Hackers used a man-in-the-middle attack to compromise an Amazon DNS server, leading to the theft of about $152,000 in Ethereum cryptocurrency from MyEtherWallet.com customers, who were redirected to a phishing site where their wallet login credentials were stolen.
The incident began on Tuesday when cybercriminals used the Border Gateway Protocol (BGP), a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems, to reroute traffic intended for Amazon’s Route 53 DNS service to a second server inside an Equinix data center and then on to a server in Russia, according to reports from ESET’s Graham Cluley and a Cloudflare blog.
“The server used in this incident was not an Equinix server but rather customer equipment deployed at one of our Chicago IBX data centers. We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment,” an Equinix spokesperson told SC Media.
The IPs involved, 188.8.131.52/23, 184.108.40.206/23, 220.127.116.11/23 and 18.104.22.168/23, are all allocated to Amazon. Cloudflare said that during the two hours when malicious actors had control of the DNS server, the IPs responded only to requests for myetherwallet.com. These requests were then sent along the chain to the Russian server, where they were delivered to a phishing website that stole the victims’ wallet credentials, leading to their Ethereum wallets being emptied.
“Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access,” wrote security researcher Kevin Beaumont.
What helped fool even observant visitors was that the fake website showed a correct, but self-signed, security certificate. Cluley noted, however, that the fake site’s root certificate page did indicate the certificate could not be trusted, but this was either not spotted or ignored by the victims.
“Affected users are likely those who have clicked the ‘ignore’ button on an SSL warning that pops up when they visited a malicious version of the MEW website,” myetherwallet.com said in a statement on Reddit.
Amazon denied it was responsible for the leak that allowed the DNS hijacking to take place, saying in a statement that an upstream ISP was compromised “by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.”
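The announcement Amazon describes, a subset of an owner's address space originated by another network, is the pattern a route-origin check is built to flag. The following Python code is an added example, not code from the article or from any party named in it; it is modelled on the valid / invalid / not-found outcomes of RPKI route origin validation, and the prefixes, AS numbers and the `EXPECTED` table are constructed placeholders taken from documentation and benchmarking ranges.

```python
import ipaddress

# Constructed sample data: documentation AS numbers and a benchmarking address
# range stand in for the real owner. None of these values come from the incident.
EXPECTED = [
    # (covering prefix, longest prefix length the owner announces, owner's origin AS)
    ("198.18.0.0/21", 23, 64496),
]

def classify(prefix, origin_as, expected=EXPECTED):
    """Return 'valid', 'invalid' or 'not-found' for one observed announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for exp_prefix, max_len, exp_as in expected:
        exp_net = ipaddress.ip_network(exp_prefix)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first
        if net.version != exp_net.version or not net.subnet_of(exp_net):
            continue
        covered = True
        # Valid only if the origin matches AND the prefix is not more specific
        # than anything the owner is expected to announce
        if origin_as == exp_as and net.prefixlen <= max_len:
            return "valid"
    # Covered by an expectation but matching none of them: possible hijack
    return "invalid" if covered else "not-found"

def suspicious(announcements, expected=EXPECTED):
    """Filter a list of (prefix, origin AS) pairs down to the 'invalid' ones."""
    return [(p, a) for p, a in announcements if classify(p, a, expected) == "invalid"]

# Constructed announcements, as a route collector might report them
SAMPLE = [
    ("198.18.0.0/23", 64496),   # owner's normal announcement
    ("198.18.2.0/23", 64511),   # owner's space, originated by a different AS
    ("198.18.4.0/24", 64496),   # right origin, but more specific than expected
    ("203.0.113.0/24", 64500),  # unrelated space with no expectation on file
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE:
        print(f"{prefix:18} AS{asn}  {classify(prefix, asn)}")
```

An "invalid" result means the route falls inside monitored space but does not match any expected origin and length; "not-found" means the check has no opinion, so coverage depends on how complete the expectation table is.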