Major DNS Spoofing Hack Affects Amazon Web Services

A major DNS spoofing, or “man in the middle,” attack has left the MyEtherWallet (MEW) service compromised.

Jeremy Nation
METACERT


The full extent of affected users remains to be seen, but it appears the domain hijacking took place between 11 AM and 1 PM UTC, when an unknown actor commandeered Amazon’s Route 53 service, which provides commercial cloud services to huge accounts, including MEW. This means the attack was not MEW’s fault.

MEW has warned users about the issue and is investigating the matter. An official statement from MEW founder kvhnuke was posted on reddit:

“It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site.

This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.

A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime.

Affected users are likely those who have clicked the “ignore” button on an SSL warning that pops up when they visited a malicious version of the MEW website.

We are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible.

A message to our MEW community:

Users, PLEASE ENSURE there is a green bar SSL certificate that says “MyEtherWallet Inc” before using MEW.

We advise users to run a local (offline) copy of the MEW (MyEtherwallet).

We urge users to use hardware wallets to store their cryptocurrencies.

In the meantime we urge users to ignore any tweets, reddit posts, or messages of any kind which claim to be giving away or reimbursing ETH on behalf of MEW.

Your security and privacy is ALWAYS our priority. We do not collect or own any user data.

We greatly appreciate your patience and understanding as we try to fight against this criminal phishing attack.

To keep up this fight against phishing, we need our amazing community to support”

Our Founder & CEO at MetaCert was back-channeling with the MEW founder via their Slack group so he could provide live updates to our own community in real time.

Until the problem is fixed, we’re recommending users avoid the site. To protect against this type of attack we (MetaCert) have configured Domain Name System Security Extensions (DNSSEC), a protocol for securing DNS traffic.

In addition to MEW, the cryptocurrency exchange Binance also reported that some users were having issues related to the incident.

It’s a case where triple checking the URL wouldn’t have made a difference; due to the DNS hack, users who went to the site while it was compromised were unknowingly redirected to a phishing site mimicking MEW.

The people most deeply affected were likely users who input their private keys directly into the website; those who did may have lost the sum of their wallet balances by unwittingly turning their credentials over to scammers. For those who lost wallet balances during the incident, it’s unfortunately unlikely those balances will be restored.

Users who used cold storage wallets and double checked the recipient addresses on their hardware devices are in the clear.

If you have a website and your domain registrar is AWS Route 53, here’s a guide from AWS to protect you from DNS spoofing. However, if your domain registrar is not AWS Route 53, you can’t configure DNSSEC on Route 53.
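As an added example (not MetaCert’s or MEW’s code), here is a small Python check of the kind a site operator or cautious user could run against their resolver: it parses a DNS response in wire format, reports whether the resolver marked the answer as DNSSEC-validated (the AD bit), and compares the returned A records against an allowlist. The domain name, the allowlist addresses and the response bytes are all constructed here for illustration.

```python
import struct
from typing import Dict, List

# Constructed allowlist (RFC 5737 documentation addresses, not any real site's IPs).
EXPECTED_A = {"192.0.2.10", "192.0.2.11"}

def encode_name(name: str) -> bytes:
    """DNS wire encoding of a name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname: str, addrs: List[str], ad: bool) -> bytes:
    """Constructed DNS response: one A answer per address, AD bit set or cleared."""
    flags = 0x8180 | (0x0020 if ad else 0)            # QR, RD, RA (+AD when validated)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg

def skip_name(data: bytes, off: int) -> int:
    """Advance past a name, whether written out as labels or as a compression pointer."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += ln + 1

def parse_response(data: bytes) -> Dict[str, object]:
    """Return the RCODE, the AD (authenticated data) flag and all A records in the answer."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4                 # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "a": addrs}

def assess(data: bytes, expected: set) -> List[str]:
    """Findings a monitor would raise: no DNSSEC validation, or an A record outside the allowlist."""
    r = parse_response(data)
    findings = []
    if not r["ad"]:
        findings.append("answer not DNSSEC-validated (AD bit clear)")
    findings += [f"unexpected A record {a}" for a in r["a"] if a not in expected]
    return findings
```

The AD bit is only as trustworthy as the path to the validating resolver, so this check belongs next to a local validating resolver rather than across an untrusted network; it also reports nothing for a zone that is not signed, which is the case DNSSEC on the registrar side is meant to close.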

Join our Telegram community to stay up to date on our blockchain project here.

Install Cryptonite to protect yourself from phishing scams before it’s too late.
