MyEtherWallet Is The Fresh Victim of DNS Server Hijacking, $150K Stolen

MyEtherWallet, a popular web app used for storing and transferring Ethereum-based tokens, became the latest victim of a Domain Name System (DNS) hijacking attack on Tuesday.

In a DNS hijacking attack, the attacker makes a site's domain name resolve to an IP address under the attacker's control, so visitors land on a lookalike site and the attacker can harvest the login credentials of everyone who authenticates on the fake portal. In this attack, nearly $150,000 worth of Ether is reported to have been stolen.

Soon after the problem surfaced, members of the MyEtherWallet community began reporting it on Reddit and Twitter. Users said they had been redirected to a lookalike website set up by scammers, which captured their login credentials as soon as they were entered.

A Reddit user with the account name “rotistain”, who was a victim of this hack, said: “Woke up today, put my computer on, went on to myetherwallet and saw that myetherwallet had an invalid connection certificate in the corner. I thought this was odd. https://i.imgur.com/2x9d7bR.png . So I double checked the url address, triple checked it, went on google, got the url. Used EAL to confirm it wasn’t a phishing site. And even though every part of my body told me not to try and log in, I did. As soon as I logged in, there was a countdown for about 10 seconds and a tx was made sending the available money I had on the wallet to another wallet 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29.”

The MyEtherWallet team quickly acknowledged the reports and told the MEW user community that it was investigating. In a Twitter announcement it said: “A couple of DNS servers were hijacked to resolve http://myetherwallet.com users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.”

In a Reddit post, the MEW team explained that the @myetherwallet platform itself had not been breached; the attackers had exploited vulnerabilities in public-facing DNS servers.

The team further explained: “A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime. Affected users are likely those who have clicked the "ignore" button on an SSL warning that pops up when they visited a malicious version of the MEW website. We are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible.”
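The two technical points above, that a hijack makes the domain resolve to an attacker-chosen address and that in this case only users of certain resolvers saw the poisoned answer, suggest a simple cross-check: ask several public resolvers for the same A record and flag any that disagrees with addresses you trust. The script below is an added example, not MyEtherWallet's code. It speaks raw DNS over UDP using only the Python standard library; the resolver list, the expected-address set and the sample wire-format responses are constructed for illustration, and the 192.0.2.x / 198.51.100.x addresses are RFC 5737 documentation ranges, not the real addresses involved in the incident.

```python
"""Cross-check a hostname's A records across several public resolvers.

Added example (not MyEtherWallet's code). The resolver list, the expected
address set and the sample wire-format responses are constructed for
illustration; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation
ranges, not the real addresses involved in the incident.
"""
import socket
import struct

# Public resolvers named in the MEW advisory (Google, Cloudflare) plus Quad9.
RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query: header with RD set, one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def build_response(name: str, ips: list[str], txid: int = 0x1234) -> bytes:
    """Construct a wire-format answer as a resolver would return it (test data only)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = build_query(name, txid)[12:]
    # Each answer names the owner via a compression pointer to offset 12 (the QNAME).
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += length + 1


def parse_a_records(msg: bytes, txid: int = 0x1234) -> set[str]:
    """Extract IPv4 addresses from the answer section; reject a mismatched ID."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch; possible spoofed reply")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips: set[str] = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> set[str]:
    """Send one UDP query to a resolver and return the A records it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def find_divergent(answers: dict[str, set[str]], expected: set[str]) -> dict[str, set[str]]:
    """Return the resolvers that handed out any address outside the expected set."""
    return {res: ips - expected for res, ips in answers.items() if ips - expected}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    expected = set(sys.argv[2:])   # addresses you trust, obtained out of band
    seen = {label: query_resolver(ip, host) for label, ip in RESOLVERS.items()}
    for label, ips in seen.items():
        print(f"{label:10s} {sorted(ips)}")
    if expected:
        print("divergent:", find_divergent(seen, expected))
```

Run it as `python check.py myetherwallet.com <trusted-ip> ...` to compare live answers; a resolver listed under "divergent" is handing out an address that does not match what you trust. Two caveats: sites behind CDNs legitimately return different addresses per region, so a disagreement is a prompt to investigate rather than proof of a hijack, and the trusted set has to come from somewhere other than DNS (the site's published addresses, a previous known-good lookup). Note also what this check cannot replace: the browser's certificate validation is the one control that still works when your own resolver has been hijacked, and clicking through the warning, as the affected users did, switches that control off.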

Kevin Beaumont, a cybersecurity researcher, said that the MEW website was compromised at the DNS level after Amazon's DNS service, Route 53, was hijacked and used to reroute traffic.