The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.

Fredrik Korsbäck hugge at nordu.net
Tue Apr 24 18:35:17 UTC 2018


Aloha.

Surprised this hasn't "made the news" over at this list yet.

https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ

https://twitter.com/barton_paul/status/988788348272734217

TLDR; So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
IP-space, containing quite a lot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)

I did some digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939)
that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the
problem in almost all recent hijacks.

Can we do some collaborative digging in other tools you have handy (I guess ThousandEyes probes etc. could be of help
here) to track how big the propagation was?

Being a bit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is a bit special since
you actually log in with your wallet-seed and not user/pass to the site... giving the possibility to make really swift
transfers without having actual access to the real site (for good ....and bad).

-- 
hugge @ 2603
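The two things the post asks about, "was this announcement legitimate?" and "which transit AS carried it?", are exactly what RFC 6811 route origin validation plus a look at the AS paths answers. The script below is an added illustration, not code from the original post or from any of the tools named in it. It generalises the incident into the standard three-state check (valid / invalid / unknown) against ROA-like records, then counts which non-origin ASNs appear on the paths of invalid routes. Everything except the attack shape (a more-specific of legitimately originated space, originated by AS10297 and carried by AS6939) is constructed: the prefixes are documentation ranges, AS64500/64511 and the vantage-point ASNs are stand-ins from the private range, and the real AWS origin ASN is deliberately not used.

```python
"""
RFC 6811-style route origin validation over constructed BGP announcements,
plus a count of which transit ASes carried the invalid ones.
Added example, not from the original post. All prefixes and ASNs other
than 10297 and 6939 are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A ROA-like record: who may originate this prefix and down to what length."""
    prefix: ipaddress.IPv4Network
    max_len: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    """One route as seen from a vantage point; as_path[-1] is the origin AS."""
    prefix: ipaddress.IPv4Network
    as_path: tuple


def validate(ann, roas):
    """Return 'valid', 'invalid' or 'unknown' per RFC 6811 semantics.

    valid   : some covering ROA matches the origin AS and the prefix is not
              longer than that ROA's max length
    invalid : covering ROAs exist but none matches (wrong origin, or the
              announcement is a more-specific beyond max length)
    unknown : no ROA covers the prefix at all
    """
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    origin = ann.as_path[-1]
    for r in covering:
        if r.asn == origin and ann.prefix.prefixlen <= r.max_len:
            return "valid"
    return "invalid"


def invalid_announcements(anns, roas):
    return [a for a in anns if validate(a, roas) == "invalid"]


def transit_counts(anns, roas):
    """How often each non-origin AS appears on the path of an invalid route.

    A single AS showing up on most invalid paths is the propagation pattern
    the post describes for Hurricane Electric (6939).
    """
    counts = {}
    for a in invalid_announcements(anns, roas):
        for asn in set(a.as_path[:-1]):  # de-duplicate prepends within one path
            counts[asn] = counts.get(asn, 0) + 1
    return counts


# Constructed data. AS64500 plays the legitimate origin of a /24; its ROA
# allows nothing longer than /24, so any /25 is invalid whoever announces it.
ROAS = [Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64500)]

# Constructed announcements as heard by three vantage ASes (64496-64498).
ANNOUNCEMENTS = [
    Announcement(ipaddress.ip_network("203.0.113.0/24"), (64496, 64500)),        # legitimate
    Announcement(ipaddress.ip_network("203.0.113.0/25"), (64496, 6939, 10297)),  # hijack via 6939
    Announcement(ipaddress.ip_network("203.0.113.128/25"), (64497, 6939, 10297)),# hijack via 6939
    Announcement(ipaddress.ip_network("198.51.100.0/24"), (64496, 64511)),       # no ROA
    Announcement(ipaddress.ip_network("203.0.113.0/25"), (64498, 64500)),        # right origin, too long
]


def main():
    for a in ANNOUNCEMENTS:
        print(f"{str(a.prefix):18} path={a.as_path} -> {validate(a, ROAS)}")
    print("transit ASes on invalid paths:", transit_counts(ANNOUNCEMENTS, ROAS))


if __name__ == "__main__":
    main()
```

The fifth record is the edge case worth noticing: a more-specific from the correct origin AS is still invalid once it exceeds the ROA's maxLength, which is what makes a ROA with a tight maxLength useful against de-aggregation of the kind described above. Note that origin validation alone says nothing about the path, so the transit count is a heuristic for "who propagated it", not proof.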