A huge incident happened in the last two days when MyEtherWallet, which is one of the most popular wallets for storing Ethereum, had its DNS server hacked, which led to users getting phished and losing their Ethereum.
The attack occurred when hackers hijacked MEW’s domain name server and redirected its’ users to a malicious fake copy of the website, which got access of users’ private keys, when they unknowingly entered their details in the spoofed website.
The wallet where the illicit funds were being transferred to, was found to have collected more than 215 ETH, which means a value of around $150,000 in terms of fiat money. The amount was then transferred to an address [0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29] which contained a far larger sum of ETH, at around 24,100, which means a value of around $17 million in terms of fiat money. The addresses used to collect the illicit funds have been used for such illicit attacks in the past.
The developers behind MEW wrote a long post on reddit stating the reason for the hack. They called DNS hijacking to be a common exploit and reiterated that it was not the fault of the affected companies.
They said that MEW follows the best practices in terms of security, and hackers were able to gain access due to finding vulnerabilities in public facing DNS servers. They also added that the majority of the affected users were found to be using Google’s DNS service and requested everyone to use Cloudflare’s DNS instead for enhanced protection.
Prior to MyEtherWallet, other wallet providers had also been hit with the DNS hijacking scheme. For example, Blackwallet, which is the storage wallet for Stellar Lumens tokens, was also affected by a similar hack, as well as EtherDelta, which is a decentralized ERC20 token exchange, in recent months.
Users who accessed the website using a hardware wallet were safe as private keys never leave the hardware. To prevent users from being scammed in the future, MEW advised users of certain steps to keep safe from being phished.
For starters, they recommended their users to download and run an offline copy of MyEtherWallet from Github. They also recommend to install a browser extension which would stop and block malicious web addresses.
Cloudflare later published an article on their website giving an in-depth explanation of the reason of the hack. They also said that the attack was caused due to a BGP leak, which is way more sinister and complex when compared to a simple DNS hijack.
