The story about MyEtherWallet.com hijack or how to become a millionaire in 2 hours.
dcorbe at hammerfiber.com
Tue Apr 24 18:59:05 UTC 2018
Is MyEtherWallet really doing 500k/hr in business though?
> On Apr 24, 2018, at 2:35 PM, Fredrik Korsbäck <hugge at nordu.net> wrote:
> Surprised this hasn't "made the news" over at this list yet.
> TLDR; So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
> IP-space, containing quite a lot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
> pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
> with a bogus SSL-cert (but still pretty good) (https://220.127.116.11/)
> I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939)
> that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the
> problem in almost all recent hijacks.
> Can we do some collaborative digging in other tools you have handy (I guess ThousandEyes probes etc. could be of help
> here) to track how big the propagation was?
> Being a bit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is a bit special since
> you actually log in with your wallet seed and not user/pass to the site... giving the possibility to make really swift
> transfers without having actual access to the real site (for good ....and bad).
> hugge @ 2603