
BGP/DNS Combo Nets Hackers Thousands in Ethereum

Friday, April 27, 2018, by Mark Mayne

Unusual BGP/DNS attack sees ETH users scammed, while it emerges that hacked exchange Coincheck made a fortune just before major security lapse


While cryptocurrency heists are increasingly popular among criminals, the most recent to emerge demonstrates just how serious the attackers can be.

Certain visitors to the popular online Ether wallet ‘MyEtherWallet’ were presented with an unsigned SSL certificate for a period of two hours over the weekend. Clicking through and dismissing that warning cost several users their Ethereum, to the tune of around $13,000 in total: the certificate warning was in fact the result of visitors being redirected to a fake site.


The redirect was the result of attackers hijacking a Border Gateway Protocol router near an internet exchange in Chicago, rerouting DNS traffic bound for Amazon's Route 53 commercial cloud service.

“It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site. A majority of the affected users were using Google DNS servers. We recommend that all our users switch to Cloudflare DNS servers in the meantime. Affected users are likely those who have clicked the "ignore" button on an SSL warning that pops up when they visited a malicious version of the MEW website,” said MyEtherWallet in a statement.

The attackers’ wallet already contains more than $17 million in Ethereum, which gives the attack a more ominous tone: presumably the mass redirection had other aims beyond stealing a few thousand in Ethereum. However, MyEtherWallet is the only service known to have been affected by the attack so far.

Although rerouting DNS traffic is a relatively common tactic among hackers, and BGP hijacking is a well-known exploit of a flaw in the internet’s infrastructure, it’s unusual for both vectors to be used together. Double Pulsar researcher Kevin Beaumont pointed out in his blog on the subject that: “This is the largest scale attack I have seen which combines both [DNS rerouting and BGP hijacking], and it underscores the fragility of internet security.”
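As an added illustration of how a defender might watch for the two signals combined in this incident (example code written for this article, not from MyEtherWallet, Amazon or Beaumont's post), the Python below applies an RPKI-ROA-style origin check to constructed BGP announcements and flags a public resolver whose answer for a hostname disagrees with the others. Every prefix, ASN, resolver name and address in it is a constructed placeholder.

```python
"""Offline checks for the two signals in the incident described above: a BGP
prefix announced from an unexpected origin AS, and public resolvers that
disagree about a hostname. Every prefix, ASN and address here is constructed."""
import ipaddress
from collections import Counter

# Expected (prefix -> origin ASN, max length) pairs in the style of an RPKI ROA.
# The prefix is a benchmarking range; AS64496 stands in for the real owner.
EXPECTED_ORIGINS = {"198.18.0.0/15": (64496, 24)}

# Constructed BGP announcements (prefix, origin ASN) as a route monitor might see them.
ANNOUNCEMENTS = [
    ("198.18.0.0/15", 64496),   # covering prefix from the expected origin
    ("198.18.5.0/24", 64511),   # more-specific from an unexpected origin
    ("198.18.6.0/25", 64496),   # expected origin but longer than the max length
    ("203.0.113.0/24", 64500),  # nothing expected for this prefix
]

# Constructed A-record answers for one hostname from three public resolvers.
RESOLVER_ANSWERS = {
    "resolver-a": {"192.0.2.10", "192.0.2.11"},
    "resolver-b": {"192.0.2.10", "192.0.2.11"},
    "resolver-c": {"198.51.100.7"},   # constructed: this answer points elsewhere
}

def classify_announcement(prefix, origin, expected=EXPECTED_ORIGINS):
    """Return 'valid', 'invalid' or 'unknown' for one announcement, ROA-style:
    valid if a covering entry has the same origin and the prefix is no longer
    than its max length; invalid if covered but nothing matches; else unknown."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for cov, (asn, maxlen) in expected.items():
        if net.subnet_of(ipaddress.ip_network(cov)):
            covered = True
            if asn == origin and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "unknown"

def resolver_outliers(answers):
    """Resolvers whose answer set shares no address with the majority answer set."""
    majority = Counter(frozenset(a) for a in answers.values()).most_common(1)[0][0]
    return sorted(r for r, a in answers.items() if not (set(a) & majority))

def audit():
    """Run both checks over the constructed data and return the findings."""
    routes = {p: classify_announcement(p, o) for p, o in ANNOUNCEMENTS}
    return {"routes": routes, "dns_outliers": resolver_outliers(RESOLVER_ANSWERS)}

if __name__ == "__main__":
    print(audit())
```

In practice the announcement feed would come from a route collector and the resolver answers from periodic queries; the classification logic stays the same.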

That fragility will certainly be a core concern at the upcoming GISD spring edition 2018 in Geneva. Board level security professionals from UBS, GlaxoSmithKline and International Labour Organization will round out an expert panel delivering and debating key industry insights. Registration for security professionals is free, and attendees are vetted to ensure a sales-free environment.

Elsewhere in the world of crypto-security it has emerged that Japan-based Coincheck Inc, an exchange that triggered wide calls for regulation after suffering a massive theft, was making considerable profits before the event. According to Bloomberg, the exchange earned 53.2 billion yen ($490 million) from April 2017 through January - contrast that with the Japan Exchange Group, owner of the Tokyo Stock Exchange and Osaka Exchange, which earned 66.1 billion yen for all of 2017. Coincheck saw nearly $500 million in digital tokens vanish from a ‘hot wallet’ at the exchange in January 2018.

As a result of the hack, the Japanese Financial Services Agency (FSA) sent ‘punishment notices’ to seven crypto exchanges and temporarily halted the activities of two more after a round of inspections.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented on the increased regulatory focus at the time, saying: “In a long-term perspective, this is very good news for Bitcoin and cryptocurrencies. The regulator properly enforces security and reliability requirements and thus brings trust to the market. Many other countries should defer to the Japanese example to regulate and police this emerging market for the benefit of people who trade cryptocurrencies.

"However, in the near future, we will likely see many more breaches including serious ones. The regulation and particularly cybersecurity standards are nascent at the very best. Many cryptocurrency companies and stock exchanges face very aggressive competition and have to sacrifice their cybersecurity resources to keep their market share.

"While for the attackers, cryptocurrencies are a low hanging fruit that brings very good profits almost without any risks to be traced and halted compared to banking fraud and money hacking."

It is certain that regulation in the space is coming soon, as was made clear by the CEO of US Nasdaq Adena Friedman, who told CNBC: “Certainly Nasdaq would consider becoming a crypto exchange over time. If we do look at it and say 'it's time, people are ready for a more regulated market,' for something that provides a fair experience for investors.”

Whether or not regulation ultimately makes crypto a safer speculative option, it is certain that cryptocurrencies will remain a popular ‘low hanging fruit’ for attackers in the short term.


Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.
