MyEtherWallet, one of the most popular wallets for Ethereum, suffered a security attack yesterday around 12:00 PM. Some users reported they were redirected to a non-protected website after using Google’s public DNS. During the attack, users' wallets were at risk of being manipulated by hackers.
Users on Reddit who reported the issue said the DNS server was not resolving the MyEtherWallet domain correctly and was redirecting them to an incorrect server that could have stolen users' keys. Some users recommended the following: “Please make sure the SSL Connection is always green when you interact with any website.”
The company said that only some DNS servers were compromised. In a tweet from its official Twitter account, MyEtherWallet explained what happened. The company says this was not a failure caused by MyEtherWallet, but that it was still checking the servers: “Couple of DNS servers were hijacked to resolve myetherwallet.com users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.”
One of the users explained on Reddit how his funds were stolen. He lost 0.9 ethers by trying to access the MyEtherWallet website on his computer. His web browser showed a warning that the connection was not secure. Despite double checking the link several times and using EAL to check the website, the connection was still not secure. The user had a bad feeling about it, but still tried to log in. As a result, he lost almost one ether from his wallet, and he was not aware of the failure in the Google DNS server. Moreover, scans of his computer with Malwarebytes and Avast showed nothing.
Another client of MyEtherWallet also reported that he was a victim of this attack, but he lost more funds: 11 ethers. In both cases, the users reported the same destination address to which the stolen funds were transferred.
MyEtherWallet issued an official statement on its Reddit profile stating that the security of MyEtherWallet was not compromised and that the attackers took advantage of a vulnerability in the DNS service to harm users: “It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site. This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers. A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime. Affected users are likely those who have clicked the “ignore” button on an SSL warning that pops up when they visited a malicious version of the MEW website. We are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible. A message to our MEW community: Users, PLEASE ENSURE there is a green bar SSL certificate that says “MyEtherWallet Inc” before using MEW. We advise users to run a local (offline) copy of the MEW (MyEtherwallet). We urge users to use hardware wallets to store their cryptocurrencies. In the meantime we urge users to ignore any tweets, reddit posts, or messages of any kind which claim to be giving away or reimbursing ETH on behalf of MEW. Your security and privacy is ALWAYS our priority. We do not collect or own any user data. We greatly appreciate your patience and understanding as we try to fight against this criminal phishing attack. To keep up this fight against phishing, we need our amazing community to support.”
This is not the first time MyEtherWallet has had problems like this. In October last year, the company was the victim of a phishing attack in which a group of hackers pretended to be the MyEtherWallet team and sent fraudulent links with the goal of stealing users' private keys.
In December last year, MyEtherWallet warned its users about a fake version of its wallet available for download in the Apple App Store. The fake app was already in the top three apps by number of downloads at the time it was reported and taken down.