MyEtherWallet Domain-Hijacking Financially Victimized 198 Users, Causing $320K Loss

On April 24, 2023, some MyEtherWallet users suffered a domain-hijacking attack and were redirected to a phishing site, resulting in the theft of over 524 ETH from roughly 198 users and losses exceeding $320K. The attack was carried out by tampering with the DNS records of Amazon servers; victims who proceeded despite the browser warning could still continue and disclose their private keys.

On April 24th, MyEtherWallet (MEW) users in certain regions were hit by domain hijacking: when visiting the official MyEtherWallet.com domain, they could be redirected to phishing sites (physically hosted in Russia). As of this writing, 198 victims have fallen prey, with a combined loss of about $320K US dollars.

Details

Around 12:00 PM UTC on April 24th, the DNS entries of certain Amazon servers were compromised [2], and a portion of web-browsing traffic (i.e., HTTPS-based web requests) to MEW was redirected to a fake phishing website. The fake website was camouflaged to look identical to MEW. Note that the phishing website used a self-signed TLS certificate, which commodity browsers treat as insecure and flag with a warning pop-up. However, users may ignore the warning, choose to proceed and enter their key information, which is then stolen by the attackers and used to immediately transfer the remaining ETH balances.
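The two indicators that distinguished the hijacked traffic in this incident are observable by a service operator or a monitoring team: a resolver returning addresses outside the operator's own IP prefixes, and a self-signed certificate presented for the wallet's hostname. The check below is an added example, not code from the original post or from MEW; the resolver names, addresses, prefixes and certificate fields are constructed samples (documentation address ranges), and the certificate dictionaries follow the layout Python's `ssl.getpeercert()` returns.

```python
# Added example, not from the original post: a defender-side monitor for the two
# indicators in this incident. All addresses, prefixes, resolver names and
# certificate fields below are constructed samples.
import ipaddress

def stray_answers(views, known_prefixes):
    """views: {resolver_name: set of A-record strings}.
    Return {resolver: [addresses outside known_prefixes]} for disagreeing resolvers."""
    nets = [ipaddress.ip_network(p) for p in known_prefixes]
    findings = {}
    for resolver, answers in views.items():
        stray = sorted(a for a in answers
                       if not any(ipaddress.ip_address(a) in n for n in nets))
        if stray:
            findings[resolver] = stray
    return findings

def _rdn_pairs(name):
    # ssl.getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of (type, value)
    return dict(pair for rdn in name for pair in rdn)

def cert_findings(cert, hostname):
    """cert: dict in ssl.getpeercert() format. Return a list of problems found."""
    problems = []
    subject = _rdn_pairs(cert.get("subject", ()))
    issuer = _rdn_pairs(cert.get("issuer", ()))
    if subject == issuer:                       # issuer == subject: self-signed
        problems.append("self-signed certificate")
    sans = {v for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    if hostname not in sans and subject.get("commonName") != hostname:
        problems.append("certificate not issued for " + hostname)
    return problems

def assess(views, known_prefixes, cert, hostname):
    """Combine both checks; empty 'dns' and 'tls' entries mean no hijack indicator."""
    return {"dns": stray_answers(views, known_prefixes),
            "tls": cert_findings(cert, hostname)}

# Constructed sample: one resolver returns an address in the operator's prefix, a
# poisoned one returns a stray address, and that server presents a self-signed cert.
SAMPLE_VIEWS = {"trusted-resolver": {"198.51.100.10"}, "poisoned-resolver": {"203.0.113.7"}}
SAMPLE_PREFIXES = ["198.51.100.0/24"]
SAMPLE_CERT = {
    "subject": ((("commonName", "myetherwallet.com"),),),
    "issuer": ((("commonName", "myetherwallet.com"),),),
    "subjectAltName": (("DNS", "myetherwallet.com"),),
}

if __name__ == "__main__":
    print(assess(SAMPLE_VIEWS, SAMPLE_PREFIXES, SAMPLE_CERT, "myetherwallet.com"))
```

In live use the views would come from querying several independent resolvers and the certificate from a TLS handshake against each returned address; any non-empty finding is worth an alert before users see the browser warning.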


The stolen ETH was transferred directly to two addresses flagged as fake phishing addresses, as shown below:


In total, 524.849443769811124681 ETH was stolen from 198 unique victim users. The transactions related to the first address, Fake_Phishing899, are shown in the following figure.


After collecting the stolen ETH, the attackers immediately sent it to an exchange address (0xb3aaaae47070264f3595c5032ee94b620a583a39) for money-laundering purposes:


By following the flow of the stolen ETH, we can reconstruct the following graph. The stolen ETH is ultimately deposited into an exchange.


Conclusion

This incident reminds us of the decade-old domain-hijacking technique and its implications (or challenges) for providing a reliable web-based service such as a crypto-currency wallet. With that, we strongly recommend that end users exercise extra care when exposing their private keys or other login information. In the meantime, service providers like MEW may consider offering enhanced security mechanisms (e.g., two-factor authentication) to mitigate or even eliminate these risks.

