Summary
On April 24th, 2018, MyEtherWallet (MEW) users in certain regions were hit by a domain hijack: visitors to the official MyEtherWallet.com domain could be redirected to a phishing site (physically hosted in Russia). As of this writing, 198 victims have lost about $320K US dollars.
Details
Around 12:00 PM UTC on April 24th, a BGP hijack diverted traffic destined for Amazon's DNS servers [2], which allowed spoofed DNS answers for MEW's domain, so a portion of web-browsing traffic (i.e., HTTPS-based web requests) to MEW was redirected to a fake phishing website. The fake site was camouflaged to look identical to MEW. Note that the phishing site used a self-signed TLS certificate; because such a certificate does not chain to a trusted certificate authority, commodity browsers treat it as untrusted and show a full-page warning. Users who ignored the warning, chose to proceed, and entered their key information had it captured by the attackers, who immediately transferred the remaining ETH balances.
The stolen ETH was transferred directly to two phishing addresses, as shown in the figure below:
In total, 524.849443769811124681 ETH was stolen from 198 unique victims. The transactions related to the first phishing address, Fake_Phishing899, are shown in the following figure.
After collecting the stolen ETH, the attackers immediately sent it to an exchange deposit address (0xb3aaaae47070264f3595c5032ee94b620a583a39), presumably for money-laundering purposes:
By following the flow of the stolen ETH from the phishing addresses onward, we can reconstruct the graph below. The stolen funds are finally deposited into an exchange.
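The graph above is built by forward taint-tracing: every address that receives funds from a phishing address becomes tainted, and its outgoing transfers are followed in turn until the funds land at a known deposit address. The script below is an added example of that tracing, not PeckShield's own tooling. The ledger it runs on is constructed: the victim, phishing and intermediate addresses are hypothetical labels, only the exchange deposit address is the one quoted in the post, and amounts are made up. It assumes transactions are listed in chronological order, which is what a block explorer export gives you.

```python
"""Forward taint-trace of stolen ETH from phishing addresses to an exchange deposit.

Added example. The ledger is constructed for illustration; only EXCHANGE is the
deposit address quoted in the post, all other addresses are hypothetical labels.
"""
from collections import defaultdict
from decimal import Decimal

WEI = 10**18  # 1 ETH in wei; amounts are kept as integers to avoid float error

EXCHANGE = "0xb3aaaae47070264f3595c5032ee94b620a583a39"  # deposit address from the post
PHISH_A = "0xphishing_a"          # hypothetical stand-in for the first phishing address
PHISH_B = "0xphishing_b"          # hypothetical stand-in for the second
HOP = "0xintermediate_hop"        # hypothetical pass-through wallet

# Constructed ledger: (from, to, value in wei), in chronological order.
TXS = [
    ("0xvictim1", PHISH_A, 100 * WEI),
    ("0xvictim2", PHISH_A, 250 * WEI + 5 * 10**17),   # 250.5 ETH
    ("0xvictim3", PHISH_B, 74 * WEI),
    ("0xvictim4", PHISH_B, 12 * WEI),
    ("0xvictim1", "0xfriend", 3 * WEI),               # unrelated transfer, must not be counted
    (PHISH_A, EXCHANGE, 350 * WEI + 5 * 10**17),      # phishing address cashes out directly
    (PHISH_B, HOP, 86 * WEI),                          # second address goes through one hop
    (HOP, EXCHANGE, 85 * WEI),                         # 1 ETH left behind (gas / residue)
    ("0xinnocent", EXCHANGE, 500 * WEI),               # ordinary deposit, untainted
]


def eth(wei):
    """Exact wei -> ETH conversion as a Decimal (no floating point)."""
    return Decimal(wei) / Decimal(WEI)


def victims_and_totals(txs, phishing):
    """Per phishing address: total wei received and number of unique senders (victims)."""
    totals = defaultdict(int)
    senders = defaultdict(set)
    for src, dst, val in txs:
        if dst in phishing:
            totals[dst] += val
            senders[dst].add(src)
    return dict(totals), {addr: len(s) for addr, s in senders.items()}


def stolen_summary(txs, phishing):
    """Overall stolen amount (wei) and count of unique victims across all phishing addresses."""
    totals, _ = victims_and_totals(txs, phishing)
    victims = {src for src, dst, _ in txs if dst in phishing}
    return sum(totals.values()), len(victims)


def trace_flow(txs, seeds, stop):
    """Forward taint propagation.

    Any address receiving from a tainted address becomes tainted, except addresses
    in `stop` (exchange deposit addresses), which are treated as sinks so that the
    exchange's own outgoing traffic is not followed. Requires `txs` in chronological
    order, since taint can only move forward in time. Returns tainted inflow per
    address and the tainted edges (enough to draw the flow graph).
    """
    tainted = set(seeds)
    inflow = defaultdict(int)
    edges = []
    for src, dst, val in txs:
        if src in tainted and src not in stop:
            inflow[dst] += val
            edges.append((src, dst, val))
            tainted.add(dst)
    return dict(inflow), edges


if __name__ == "__main__":
    phishing = {PHISH_A, PHISH_B}
    totals, nvictims = victims_and_totals(TXS, phishing)
    for addr in phishing:
        print(f"{addr}: {eth(totals[addr])} ETH from {nvictims[addr]} victims")
    total, n = stolen_summary(TXS, phishing)
    print(f"total stolen: {eth(total)} ETH, unique victims: {n}")
    inflow, edges = trace_flow(TXS, phishing, stop={EXCHANGE})
    for src, dst, val in edges:
        print(f"  {src} -> {dst}: {eth(val)} ETH")
    print(f"tainted ETH reaching exchange: {eth(inflow[EXCHANGE])}")
```

The intermediate hop is why the exchange receives less tainted ETH than was stolen, and why "0xinnocent" never appears in the flow even though it deposits to the same exchange address: taint follows senders, not recipients. On real data the same loop runs over an explorer's transaction export for each seed address.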
Conclusion
This incident is a reminder that the decade-old domain hijacking technique still works, and of the challenge it poses to any web-based service, especially crypto-currency wallets whose users handle private keys in the browser. We strongly recommend that end users exercise extra care before exposing their private keys or other login information, and in particular never proceed past a browser certificate warning on a wallet site. In the meantime, service providers like MEW may consider enhanced security mechanisms (e.g., two-factor authentication) to mitigate or even eliminate these risks.
About Us
PeckShield Inc. is a blockchain security company that aims to elevate the security, privacy, and usability of the current blockchain ecosystem by offering top-notch, industry-leading services and products (including smart contract auditing). Please contact us via Telegram, Twitter, or email.
References
- [1] Official website of MyEtherWallet: https://www.myetherwallet.com
- [2] Twitter (Internet Intelligence), "BGP hijack this morning affected Amazon DNS. eNet (AS10297) of Columbus, OH", April 24th, 2018: https://twitter.com/InternetIntel/status/988792927068610561?ref_src=twsrc%5Etfw
- [3] Reddit, "Official statement regarding DNS spoofing of MyEtherWallet domain", April 25th, 2018: https://www.reddit.com/r/MyEtherWallet/comments/8eloo9/official_statement_regarding_dns_spoofing_of/