The story about MyEtherWallet.com hijack or how to become a millionaire in 2 hours.
Jack Bates
jbates at paradoxnetworks.net
Tue Apr 24 20:34:47 UTC 2018
On 4/24/2018 1:35 PM, Fredrik Korsbäck wrote:
> Surprised this hasn't "made the news" over at this list yet.
>
In the old days, the list membership would have noticed the hijack. BGP
hijacks used to be a somewhat popular topic, but like spammer chasing, I
think everyone grew bored of it and the lack of things actually being done.
> TLDR; So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
> IP-space, containing quite a lot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
> pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
>
>
Why did they use a self-signed cert? If you control the DNS or the
endpoint, you can easily get a signed cert. Given how lax people were at
detecting this, they would have gotten further if people hadn't been
complaining about the cert notification.
Jack
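
An added example, not part of the original messages: a minimal origin check that flags the pattern described in the quoted summary, where more-specific (de-aggregated) announcements of a monitored prefix arrive from an unexpected origin AS. The prefixes (RFC 5737), AS numbers (RFC 5398), the monitoring table and the update feed are all constructed for illustration.

```python
import ipaddress

# Constructed monitoring table: covering prefix -> expected origin AS.
EXPECTED = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64500,
}

# Constructed announcements as (prefix, AS path); the origin is the last AS.
UPDATES = [
    ("198.51.100.0/24", [64496, 64500]),    # normal announcement
    ("198.51.100.0/25", [64496, 64511]),    # more-specific, foreign origin
    ("198.51.100.128/25", [64497, 64511]),  # second half of the same split
    ("203.0.113.0/24", [64496, 64511]),     # same length, foreign origin
    ("203.0.113.0/25", [64496, 64500]),     # owner de-aggregating its own space
    ("192.0.2.0/24", [64496, 64499]),       # not a monitored prefix
]

def classify(prefix, as_path):
    """Compare one announcement against the monitored prefixes."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for covering, expected in EXPECTED.items():
        # subnet_of() raises on mixed IPv4/IPv6, so check the version first.
        if net.version != covering.version or not net.subnet_of(covering):
            continue
        more_specific = net.prefixlen > covering.prefixlen
        if origin != expected:
            # A longer prefix wins route selection, so this case attracts traffic
            # even while the legitimate covering route is still announced.
            return "SUBPREFIX_HIJACK" if more_specific else "ORIGIN_MISMATCH"
        return "DEAGGREGATED_BY_OWNER" if more_specific else "OK"
    return "UNMONITORED"

def alerts(updates):
    """Return (prefix, origin AS, verdict) for announcements worth paging on."""
    out = []
    for prefix, path in updates:
        verdict = classify(prefix, path)
        if verdict in ("SUBPREFIX_HIJACK", "ORIGIN_MISMATCH"):
            out.append((prefix, path[-1], verdict))
    return out

if __name__ == "__main__":
    for alert in alerts(UPDATES):
        print(alert)
```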