What Happened?
Just yesterday(April 24th, 2018), the DNS of popular ETH wallet, MyEtherWallet(MEW) had been compromised. This had resulted in a single person redirecting all of the active online wallet’s public and private keys to them.
This hack had only affected those who attempted to send 1 or more transactions during the time of the DNS spoof via web browser, and ignored the warning of an invalid SSL.
Thankfully MEW had caught on early, due to complaints of users seeing their funds all sent to “0x1d50588c0aa11959a5c28831ce3dc5f1d3120d29“. Once enough complaints had been received, and the situation had been evaluated, the issue had been fixed resulting in a total of roughly $150,000 USD being stolen.
How?
MEW said in a statement that “a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site…”.
Couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.
— MyEtherWallet.com (@myetherwallet) April 24, 2018
“This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”
A DNS is a simple server that’s not typically owned by the app/site owners. It’s what redirects the domain name to the server’s actual IP address… Every site has this in place, since “google.com” is a lot easier to remember than “172.217.14.174”.
Once a hijacker gets a hold of the DNS server, they could redirect the domain to their own server, and control all of the traffic.
DNS hijacking can occur with any site. For example, it had even occurred with Paypal, Google, and even Banks previously.
It’s important to ensure that you make sure you’re visiting the correct site, no-matter where you are on the internet. Always check the domain name twice, and ensure the SSL(if it has one) is functioning correctly.
MEW is currently under fire for not having any proper DNS security in place for their app that’s processing millions(or even billions) worth of USD a day.
Who Did It?
The name of the six fingered man has yet to be released, however some believe to have traced down all of the Ether transactions to a single Binance/Exchange address.
“Here is an entire trace of transactions of yesterday’s phishing scam, all the way to a Binance wallet:
Flagged MEW DNS Scam Wallet: https://etherscan.io/address/0x1d50588c0aa11959a5c28831ce3dc5f1d3120d29
Transaction 1: https://etherscan.io/tx/0x90743a5ef6cf5730fcdfd53e646e4b7c5fdcb49202c428fd1d4f365d1821f842
Transaction 2: https://etherscan.io/tx/0x864b1cd135e2174d33e2db2923586aeb668852fc9b007c9b306350674926b32c
Transaction 3: wallet with more than $15mil, which was involved in many scams in the past (indahash, fake telegram ico, etc.): https://etherscan.io/tx/0x8bccfc517e49674bd4eb419552ef0a4423affef73fdb3ceb436f730e465f50f4
Transaction 4: https://etherscan.io/tx/0x97e33145fbb6f4cb96d4a61bc39a7283897c7a856ba56ef6d3a0f5eaae15563f
Transaction 5: https://etherscan.io/tx/0x5f9dbce5fbee9e79ecb9d78315696e2e4caf6174c7903e47d05e0603002f237c
Transaction 6: https://etherscan.io/tx/0x97e33145fbb6f4cb96d4a61bc39a7283897c7a856ba56ef6d3a0f5eaae15563f
Transaction 7: Binance Wallet: https://etherscan.io/tx/0x3039c91c03af376a1586a1bef83d69951f6e59f2cf3d72c8fdd8e3ccaf8e2877
I’ve sent the same to Binance via a ticket. It’s now up to them to take action, freeze their account(s) and potentially identify/report the individual(s) …. or not”
The same user had later posted that they had recieved a response from the Binance support team, stating they are trying their best to provide assistance and that they are not 100% sure of the hackers identity.
It almost seems as if they know who did it, but don’t want to release the information…
These same addresses had also been involved with a few other known phishing scams. Whoever this guy is, he knows what he’s doing… And he’s getting rich.
In Conclusion
The MEW wallet DNS server had been attacked, and compromised. This resulted in over $150,000 USD worth of Ethereum being stolen from innocent victims.
There’s a reason why I’ve previously recommended avoiding online wallets… No matter which online wallet you use, you’re introducing a third party who you “trust” with all of your funds. The entire point of cryptocurrency, is to replace the trust system and hold your own assets. Why rely on a third party, when you don’t need to?
Use cold storage when possible, and be safe.
0 Comments