A MESSAGE TO OUR COMMUNITY - a response to the DNS HACK of April 24th 2018
To all users of MEW,
When criminals attack our amazing community, we take it very seriously and have a personal interest in doing everything we can to prevent this from happening again.
The purpose of this post is to inform you of the steps we have taken since the attack on Amazon's DNS service that happened last month, on the 24th of April, 2018.
Before we do that, we’d like to provide you with a brief explanation of how the breach happened:
MEW DNS Server Reroute
MEW's (MyEtherWallet) site was the target of what a comprehensive report by the cyber threat intelligence firm RiskIQ describes as a phishing kit with an automated transfer system (ATS).
A Border Gateway Protocol (BGP) hijack announced the IP prefixes of Amazon's DNS service (Route 53) from a rogue network. DNS queries for the MEW domain that were routed there were answered by attacker-controlled name servers, which sent people from the official MEW website to a host running a MEW phishing page.
RiskIQ threat researcher Yonathan Klijnsma named this phishing kit 'MEWKit'.
It's important to note that BGP is the routing protocol that 'glues' the internet together: it decides which network carries the traffic for which IP addresses, so a hijacked route redirects traffic before any DNS or TLS check is made. It can therefore be said that unidentified criminals carried out a hack that subverted the very structure of the internet itself to steal crypto from users via a fake MEW page.
Klijnsma wrote that what took place was much more than a traditional phishing attack.
He explains that there are two parts to this attack:
- A phishing page mimicking the MyEtherWallet site.
- A server-side component that handles logging and the wallets to which attackers transfer stolen funds once a phishing attack succeeds. In other words, once a victim unlocked a wallet on the fake page, the kit abused the access to the Ethereum network that the MEW page already has in the victim's browser to create the transfer to the attacker's wallet in the background.
“The level of sophistication required to pull off this attack—rerouting DNS traffic from a major service provider to a server running MEWKit—shows a new dedicated effort from threat actors to pursue cryptocurrency,” said Klijnsma.
During his research he also discovered evidence of experimentation in the form of comments written in Russian. Based on a translation of comments and language that was used, the report concluded that the attack was carried out by a native Russian speaker.
The attacker was able to phish $150,000 worth of Ether from MEW users.
It is truly unfortunate that this amazing blockchain space is contaminated with greed, but the reality is that whenever there is an opportunity to exploit people, criminals will seize it.
Hijacking routes to redirect traffic for DNS servers is a decade-old hacking technique and can happen to any organization, including large banks.
Internet security experts have said that this is one of the biggest DNS hacks in history, which does concern us,
"seeing as how the technical and financial resources required for such an attack likely exceed the amount of funds taken."
Education is Key
It is part and parcel of cryptocurrency adoption that we all need to become self-reliant and informed users, otherwise these criminals will continue to succeed.
We are very grateful that many self-educated users were able to catch on and exercise caution during this attack, conscious of the SSL certificate warnings they received when trying to access our platform.
As a first necessary precaution: if the browser shows a certificate warning, or the address bar does not show a valid certificate for the MEW domain (the green SSL bar at the time of writing), then you can be certain that your connection to MEW is not secure. Never click through such a warning. The reverse does not hold: a valid certificate for a look-alike domain proves nothing, so always check the domain name itself as well.
This was such an advanced attack that even the most practiced cryptocurrency holders fell victim to it. BE EXTRA CAREFUL!
We hope that from this experience, every single person who interacts with cryptocurrencies and the blockchain will understand how important self-education is.
In the end, you and only you are responsible for your security. What makes decentralisation and blockchain technology so special is that you don’t have to rely on your bank, government or any third party. This is a tricky, precarious world, but you are empowered with total economic freedom.
Migration of MEW to Cloudflare
In an effort to stop this from happening again, we have decided to migrate the MEW DNS to Cloudflare. The features of this migration include:
1. A secure registrar
Cloudflare's registrar will protect MEW from domain hijacking with online and offline verification of any change to our registrar account.
In more detail, the key features that the Cloudflare registrar provides are the Registry Lock and the Registrar Lock.
The Registry Lock is a special flag set at the registry (not at your registrar) that prevents anybody from making changes to the MEW domain without out-of-band communication with the registry.
In other words, no one can transfer the MEW domain or update its nameservers unless we authorise it with our registrar using a verbal passphrase, after which the registrar has to pick up the phone and call the registry with its own verbal passphrase to approve the change.
This out-of-band verification protects against a compromise of the registrar's own systems and against someone compromising the MEW account at the registrar. It is the gold standard of domain security.
The Registrar Lock (not to be confused with the Registry Lock) prevents unauthorised transfers of the domain: the registrar has to clear a special status flag on the domain before it can be transferred to a different registrar.
2. HSTS (HTTP Strict Transport Security)
This header tells the browser that the MEW website may only be reached over HTTPS with a valid certificate. Once a browser has seen it, it refuses plain HTTP connections and no longer lets the user click through a certificate error, so a fake version of the website presenting a wrong certificate becomes unreachable rather than merely warned about. On its own, HSTS only takes effect after the browser's first successful HTTPS visit; preloading, described next, closes that gap.
3. HSTS Preloading (HSTSPreload)
HSTS Preloading is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their site is built into the browser itself, so the policy applies even on the very first visit.
This list is compiled by Google (via hstspreload.org) and is used by Chrome, Firefox and Safari.
MyEtherWallet.com is part of the preload list and is already included in Chrome and Firefox. MEW will also be part of all the other major browsers in their upcoming releases.
HSTS Preloading removes any opportunity attackers may have to intercept and tamper with the initial HTTP request or with redirects that take place over HTTP.
4. CAA Record (Certificate Authority Authorization)
A CAA record tells certificate authorities which of them are allowed to issue SSL certificates for the MyEtherWallet.com domain. CAs check it at issuance time (the browser never consults it), and a CA that is not listed must refuse to issue. This prevents malicious users from obtaining a genuinely issued certificate for our domain from an arbitrary third-party CA. A CAA record is only as trustworthy as the DNS answer that carries it, which is why it belongs together with DNSSEC.
5. DNSSEC (Domain Name System Security Extensions)
DNS cache poisoning occurs when an attacker tricks a recursive DNS server into caching a fake record. In turn, this fake record is passed on to website visitors when they try to resolve your domain. This allows an attacker to hijack traffic to your website and direct visitors to a web server of their choosing.
To safeguard MEW from security issues in the DNS infrastructure, DNSSEC adds cryptographic signatures to the existing DNS records, so that a validating resolver can reject forged answers, whether they come from a poisoned cache or from a hijacked name server like the one used in this attack. The protection applies only where the resolver validates DNSSEC, and it requires the DS record to be published at the registry, which the locks above protect.
6. CDN (Content Delivery Network)
Using Cloudflare's content delivery network we will be able to significantly reduce the load time of the MEW page for users.
7. Protection against DDoS (Distributed Denial of Service) Attacks
This feature gives our backend nodes added protection against the growing threat of DDoS attacks.
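Two of the controls above are mechanical checks that are easy to get subtly wrong: the HSTS header has to meet the preload list's requirements before a submission is accepted, and a CAA record is evaluated by the certificate authority, not the browser, by climbing the name tree to the closest CAA RRset and then applying the issue and issuewild tags. The following is an added example written for this post, not MEW's or Cloudflare's code. It implements both checks in Python using the hstspreload.org thresholds and the RFC 8659 lookup rules; `ZONE` is constructed sample data, not real DNS records, and the domain names in it are assumptions for the example.

```python
"""HSTS preload eligibility and CAA issuance checks.

Added example, not MEW's or Cloudflare's code. The HSTS rules mirror the
hstspreload.org submission requirements (max-age of at least one year,
includeSubDomains, preload); the CAA logic follows RFC 8659 (climb the name
tree to the closest CAA RRset, then apply the issue / issuewild tags). ZONE
is constructed sample data for the example, not real DNS query results.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; the smallest max-age hstspreload.org accepts
CRITICAL = 128       # CAA flag bit: an issuer that does not understand the tag must refuse


def parse_hsts(header: str) -> dict[str, str | None]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: dict[str, str | None] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_preload_problems(header: str | None) -> list[str]:
    """Reasons a header would be rejected for preloading; an empty list means eligible."""
    if not header:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header)
    problems: list[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
ZONE: dict[str, list[tuple[int, str, str]]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; validationmethods=dns-01"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "nocaa.example.com.": [],                            # no CAA of its own: parent applies
    "locked.example.com.": [(0, "issue", ";")],          # ';' forbids every CA
    "api.example.com.": [(0, "issue", "digicert.com"), (0, "issuewild", ";")],
    "odd.example.com.": [(CRITICAL, "futuretag", "x")],  # unknown critical property
}


def closest_caa_rrset(zone, name):
    """Return the CAA RRset at name or at its nearest ancestor (RFC 8659 section 3)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:                      # an empty list means "none here": keep climbing
            return rrset
    return []


def caa_allows(zone, name, ca_domain):
    """Would a CA identified by ca_domain be permitted to issue for name?

    A leading '*.' marks a wildcard request, which is governed by issuewild
    records when the RRset has any, and by issue records otherwise.
    """
    wildcard = name.startswith("*.")
    rrset = closest_caa_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True                    # no CAA anywhere up the tree: unrestricted
    if any(flags & CRITICAL and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False                   # critical property we do not understand
    has_wild = any(t == "issuewild" for _, t, _ in rrset)
    tags = ("issuewild",) if wildcard and has_wild else ("issue",)
    relevant = [v for _, t, v in rrset if t in tags]
    if not relevant:
        return True                    # RRset present but carries no issue restriction
    # The issuer domain is the part before any ';' parameters; ';' alone yields ''.
    permitted = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower().rstrip(".") in permitted


if __name__ == "__main__":
    print(hsts_preload_problems("max-age=300"))
    print(caa_allows(ZONE, "www.nocaa.example.com", "letsencrypt.org"))
    print(caa_allows(ZONE, "*.api.example.com", "digicert.com"))
```

Point `hsts_preload_problems` at the header value your site actually returns; anything it reports is what the preload submission will reject. `caa_allows` also shows why CAA alone does not stop an attacker who controls the DNS answers: the decision is taken entirely from the records the CA's resolver receives, so those records need DNSSEC behind them to mean anything.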
Towards wider cryptocurrency adoption
Although we have taken these precautionary measures to try and safeguard MEW from any future attacks, we still strongly believe that our users need to learn as much as they can about SAFELY AND SECURELY buying, storing, sending and receiving ETH and any other crypto tokens.
Phishing attacks will never stop coming, so learning how to protect yourself and your funds is the only shot you have at stopping criminals from stealing from you.
Educating yourself is the best defence AND offence against scams and malicious sites.
We thank you for being part of our MEW community and we look forward to announcing many of the exciting new developments to MEW that we are working on in the coming weeks and months!
— MyEtherWallet #teamMEW