The popular web-based Ethereum wallet MyEtherWallet (MEW) suffered a cyber-attack on Tuesday 24 April 2018. Users of the web app noticed an irregularity when logging into the app. The attack saw clients of MyEtherWallet lose around $152,000 worth of Ether.
Anybody who connected to MEW during the attack was confronted by a browser certificate warning (the impostor server presented an SSL/TLS certificate not signed by a trusted certificate authority) together with a link to continue anyway. Although unusual, such warnings are not unheard of, and users routinely click through them without realizing the danger.
Clicking through the warning loaded a phishing page served from a host in Russia. Within fifteen minutes of the attack starting, MyEtherWallet notified its users in a warning tweet detailing the danger. The tweet revealed that the attackers had redirected DNS lookups for its dot-com domain to a malicious website masquerading as the MEW site. Clients logging in at MyEtherWallet.com were therefore sent to the malicious site, where the private keys and other login details they entered were stolen. With this information, the attackers went on to empty the wallets of the affected clients.
On Reddit, MyEtherWallet made a statement about the event, saying that it was verifying which servers had been targeted in order to resolve the issue, and advising users to run a local (offline) copy of MyEtherWallet.
Among the reactions on Reddit, Micky Socaci, lead developer at BlockBits.io, explained the attack and advised users not to use myetherwallet.com if they had been using Google Public DNS (8.8.8.8 / 8.8.4.4) at the time. “It seems these DNS servers are resolving the domain to a bad server that CAN steal your keys!” he warned.
Although the breach was not the result of a vulnerability in myetherwallet.com itself, the incident highlights the danger of relying on a centralized web interface and exposes a weakness in the Domain Name System (DNS): a client trusts whatever address its resolver returns, and a poisoned or hijacked answer sends it straight to the attacker.
In a further tweet, MEW said it was still working to verify which servers had been targeted so that the issue could be resolved as soon as possible.