Video: Why Amazon is the world's most innovative tech company -- for now.
Attackers on Tuesday pulled off a complex attack using kinks in core internet infrastructure that caused users of an Ethereum wallet developer's website to be redirected to a phishing site.
Users of MyEtherWallet.com lost around $150,000 to the attackers after failing to take heed an HTTPS browser warning that the site they'd been directed to was using a self-signed digital certificate.
MyEtherWallet.com developers said in a statement[1] on Reddit that a number of Domain Name System (DNS) servers were hijacked at 12pm UTC to point users to a phishing site hosted on a Russian IP address. The redirects occurred for about two hours.
Anyone who logged into their account would have had their credentials compromised. Also, browsers already signed in would have transmitted login information via browser cookies. Both outcomes give the attackers a chance to log in to the real site and steal Ethereum.
Cloudflare described the incident as a BGP or Border Gateway Protocol "leak" that allowed the attackers to wrongly announce protocol (IP) space owned by Amazon's Route 53 managed DNS service, which MyEtherWallet.com[2] uses.
BGP maintains a table of available IP networks and finds the most efficient routes for internet traffic. ISPs announce IP addresses to other networks they peer with.
During the attack, eNet Inc, an Ohio-based IP service provider, was wrongly announcing parts of AWS's IP space to its peers and forwarded them to internet backbone provider Hurricane Electric, which in turn affected Cloudflare's DNS directory resolver.
"During the two hours leak, the servers on the IP range only responded to queries for myetherwallet.com," explained Cloudflare engineer Louis Poinsignon.