What Happened?

Just yesterday (April 24th, 2018), the DNS of the popular ETH wallet MyEtherWallet (MEW) was compromised. This resulted in a single attacker redirecting users to a site that captured the public and private keys of every online wallet that was actively used during the incident.

The hack only affected users who attempted to send one or more transactions through the web browser during the DNS spoof and who ignored the browser's warning about an invalid SSL certificate.

Thankfully MEW caught on early, thanks to complaints from users who saw all of their funds sent to “0x1d50588c0aa11959a5c28831ce3dc5f1d3120d29”. Once enough complaints had been received and the situation had been evaluated, the issue was fixed, with a total of roughly $150,000 USD stolen.

How?

MEW said in a statement that “a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site…”.

A couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap. — MyEtherWallet.com (@myetherwallet) April 24, 2018

“This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”

A DNS server is a simple server that is typically not owned by the app/site owners. It is what resolves a domain name to the server’s actual IP address. Every site relies on this, since “google.com” is a lot easier to remember than “172.217.14.174”.

Once a hijacker gets hold of the DNS server, they can point the domain at their own server and control all of the site’s traffic.

DNS hijacking can happen to any site. It has previously happened to PayPal, Google, and even banks.

Always make sure you are visiting the correct site, wherever you are on the internet. Double-check the domain name, and confirm that the SSL certificate (if the site has one) is valid and actually issued for that domain.
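The two checks above (do the DNS answers still point where they should, and does the certificate actually cover the domain) can be automated on the defender's side. The following is an added example and not code from the original post or from MyEtherWallet: it compares the answers returned by several resolvers against a known-good allowlist, flags any resolver serving an unexpected address or disagreeing with the others, and performs an RFC 6125-style hostname match against a certificate's DNS names. The domain `wallet.example`, the resolver labels, the IP addresses and the certificate names are all constructed; `live_answers` uses the system resolver only and is an assumption about how one might wire the checks to real lookups.

```python
"""Detect a DNS hijack by comparing resolver answers against known-good
records, and check that a TLS certificate's names really cover the host.
Added example, not MyEtherWallet's code. All addresses, resolver names and
certificate names below are constructed."""
import ipaddress
import socket
from typing import Dict, Iterable, List, Set

# Constructed allowlist: the addresses the site operator knows it publishes.
EXPECTED_A_RECORDS: Dict[str, Set[str]] = {
    "wallet.example": {"198.51.100.10", "198.51.100.11"},
}


def find_unexpected_answers(domain: str,
                            answers_by_resolver: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {resolver: [unexpected ips]} for every resolver whose answer set
    contains an address outside the allowlist. An empty dict means all clean."""
    expected = {ipaddress.ip_address(ip) for ip in EXPECTED_A_RECORDS.get(domain, set())}
    findings: Dict[str, List[str]] = {}
    for resolver, answers in answers_by_resolver.items():
        bad = sorted(str(ip) for ip in map(ipaddress.ip_address, answers) if ip not in expected)
        if bad:
            findings[resolver] = bad
    return findings


def resolvers_disagree(answers_by_resolver: Dict[str, List[str]]) -> bool:
    """True when different resolvers return different address sets, a classic
    sign that some resolvers are serving hijacked or poisoned records."""
    sets = {frozenset(ipaddress.ip_address(ip) for ip in a)
            for a in answers_by_resolver.values()}
    return len(sets) > 1


def hostname_matches(cert_names: Iterable[str], host: str) -> bool:
    """RFC 6125-style comparison of a hostname against the DNS names in a
    certificate (subjectAltName). A wildcard covers exactly one leftmost label
    and is only honoured when the name has at least three labels, so a
    certificate for '*.example' or for a different domain does not match."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def live_answers(domain: str) -> List[str]:
    """Assumption: ask the system resolver for the IPv4/IPv6 addresses of a
    domain so the result can be fed into the functions above."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed scenario: resolver-b has been hijacked to an attacker address.
    observed = {
        "resolver-a": ["198.51.100.10", "198.51.100.11"],
        "resolver-b": ["203.0.113.7"],
    }
    print("unexpected:", find_unexpected_answers("wallet.example", observed))
    print("disagree:", resolvers_disagree(observed))
    # A certificate issued for some other domain does not cover the wallet host,
    # which is exactly the browser warning users were told to heed.
    print("cert ok:", hostname_matches(["other.example", "*.other.example"], "wallet.example"))
```

Run against real resolvers, the answer sets would come from querying each resolver separately (for example with a DNS library) rather than from `live_answers`, which only sees the system resolver; the comparison logic is the same either way.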

MEW is currently under fire for not having proper DNS security in place for an app that processes millions (or even billions) of USD worth of transactions a day.

Who Did It?

The name of the six-fingered man has yet to be released; however, some believe they have traced all of the stolen Ether transactions to a single Binance exchange address.

“Here is an entire trace of transactions of yesterday’s phishing scam, all the way to a Binance wallet: