It was confirmed on Tuesday that Naughty People redirected DNS lookups for myetherwallet.com to a moody website pretending to be the ether wallet developer’s site. The result? People signing in were actually logging on to a sketchy site and kindly giving the Naughty People all their details. Obviously the Naughty People would then nick all their coins.
Despite having to click through a warning message because the fake page wasn’t using HTTPS, the Naughty People managed to amass £17m worth of Ethereum.
How on earth did they pull that off? A good old BGP hijack, that’s how. The alt coin fans relied on Amazon’s Route 53 DNS service. Someone sent Border Gateway Protocol messages to core routers to persuade them to chuck traffic aimed at some AWS DNS servers to a dodgy box in Americaland.
The fake box then pretended it was AWS and gave out the wrong IP addy for myetherwallet.com which sent people to the phishing site.
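The two-step trick above (hijack the route to the DNS servers, then hand out a bogus answer) is exactly what route-monitoring looks for. As an added example that is not part of the original article and not code from any DNS or BGP provider, here is a small Python checker that compares observed BGP announcements against a baseline of the prefixes you care about and the AS that is supposed to originate them, flagging both an unexpected origin and a more-specific prefix announced from outside the expected AS. The prefixes and AS numbers are constructed placeholders (RFC 5737 documentation ranges and private-use ASNs), not real AWS or Route 53 values.

```python
import ipaddress
from dataclasses import dataclass

# Baseline: prefixes we expect to see and the AS that should originate them.
# Constructed example values, not real Route 53 / AWS data.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,   # hypothetical "DNS service" prefix
    "198.51.100.0/24": 64500,  # second hypothetical prefix, same origin AS
}


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as a route collector would record it."""
    prefix: str
    origin_as: int
    as_path: tuple  # leftmost = our neighbour, rightmost = origin


def check_announcement(ann, expected=EXPECTED_ORIGINS):
    """Return a list of alert strings for a single announcement.

    Two hijack shapes are flagged:
      * exact prefix announced with a different origin AS;
      * a more-specific sub-prefix announced from a non-expected origin
        (routers prefer the longest match, so this steals the traffic).
    A more-specific from the legitimate origin is treated as ordinary
    traffic engineering and not reported.
    """
    alerts = []
    net = ipaddress.ip_network(ann.prefix)
    for known, origin in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version:
            continue
        if net == known_net and ann.origin_as != origin:
            alerts.append(
                f"origin mismatch: {ann.prefix} announced by AS{ann.origin_as}, "
                f"expected AS{origin}"
            )
        elif net != known_net and net.subnet_of(known_net) and ann.origin_as != origin:
            alerts.append(
                f"more-specific hijack candidate: {ann.prefix} inside {known} "
                f"from AS{ann.origin_as}, expected AS{origin}"
            )
    return alerts


def scan(announcements, expected=EXPECTED_ORIGINS):
    """Map each suspicious prefix to its alerts; clean announcements are omitted."""
    findings = {}
    for ann in announcements:
        alerts = check_announcement(ann, expected)
        if alerts:
            findings.setdefault(ann.prefix, []).extend(alerts)
    return findings


# Constructed feed: one legitimate route, one more-specific hijack,
# one origin substitution, and one unrelated prefix.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500, (64510, 64500)),
    Announcement("203.0.113.0/25", 64511, (64512, 64511)),
    Announcement("198.51.100.0/24", 64511, (64511,)),
    Announcement("192.0.2.0/24", 64520, (64520,)),
]

if __name__ == "__main__":
    for prefix, alerts in scan(SAMPLE_FEED).items():
        for alert in alerts:
            print(prefix, "->", alert)
```

The origin-AS comparison is deliberately simple: an attacker can forge the expected origin at the end of the path, so in practice this check sits alongside RPKI route-origin validation on your own routers and path-level monitoring from a public route collector, and the DNS answers themselves should be cross-checked against the addresses you expect rather than trusted because the route looked fine.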
This isn’t a new scam. It’s been run for decades. In this case, it seems the Naughty People used a pwned box sitting in an Equinix server in Chicago to re-route the traffic. The phishing box was sat in, yes you guessed it, Russia. It could have been a lot worse: technically, they could have rerouted ALL the Route 53 traffic.
It’s claimed the attack is sorted now, but the coin devs are urging people to switch to Cloudflare DNS because they didn’t get messed up in the whole snafu. They also said to keep your wallets offline. (Just don’t chuck out the hard drive and have to look through a mountain of rubbish to try and find it).