Hackers steal over $150,000 in cryptocurrency with DNS scam
The scammers used DNS to reroute users to insecure websites.
MyEtherWallet (MEW) is one of the most popular online wallets for cryptocurrency. Now, it appears that the site was the subject of a DNS hack and some users lost their money. MEW wasn't directly hacked or compromised; instead, it looks as though DNS servers were targeted and users were redirected to phishing websites instead of visiting MEW.
The hack appears to have occurred between 11 AM and 1 PM UTC yesterday (7 AM to 9 AM ET), and the team at MEW noticed that the "majority of those affected were using Google DNS servers," as they noted in a tweet. Users likely were served an SSL warning and chose it ignore it.
MEW tweeted some tips to avoid phishing scams like this in the future. This is, of course, in addition to paying attention to SSL warnings and looking for a green bar SSL certificate to assure users that they have arrived at the intended website. The service also recommends switching from Google's DNS servers to Cloudflare.
⅘ Some advice for our users: run a local (offline) copy of MEW platform. Use hardware wallets to store your cryptocurrencies. IGNORE any tweets, Reddit posts, or ANY messages which claim to be giving away or reimbursing ETH on behalf of MEW.
— MyEtherWallet.com (@myetherwallet) April 24, 2018
Users lost a total of $152,000 (216 Ether) in this hack according to Coindesk, but TechCrunch reports that the actual total is probably higher: Somewhere in the range of $365,000. The trouble is, because the hack wasn't actually a security issue with MEW, it's hard to guard against this sort of thing.
Kevin Beaumont reports that it was actually Amazon's internet domain service, rather than Google's, that was targeted in the attack (update: please see below for a statement from an Amazon spokesperson on this issue). The hackers rerouted and served DNS traffic for over two hours. Right now, it appears as though MEW was the only target, but this attack serves to further highlight just how vulnerable the "phone book of the internet" really is.
Update: "Neither AWS nor Amazon Route 53 were hacked or compromised," an Amazon spokesperson told us in a statement. "An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer's domain to the malicious copy of that domain."
