BGP hijacking: Last night, users of MyEtherWallet began to notice something strange. By signing in to the service, there was a non-signed SSL certificate and of course a warning.
It was unusual, but it was the kind of problem that usually some react without thinking.
But anyone who clicked on this certificate warning was redirected to a server in Russia, which emptied the user's digital wallet. Judging by the transaction activity, the attackers seem to have already obtained more than 17 million dollars in Ethereum.
MyEtherWallet confirmed the attack on a statement at Reddit.
"We are currently in the process of verifying the servers to resolve this issue as soon as possible," the company told users. "We advise users to run a local (offline) copy of MyEtherWallet."
The attackers did not appear to have violated MyEtherWallet itself, but used an Internet infrastructure blocking myetherwallet.com's DNS requests. So they made the Russian server look like the legitimate owner of the address.
To intercept these requests, hackers used a technique known as BGP hijacking. This technique spreads false routing information to intercept it movementduring transport. Typically, using such a hijacker requires hacking BGP servers operated by an ISP (Internet Infrastructure Provider). In this case, an ISP from Chicago was hijacked, although the root of the evil is still unknown.
So far, MyEtherWallet is the only confirmed service to have this kind of attack.
It should be noted that BGP hijacking has long been known as a fundamental weakness in internetwork. The story is a very good example of what can happen when we operate automatically, or impulsively without thinking.
See the certificate used:
