[MyEtherWallet Hacked] Couple of days ago, some MyEtherWallet (MEW) users were surprised to see a warning about an untrusted SSL Certificate when visiting the website. Unfortunately the alarm was not enough for some users to avoid logging in to their wallets.
The issue was first reported by user u/rotistain in a reddit post with the screenshot below of the untrusted SSL Certificate:
Rotistain double checked the site’s name and logged int after verifying it, only to see a 10 seconds counter that allowed enough time for the script to steal his tokens, sending them to this address: 0x1d50588c0aa11959a5c28831ce3dc5f1d3120d29
Looking at the transactions in that address, the hacker walked away with 215 Ethereum coins, ~ $147,000 in todays evaluation, from the above address alone. And when I followed the trail of transactions, I found that some addresses had millions of dollars of Ethereums in them, suggesting that this was not the hackers first rodeo.
MEW also put out an official statement on reddit, explaining how the attack took place.
How did this attack happen?
MEW site itself wasn’t compromised to carry out this attack, instead, the attacker compromised Google DNS servers (188.8.131.52) used by users to trick them into visiting a fake MEW site hosted on a Russian server instead of the genuine site.
And because Google’s DNS service is recursive, the bad listing probably came from a forged communication with Amazon’s “Route 53“.
Amazon Web Services representative said that the company’s services were not compromised: “Neither AWS nor Amazon Route 53 were hacked or compromised,” the statement reads. “An upstream Internet Service Provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.”
To intercept valid requests, the attacker used BGP hijacking to spread false routing information on hacked BGP servers operated by an ISP, in this case, in the vicinity of an internet exchange in Chicago.
Lessons Learned from the Attack
If you see a “untrusted SSL Certificate” warning on one of your websites, do not log in.