The story about MyEtherWallet.com hijack or how to become a millionaire in 2 hours.
jbates at paradoxnetworks.net
Tue Apr 24 20:34:47 UTC 2018
On 4/24/2018 1:35 PM, Fredrik Korsbäck wrote:
> Surprised this hasn't "made the news" over at this list yet.
In the old days, the list membership would have noticed the hijack. BGP
hijacks used to be a somewhat popular topic, but like spammer chasing, I
think everyone grew bored of it and the lack of things actually being done.
> TLDR; So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
> IP-space, containing quite a lot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
> pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
> with a bogus SSL-cert (but still pretty good) (https://22.214.171.124/)
Why did they use a self-signed cert? If you control the DNS or the
endpoint, you can easily get a signed cert. Given how lax people were at
detecting this, they would have gotten further if people hadn't been
complaining about the cert notification.
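An added example, not part of the original thread: a small monitor for the pattern the quoted TLDR describes, a more-specific (de-aggregated) announcement of someone's address space from an origin AS that is not expected to announce it. The prefixes and AS numbers are constructed from documentation ranges, and the `(prefix, origin_as)` tuples are an assumed stand-in for a parsed BGP update feed.

```python
import ipaddress

# Constructed data: documentation prefixes (RFC 3849, RFC 5737) and
# documentation AS numbers (RFC 5398). Maps covering prefix -> expected origins.
MONITORED = {
    ipaddress.ip_network("2001:db8::/32"): {64496},
    ipaddress.ip_network("203.0.113.0/24"): {64497},
}

# Constructed sample of announcements as (prefix, origin AS).
UPDATES = [
    ("203.0.113.0/24", 64497),     # expected announcement
    ("2001:db8:53::/48", 64511),   # more-specific from an unexpected origin
    ("2001:db8:1::/48", 64496),    # owner de-aggregating its own space
    ("203.0.113.0/24", 64511),     # same prefix, unexpected origin
    ("192.0.2.0/24", 64500),       # not covered by any monitored prefix
]

def classify(prefix, origin_as, monitored=MONITORED):
    """Return (verdict, covering_prefix) for a single announcement."""
    net = ipaddress.ip_network(prefix)
    for covering, origins in monitored.items():
        # subnet_of() raises TypeError across IP versions, so check first.
        if net.version != covering.version or not net.subnet_of(covering):
            continue
        more_specific = net.prefixlen > covering.prefixlen
        if origin_as not in origins:
            # Longest-prefix match means a more-specific route attracts the
            # traffic regardless of AS path length, so it ranks highest.
            return ("HIJACK_MORE_SPECIFIC" if more_specific else "HIJACK_ORIGIN", covering)
        return ("DEAGGREGATION_BY_OWNER" if more_specific else "OK", covering)
    return ("UNMONITORED", None)

def scan(updates):
    """Return only the announcements that need an operator's attention."""
    alerts = []
    for prefix, origin_as in updates:
        verdict, covering = classify(prefix, origin_as)
        if verdict.startswith("HIJACK"):
            alerts.append((verdict, prefix, origin_as, str(covering)))
    return alerts

if __name__ == "__main__":
    for alert in scan(UPDATES):
        print(alert)
```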