On April 24th, MyEtherWallet (or MEW) users in certain areas suffered from domain hijacking and, when visiting official MyEtherWallet.com domain, may be redirected to phishing sites (physically located in Russia). As of this writing, there are 198 victims falling prey with $320K US dollars loss.

Details

Around 12:00 PM UTC on April 24th, the DNS entries of certain Amazon servers were compromised [2], and a portion of web-browsing traffic (i.e., HTTPS-based web requests) to MEW were redirected to a fake phishing website. The fake website was camouflaged to have the same appearance with MEW. Note the phishing website used a self-signed TLS certificate, which is considered insecure by commodity browsers with warning pop-ups. However, users may ignore the warnings and still choose to proceed and enter their key information, which will then be stolen by attackers to immediately transfer remaining ETH balances.



The stolen ETHs had been transferred directly to two fake phishing addresses as shown below:

  Fake Phishing Address Victims Stolen ETHs Label
1 0x1d50588c0aa11959a5c28831ce3dc5f1d3120d29 176 216.055725770569573281 Fake_Phishing899
2 0xf203a3b241decafd4bdebbb557070db337d0ad27 22 308.7937179992415514 Fake_Phishing900

In total, there are 524.849443769811124681 ETHs stolen and 198 unique victim users. You can find the transactions related to the first Fake_Phishing899 address in the following figure.




After collecting the stolen ETHs, attackers immediately send them to an exchange address (0xb3aaaae47070264f3595c5032ee94b620a583a39) for money laundering purpose:




If we keep track of the flow of stolen ETHs, we are able to reconstruct the following graph. The stolen ETHs are finally deposited into an exchange.



Conclusion

This incident reminds us the decade-old domain hajacking technique and its implications (or challenges) on providing a reliable web-based service such as crypto-currency wallets. With that, we strongly recommend end-users to exercise extra care when exposing your private keys or other login information. In the meantime, service providers like MEW may think possibilities to provide enhanced security mechanisms (e.g., two-factor authentication) to mitigate or even eliminate these risks.

About US

PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.

References