DNS attack on MyEtherWallet takes $152,000 in cryptocurrency

A few days ago, the Ethereum (ETH) cryptocurrency wallet service MyEtherWallet suffered a DNS hijacking attack (I'll explain in a moment, don't worry) that managed to drain enough cryptocurrency to reach a total of $152,000. Not bad for an attack that barely lasted a few hours. Let's see how the cybercriminals did it.
We have already talked about cryptocurrency services on occasion, for example in the post where we recommended keeping your Bitcoins under the mattress. If you had kept them there, this attack would not have affected you... but of course, meeting all the security requirements that let you sleep peacefully with your crypto savings under the mattress is not easy, so there are many users who trust online wallet services. One of them is MyEtherWallet. This service lets you generate a wallet securely and store the credentials and private keys on your computer, so you hold the key to get in, but the wallet itself is in the cloud: a middle-ground security trade-off between delegating it completely and installing it on your own computer.
This service is very good and very useful. Many people use it to store ETH-based cryptocurrencies they want to hold for the long term, so they are not left on an exchange, where in principle they are less secure... and since the investment is long term they have no need to buy or sell either, so a static wallet seems to be where they are best kept.
The attack: DNS hijacking
On April 24, some users noticed that when accessing MyEtherWallet the browser returned an error about the page's TLS certificate (the little green padlock, so we understand each other). Unfortunately, users are used to this kind of failure, such as when a certificate expires and the sysadmin has not yet renewed it, or when we visit a site with a self-signed certificate with no trusted authority behind it, so many of them simply 'accepted' the error and kept using the service. In fact, the warning was legitimate: users were not reaching the real MyEtherWallet site but a copy with the same look, where they entered their username and password as they always did (basically the classic phishing attack, but 2.0). By doing so, they handed their credentials to the cybercriminals, who accessed the real service and moved all the coins in the user's wallet to another wallet belonging to the bad guys.
Said like that it sounds easy, but to impersonate the MyEtherWallet service they did not use some malicious email where they posed as the service's administrators and sent you a link pointing to the counterfeit site; they did it at the DNS level. The criminals had access to the DNS servers of an ISP in Russia and managed to publish on some DNS servers that the IP address of the MyEtherWallet site was actually the IP address of the forged site, so in your browser's URL bar you did not see a fake address as you did a few years ago, when an email from Santander bank arrived telling you to go to http://banco.santander.malos.com to verify your credentials. This time, your browser showed the site's original URL, https://www.myetherwallet.com, and there was no way to see in plain sight that it was an attack... except for the padlock and the certificate warning.
The attack only lasted a few hours. The DNS servers were warned of the fraud right away and replaced the forged IP address with the real one so that users reconnected to the real site. The bad guys only had a few hours to capture credentials and move the cryptocurrency from the original wallets to others under their control... but in total they made off with approximately 152,000 dollars by moving 216 ETH (at roughly $700 each).
Lessons learned
What if the certificate error appears when we access our bank's page? Well, with a few exceptions, 90% of users would go to the bank's page all the same without giving the certificate any more thought: 'It must have expired.' Once again we see how important information security education is, at least at a basic level. More and more of our information is online, more parts of our life are on the net, and we cannot delegate all this information to third parties without at least doing everything on our part to ensure safe access to that data. From now on, if you see that the page you are trying to access looks different from usual, if you get a suspicious email asking for your credentials, or if the little padlock that is always green turns red and screams 'AuuuAAA AuuuuAAA we are all going to die!!', it is better to be suspicious and try again later or from another phone or computer, simply to make sure you are accessing where you are supposed to be accessing.
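As an added example (not from the original post, nor MyEtherWallet's own code), the two checks the article points to, written as a small Python script: it flags any resolver whose answer for the site differs from a recorded known-good baseline, which is how a forged DNS record like the one above would show up, and it builds a TLS client context that refuses the connection on a certificate warning instead of 'accepting' it. All resolver names and IP addresses are constructed placeholders.

```python
import ipaddress
import ssl

HOST = "www.myetherwallet.com"  # the site discussed in the article

# Known-good A records an operator saved after a clean lookup. Constructed
# placeholders from the RFC 5737 documentation ranges, not the service's real IPs.
BASELINE = {"203.0.113.10", "203.0.113.11"}

# Constructed answers from several resolvers in `dig +short` style (one record per
# line; a CNAME target may precede the A records). "resolver-poisoned" returns an
# address outside the baseline, like the forged record described in the article.
RESOLVER_OUTPUT = {
    "resolver-home-isp": "203.0.113.10\n203.0.113.11\n",
    "resolver-public": "cdn-edge.example.net.\n203.0.113.11\n203.0.113.10\n",
    "resolver-poisoned": "198.51.100.77\n",
}

def parse_a_records(dig_short_output: str) -> set[str]:
    """Extract the IP addresses from `dig +short` output, skipping CNAME lines."""
    records = set()
    for line in dig_short_output.splitlines():
        line = line.strip()
        try:
            records.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # blank line or a hostname (CNAME target), not an address
    return records

def divergent_resolvers(outputs: dict[str, str], baseline: set[str]) -> dict[str, set[str]]:
    """Map each resolver that returned an address outside the baseline to those addresses."""
    flagged = {}
    for resolver, output in outputs.items():
        unexpected = parse_a_records(output) - baseline
        if unexpected:
            flagged[resolver] = unexpected
    return flagged

def strict_tls_context() -> ssl.SSLContext:
    """Client context that fails closed on an untrusted or mismatched certificate."""
    # A forged site at a hijacked address cannot present a valid certificate for
    # HOST, so a connection made with this context raises instead of proceeding.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

for resolver, addrs in divergent_resolvers(RESOLVER_OUTPUT, BASELINE).items():
    print(f"{HOST}: {resolver} returned unexpected address(es) {sorted(addrs)}")
```

Used for real, the baseline would be refreshed from a trusted lookup and the resolver answers gathered with `dig +short` against each resolver you care about.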




Very well explained. We always have to stay alert about the security of our cryptos.
Thanks!
Thanks María! I'm glad you liked it 🙂