The day before yesterday, MyEtherWallet, the most popular client-side interface for generating and managing Ethereum wallets, confirmed that several of its users were victims of a DNS hack in which hundreds of thousands of dollars in Ether were stolen.

As reported by TechCrunch:

“One fraud tracker identified two wallets (here and here) used in the attack and they led to what looks like a holding wallet (here) that collected more than 520 Ether today. That would be around $365,000 at today’s price of $700 per ETH. The actual amount taken could be higher still. The holding wallet leads to a larger wallet, which has a balance of more than $17 million in Ether and a constant stream of incoming transactions. That’s not to say that $17 million was stolen — that isn’t likely — but the attackers could be using other wallets which haven’t yet been tracked but eventually lead to this larger one.”

What happened?

A couple of Domain Name System (DNS) servers that resolved the myetherwallet.com domain name were compromised, and visitors were redirected to a phishing site at an IP address located in Russia.

Although browsers warned that the website was not safe, many users ignored the warning and accessed their wallets using their private keys or the JSON file, which led to the theft of their available funds.

These DNS exploits are relatively common on the Internet. To understand why this happens, you have to understand how the domain system works.

In layman's terms, the Domain Name System (DNS) is a protocol that translates a user-friendly domain name, such as myetherwallet.com, into the numerical Internet Protocol (IP) address where the site is hosted (e.g. 100.10.10.100).

By exploiting the DNS and redirecting the user-friendly domain to another IP where the phishing site is located, attackers can steal all the data entered on the site by the user.

How Can This Be Prevented?

Check the SSL Cert

One of the easiest ways to avoid falling victim to this type of DNS attack is to use a secure HTTPS connection and always verify that the website you are interacting with has an SSL/TLS certificate issued by a third party to the correct domain, and that the domain name in the certificate is spelled correctly.
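The checks described above, written out as an added example (not code from MyEtherWallet or from the original article): it takes a certificate as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports a name mismatch, a self-signed issuer, or an expired validity period. The certificates, CA name, lookalike domain and timestamp are constructed samples.

```python
import ssl

def dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def check_certificate(cert, expected_host, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not any(name_matches(p, expected_host) for p in dns_names(cert)):
        problems.append("certificate is not issued to " + expected_host)
    # Heuristic: identical issuer and subject means no third party signed it.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: not issued by a third party")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("outside validity period")
    return problems

# Constructed sample data, not the certificates involved in the incident.
CA_SIGNED = {
    "subject": ((("commonName", "myetherwallet.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "myetherwallet.com"),
                       ("DNS", "*.myetherwallet.com")),
    "notBefore": "Jan  1 00:00:00 2018 GMT",
    "notAfter": "Jan  1 00:00:00 2019 GMT",
}
SELF_SIGNED = dict(CA_SIGNED, issuer=CA_SIGNED["subject"])
LOOKALIKE = dict(CA_SIGNED, subjectAltName=(("DNS", "myetherwa1let.com"),))
NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2018 GMT")

if __name__ == "__main__":
    for label, cert in (("ca-signed", CA_SIGNED), ("self-signed", SELF_SIGNED),
                        ("lookalike", LOOKALIKE)):
        print(label, check_certificate(cert, "myetherwallet.com", NOW))
```

On a live connection, `ssl.create_default_context()` already performs chain and hostname validation; the example only makes the individual checks visible.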

Use a Hardware Wallet

Those who used hardware wallets to access their funds were not affected, since the private key, which signs the transactions, never leaves the device. MetaMask users were not affected either, as the phishing site didn't work with the browser extension wallet.

Why this same attack cannot happen on SelfKey