm it wasn't a phishing site. And even though every part of my body told me not to try and log in, I did. As soon as I logged in, there was a countdown for about 10 seconds and a tx was made sending the available money I had on the wallet to another wallet "0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29""
At least 215 ETH (worth around $150,000) was transferred to the hacker's wallet and then moved on to another address. That address has been labeled “Fake_Phishing899” on Etherscan and carries a warning that it has been associated with phishing scams.
A DNS hijack lets an attacker answer lookups for a site's name with IP addresses of the attacker's choosing, so visitors land on a server the attacker controls instead of the real one. From there, the attacker can collect the login credentials of every user who authenticates on the false portal.
The MyEtherWallet team wrote on Twitter that it was researching a DNS issue, but the exact scale of the problem is still not defined. They also confirmed the attack on Reddit and stated it would be several hours before service would be fully restored.
Couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.
— MyEtherWallet.com (@myetherwallet) April 24, 2018
One Reddit post noted that with such an attack, funds are at risk, and that API requests and logins could have ended up being redirected to a server hosted by another party.
Cybersecurity expert Kevin Beaumont explained that MEW’s website was compromised at the DNS level, through a hijack of the Amazon domain name service that routes its web traffic.
According to Beaumont, the hack occurred around 11:00 UTC and went unnoticed until 13:00 UTC. The DNS information switched from Amazon’s Route 53 service, the largest commercial cloud provider, whose clients include big names such as Twitter, to a cheap hosting provider in Russia, which served the website using a fake certificate.
Binance, one of the busiest cryptocurrency exchanges, tweeted that some users had been reporting issues loading the site. The exchange did not point to any cyber attack and stated that the issue was due to Google DNS or Amazon Route 53 being down at the time. Binance asked its users to switch to Cloudflare DNS 1.1.1.1 or OpenDNS 208.67.222.222 in the meantime.
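The two warning signs that ran through this incident, DNS answers that point somewhere they should not and a certificate the browser cannot validate, are both checkable from the client or from a monitoring host. The script below is an added example written for this article, not code from MEW, Binance or any party named above. It compares the A records several resolvers return for one name against the netblocks the site's operators expect, flags resolvers that disagree with each other (the kind of divergence that switching to 1.1.1.1 or 208.67.222.222 exposed), and checks a summary of the served leaf certificate against the hostname and trust-store result. Every resolver answer, netblock, hostname and certificate below is a constructed placeholder drawn from the RFC 5737 test ranges; none is MEW's real infrastructure.

```python
"""Added example (not from the article): cross-resolver DNS consistency check
plus a TLS certificate sanity check, the two signals a defender can use to
spot the kind of redirect described above. All names, netblocks and addresses
are constructed placeholders (RFC 5737 test ranges), not real infrastructure.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the netblocks the site's operators expect their A records to fall in.
EXPECTED_NETWORKS = ["203.0.113.0/24"]

# Constructed sample: what three public resolvers returned for the same name.
# Two agree on the legitimate block; the third, reached over a hijacked path,
# hands back an address in an unrelated netblock.
SAMPLE_ANSWERS = {
    "1.1.1.1": ["203.0.113.10", "203.0.113.11"],
    "208.67.222.222": ["203.0.113.10", "203.0.113.11"],
    "8.8.8.8": ["198.51.100.7"],
}


@dataclass
class CertSummary:
    """Minimal view of a leaf certificate as a client sees it (constructed)."""
    subject_cn: str
    san_dns: list
    issuer: str
    chain_trusted: bool  # did validation against the system trust store succeed?


def check_resolution(answers, expected_networks):
    """Return a list of findings; an empty list means no sign of a hijack.
    Signal 1: any A record outside the expected netblocks.
    Signal 2: resolvers disagreeing with one another about the same name."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    for resolver, ips in answers.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                findings.append(f"{resolver}: {ip} is outside expected netblocks")
    if len({frozenset(ips) for ips in answers.values()}) > 1:
        detail = "; ".join(f"{r}={sorted(i)}" for r, i in sorted(answers.items()))
        findings.append("resolvers disagree: " + detail)
    return findings


def _name_matches(hostname, pattern):
    """Exact match, or a single-label wildcard such as *.example.test."""
    if pattern.startswith("*."):
        labels = hostname.lower().split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:].lower()
    return hostname.lower() == pattern.lower()


def check_certificate(hostname, cert):
    """Return findings for a certificate a browser would flag, like the
    'invalid connection certificate' the Reddit user reported seeing."""
    findings = []
    if not cert.chain_trusted:
        findings.append("certificate chain does not validate against the trust store")
    names = {cert.subject_cn, *cert.san_dns}
    if not any(_name_matches(hostname, n) for n in names):
        findings.append(f"certificate is not issued for {hostname} (names: {sorted(names)})")
    return findings


def assess(hostname, answers, expected_networks, cert):
    """Combine both checks into one verdict for a hostname."""
    findings = check_resolution(answers, expected_networks) + check_certificate(hostname, cert)
    return {"hostname": hostname, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed: a self-signed certificate for the wrong name, as a rogue host might serve.
    rogue_cert = CertSummary(
        subject_cn="www.example.test",
        san_dns=["www.example.test"],
        issuer="Self-Signed (constructed)",
        chain_trusted=False,
    )
    verdict = assess("wallet.example.test", SAMPLE_ANSWERS, EXPECTED_NETWORKS, rogue_cert)
    print("suspicious:", verdict["suspicious"])
    for finding in verdict["findings"]:
        print("-", finding)
```

In live use, `answers` would be filled by querying each resolver directly (for example with `dig @1.1.1.1`) and `CertSummary` from the certificate the server actually presents; the checks themselves do not change. Resolver disagreement alone is not proof of a hijack, since legitimate sites use geo-aware DNS, which is why the netblock check and the certificate check are kept as separate findings rather than folded into one boolean.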