nanog mailing list archives
Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.
From: Fredrik Korsbäck <hugge () nordu net>
Date: Tue, 24 Apr 2018 22:03:46 +0200
"that depends". we for sure know that 150K or so got immediately snatched of the bat, but how much more wallets is at stake? no one knows. What is known however is that they are trying to deploy smokescreens with tons of transfers moving ETH around wallets and all seems to be ending up sooner or later in this account. https://etherscan.io/address/0xb3aaaae47070264f3595c5032ee94b620a583a39 Which is good for 17MUSD. That doesn't really matter though - i wanna speak what we do about this in the DFZ. Can someone from HE comment on how your ingress route-filtering policy looks like towards your customers? I typically base my peering-relationships on people/operators that i have some kind of level of trust in.
Is MyEtherWallet really doing 500k/hr in business though?On Apr 24, 2018, at 2:35 PM, Fredrik Korsbäck <hugge () nordu net> wrote: Aloha. Surprised this hasnt "made the news" over at this list yet. https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ https://twitter.com/barton_paul/status/988788348272734217 TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/) I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939) that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the problem in almost all recent hijacks. Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help here) to track how big the propagation was? Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift transfers without having actual access to the real site (for good ....and bad). -- hugge @ 2603
-- hugge
Current thread:
- The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Fredrik Korsbäck (Apr 24)
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Stephane Bortzmeyer (Apr 24)
- Message not available
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Fredrik Korsbäck (Apr 24)
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Job Snijders (Apr 24)
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Fredrik Korsbäck (Apr 24)
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Jack Bates (Apr 24)
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Daniel Corbe (Apr 24)
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Fredrik Korsbäck (Apr 24)
- <Possible follow-ups>
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Hank Nussbacher (Apr 24)
- Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours. Hank Nussbacher (Apr 24)