The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.
Daniel Corbe
dcorbe at hammerfiber.com
Tue Apr 24 18:59:05 UTC 2018
Is MyEtherWallet really doing 500k/hr in business though?
> On Apr 24, 2018, at 2:35 PM, Fredrik Korsbäck <hugge at nordu.net> wrote:
>
> Aloha.
>
> Surprised this hasnt "made the news" over at this list yet.
>
> https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f
>
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ
>
> https://twitter.com/barton_paul/status/988788348272734217
>
> TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS
> IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
> pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia
> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
>
> I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939)
> that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the
> problem in almost all recent hijacks.
>
> Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help
> here) to track how big the propagation was?
>
> Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since
> you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift
> transfers without having actual access to the real site (for good ....and bad).
>
> --
> hugge @ 2603
>
More information about the NANOG
mailing list