MyEtherWallet’s DNS Server Hacked
MyEtherWallet’s DNS servers were hacked last night. MyEtherWallet is an online app for storing and sending Ether and Ethereum-based cryptocurrencies. About $152,000 worth of cryptocurrency (about 250 Ether) was stolen through one of the wallet’s hijacked DNS servers. The concern at this point is that the figure could rise if the hackers are able to access more accounts.
How Did It Happen?
MyEtherWallet tweeted a warning at about 7:29am EDT, within 15 minutes of discovering what was happening. The tweet told users that a couple of DNS servers were being hacked, that the hack was not happening on the MyEtherWallet side, and that the team was working out which servers had been affected so the issue could be fixed as soon as possible.
It appears the hackers took control of DNS servers and then redirected users trying to log in to MyEtherWallet to a phishing site, where their accounts’ private keys were stolen. The attack had been under way for two hours before it was noticed.
MyEtherWallet CEO Kosala Hemachandra stated that the hack had apparently been large enough to carry out a “DNS poisoning attack” against Google’s public DNS servers. He assured users that Google had fixed the issue in a short period of time. Google, however, was not available for comment.
Data from Etherscan, a blockchain information provider, shows that the stolen funds have been moved around and split into smaller amounts.
Security Flaws in DNS Servers
The good news is that the hackers do not seem to have compromised MyEtherWallet itself. Instead, they attacked the internet’s infrastructure, intercepting requests for the wallet and diverting them to a Russian server. Most of the affected users were those using Google’s 126.96.36.199 DNS server.
This hack was accomplished using a technique known as BGP hijacking. It works by spreading bad routing information so that traffic in transit is intercepted. This requires the attackers to gain control of BGP-speaking routers operated by an internet service provider (ISP) or another internet infrastructure provider. While the root of the compromise is still unknown, it has been ascertained that the hijack took place somewhere near an internet exchange in Chicago.
This is not the first time hackers have exploited weaknesses in BGP. BGP is regarded as the internet’s fundamental weakness, since routers accept route announcements without verifying them. Attacks on DNS servers are also common. Exploiting both BGP and DNS weaknesses at once, however, is not common at all. According to researcher Kevin Beaumont, this has been the largest attack combining the two, and it highlights the inherent fragility of the internet’s security.
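The detection a network operator would want against the route hijacking described above is origin monitoring: watch the announcements for the prefixes you depend on and raise an alert when a prefix, or a more-specific slice of it, is announced from an origin AS other than the one expected. The following is an added example written for this page, not MyEtherWallet’s, Google’s or any provider’s own code; the prefixes and AS numbers are constructed documentation values and are not the ones involved in the incident.

```python
"""Flag BGP announcements that hijack monitored prefixes.

Added example. The feed format, prefixes and AS numbers are constructed
for illustration; a real deployment would feed this from a route
collector or a looking-glass export.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Announcement:
    prefix: str       # announced prefix, e.g. "203.0.113.0/24"
    origin_asn: int   # AS that claims to originate the prefix


@dataclass(frozen=True)
class Alert:
    kind: str         # "origin-mismatch" or "more-specific"
    prefix: str       # the offending announcement
    origin_asn: int   # who announced it
    monitored: str    # which monitored prefix it overlaps


# Constructed: prefixes we care about (say, the ones hosting our DNS
# servers) mapped to the only AS that should originate them.
EXPECTED_ORIGINS: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
}


def check_announcement(ann: Announcement,
                       expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Alert]:
    """Return alerts for one announcement (empty list when it is benign)."""
    net = ipaddress.ip_network(ann.prefix)
    alerts = []
    for mon_prefix, mon_asn in expected.items():
        mon = ipaddress.ip_network(mon_prefix)
        if net.version != mon.version or not net.subnet_of(mon):
            continue  # unrelated prefix
        if ann.origin_asn == mon_asn:
            continue  # the legitimate origin, even if it is a more-specific
        # A more-specific wins longest-prefix matching everywhere it
        # propagates, so it diverts traffic even while the legitimate
        # /24 is still being announced. That is why it gets its own kind.
        kind = "origin-mismatch" if net == mon else "more-specific"
        alerts.append(Alert(kind, ann.prefix, ann.origin_asn, mon_prefix))
    return alerts


def scan_feed(feed: Iterable[Announcement],
              expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Alert]:
    """Run check_announcement over a whole feed of announcements."""
    alerts: List[Alert] = []
    for ann in feed:
        alerts.extend(check_announcement(ann, expected))
    return alerts


# Constructed sample feed: two legitimate routes, one more-specific
# hijack, one same-length announcement from the wrong origin, and one
# prefix we do not monitor.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500),
    Announcement("198.51.100.0/24", 64500),
    Announcement("203.0.113.0/25", 64496),
    Announcement("198.51.100.0/24", 64496),
    Announcement("192.0.2.0/24", 64496),
]

if __name__ == "__main__":
    for a in scan_feed(SAMPLE_FEED):
        print(f"{a.kind}: {a.prefix} from AS{a.origin_asn} "
              f"overlaps monitored {a.monitored}")
```

Only the two hijacking announcements in the sample feed produce alerts; the legitimate routes and the unmonitored prefix pass silently. In practice the alert would be paged to the operator, since the text above notes that the real redirection ran for two hours before anyone noticed.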