Hijacking Of Amazon DNS Servers Leads To MyEtherWallet Hack

MyEtherWallet, a popular online storage facility for Ether tokens, faced a DNS (Domain Name System) attack at 12PM UTC yesterday. The hijacking of MEW’s DNS servers caused visitors to be redirected to a phishing site set up by the hacker. By the time, things were restored to normalcy, the damage has been done. Users who logged into their accounts during the time of the attack saw their Ether wallets emptied. Although, the identify of hacker is unknown, a medium postingtraced the hack to a Russian IP address. The blog also revealed that attackers used BGP — a key protocol used for routing internet traffic around the world — to reroute traffic to Amazon’s Route 53 service, the largest commercial cloud provider who count major websites such as Twitter.com as customers.

A DNS attack is an exploit in which an attacker takes advantage of vulnerabilities in the domain name system (DNS). The MEW team officially acknowledged on Reddit that the breach happened because of hijacking of its DNS servers. To put it in simpler terms, the hackers broke the internet infrastructure.

The official statement says

“It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site.”

Furthermore, MEW clarified that such kind of attacks can happen ‘to any organization including large banks.’ Those who were affected by the breach were using Google DNS servers. MEW had recommended users to switch to Cloudfare DNS servers. The tweet also accompanied a guide which recommends safe practices for protecting valuable digital assets from scammers.

Two wallets, which were used to funnel money from phished wallets, have been identified. While one of them had received 308 ETH as of yesterday, the other one had received 215 ETH. At the time of writing this article, both wallets has been emptied into a third wallet, which contains as much as 25,000 ETH worth ~$17,000,000. A look at the earliest transaction in the wallet reveals that it has been active for at least two months. So, not all the money that is left in that wallet has been stolen yesterday.

The MEW team later tweeted that hijacking of Amazon DNS servers affected MEW wallets.The hackers re-routed DNS traffic using a man in the middle attack using a server at Equinix in Chicago.

It is not the first time an Ethereum-based service was attacked via a DNS exploit. In December 2017, Etherdelta as hacked in a similar manner. Cybersecurity experts have explained that although DNS is quite robust, it was designed for usability, not security, and the types of DNS attacks in use today are numerous and quite complex, taking advantage of the communication back and forth between clients and servers.
MEW’s competitor used the opportunity to advertise themselves by confirming the DNS attack through a tweet. It can be remembered that a bitter fight between MEW founders led to the creation of MyCrypto.

Today’s issue once again highlights the risk involved in using hot wallets such as MEW. It is always advisable to use a hard wallet as it can protect cryptocurrency investors from many threats. Another alternative, which crypto investors could consider is paper wallets to store their valuable digital assets.