BGP & DNS Attack Compromises MyEtherWallet (Clarity on the Issue)


MyEtherWallet, one of the most popular digital wallets for storing cryptocurrencies, was recently affected by a BGP and DNS attack. To be clear, MyEtherWallet (MEW for short) was not hacked, nor were its DNS servers. What happened was that attackers propagated malicious BGP routes throughout the internet. BGP is the IP routing protocol that service providers use; it decides where your traffic goes. E.g. Google.com has its own IP address, and BGP determines the path your packets take to reach it. DNS only resolves domain names to IP addresses and has no way of knowing whether the path to that IP has been changed by bogus BGP routes.
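Added example (not from the original post or from MEW): a defender-side check for the routing half of this attack. Given a feed of BGP announcements, it flags any announcement that overlaps a prefix you operate but is originated by an ASN you did not authorise, including the more-specific announcement that routers will prefer over the legitimate route. The prefixes and ASNs are constructed documentation and private-use values, not those from the incident.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    prefix: str      # announced prefix as seen by a route collector
    origin_asn: int  # origin AS at the end of the AS path

# Constructed allow-list: prefixes we operate and the only ASN allowed to originate them.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; 64500 is a private-use ASN.
# None of these values come from the incident itself.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500},
}

def hijack_alerts(announcements, expected=EXPECTED_ORIGINS):
    """Return (announced_prefix, origin_asn, reason) for every announcement that
    overlaps one of our prefixes but comes from an ASN we did not authorise.
    A more-specific prefix from a foreign ASN is the classic hijack shape:
    routers prefer the longest match, so it wins over the legitimate route."""
    ours = {ipaddress.ip_network(p): asns for p, asns in expected.items()}
    alerts = []
    for ann in announcements:
        net = ipaddress.ip_network(ann.prefix)
        for mine, asns in ours.items():
            if not net.overlaps(mine) or ann.origin_asn in asns:
                continue
            if net.prefixlen > mine.prefixlen:
                reason = f"more-specific of {mine} from unexpected AS{ann.origin_asn}"
            elif net == mine:
                reason = f"exact prefix {mine} originated by unexpected AS{ann.origin_asn}"
            else:
                reason = f"less-specific covering {mine} from unexpected AS{ann.origin_asn}"
            alerts.append((ann.prefix, ann.origin_asn, reason))
    return alerts

# Constructed sample feed, in the shape a route-collector export might take.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500),    # legitimate: our prefix, our ASN
    Announcement("203.0.113.0/25", 64666),    # more-specific from a foreign AS: hijack
    Announcement("198.51.100.0/24", 64666),   # exact prefix from a foreign AS: hijack
    Announcement("192.0.2.0/24", 64666),      # not ours: ignored
]

if __name__ == "__main__":
    for prefix, asn, reason in hijack_alerts(SAMPLE_FEED):
        print(f"ALERT {prefix} AS{asn}: {reason}")
```

In practice the feed would come from a route collector or a monitoring service; the comparison logic stays the same.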


Reddit User OneSmallStepForLambo Gave a Great Summary of the Attack:


In this scenario, DNS was only a means of accomplishing the attack, not the reason for it. The attackers acquired access to very important systems that could change the BGP routes, which is something outside the control of Google, Amazon, and MyEtherWallet. These malicious routes contained incorrect directions for traffic destined to Amazon/Google’s DNS servers with the correct IP paths. This now re-routed traffic was pointed to a DNS server in control of the attacker which had the bad records, which redirected the user to another web server -- outside the control of all parties besides the attacker. Once at this web server, users were directed to a copy of a malicious MEW web page which stole funds. Unknowingly, Google’s DNS server saw the malicious redirected site as valid, as the path which it took to look up the records was manipulated by the attackers. The attackers could have used a valid certificate on the fake site, but did not for some reason. Luckily for us, this was caught before any more damage was done. Even the most cautious investors logging into MEW were fooled by this attack since it was so sophisticated.


For more information on BGP hijacking and previous incidents (even PayPal is not safe from this attack) see link.

What we know:

  • MEW stated on Reddit and Twitter that Google's name servers were hacked… MEW was not. By the nature of the attack, a completely different name server gave out the incorrect records.
  • MyEtherWallet.com could not shut down their site during this attack as it would have no effect.
  • The certificate warning that prompted should have been a clear warning to users. Never use a site that prompts you that its certificate is not valid. With that being said, the attackers could have used a valid one… So don’t assume in the future that a valid certificate means the site is safe. Ultimately, a cold wallet solution is still the best option to ensure your funds are secured. See our previous article about the different types of cryptocurrency wallets.
  • You are not impacted by this if you did not use the site between 11:00 am and 1:00 pm UTC on April 23rd (4:00 am to 6:00 am PST).
  • You do not need to log into MEW to see if you lost funds. You can simply go to etherscan.io and check your balance by entering your public address.
  • If you used cold wallet storage (Trezor, Ledger, etc.) you were not affected by the attack. The only possible issue with hardware wallets is redirection of funds that were sent during the time of the attack. This happens if, say, you were copying and pasting an address to send funds to; when pasting, the hacker can change the address. Always triple check the address you just pasted to make sure it is correct!
  • If you don’t have a hardware wallet, get a copy of MyEtherWallet from GitHub (or MyCrypto) and use it locally on a clean machine and/or with a full node.
  • The fake site is believed to be in Russia and sending ether to the hacker’s wallet.
  • Two addresses are reported to be in use by the hacker, which are now drained of their funds and sent to a Bittrex exchange account:
    1. 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29
    2. 0xf203a3b241decafd4bdebbb557070db337d0ad27
  • The hacker has 15k ETH from similar attacks. This is definitely not their first time performing such attacks. Be wary of using your private keys to log in to MEW.

  • Be safe out there!

    Cheers,
    The Blockchain Musketeers
