The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.

Jack Bates jbates at paradoxnetworks.net
Tue Apr 24 20:34:47 UTC 2018


On 4/24/2018 1:35 PM, Fredrik Korsb├Ąck wrote:
> Surprised this hasnt "made the news" over at this list yet.
>
In the old days, the list membership would have noticed the hijack. BGP 
hijacks used to be a somewhat popular topic, but like spammer chasing, I 
think everyone grew bored of it and the lack of things actually being done.

> TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS
> IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
> pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia
> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
>
>
Why did they use a self-signed cert? If you control the dns or the 
endpoint, you can easily get a signed cert. Given how lax people were at 
detecting this, they would have gotten further if people hadn't been 
complaining about the cert notification.

Jack


More information about the NANOG mailing list