You have probably heard bad news from MyEtherWallet. On April 24, official representatives announced that unknown hackers have hijacked several DNS servers, users were redirected to the phishing sites.
Reddit users were the first to draw the attention to the problem- while accessing the wallet, they were automatically redirected to another site while all their funds were sent to third-party wallets.
One of the commenters wrote: ‘I’ve lost all my ETH funds.’ Within three hours after the hackers’ attack over $152,000 were stolen in ETH equivalent. However, I assume that total losses could be many times more.
How did it happen?
The crooks used an old (but highly effective) method, known as a hijacking of BGP for retargeting DNS servers, in simple words- phishing. The absence of the MyEtherWallet official certificate was the only mean to recognize the scam. However, looking at the losses very few users paid attention to this.
This is not the first time MyEtherWallet encounters the retargeting of DNS servers. Earlier, at the beginning of January, representatives of the project Blue Protocol drew the community attention to the low-security level of MyEtherWallet DNS servers. However, MEW called it ‘a stupid lie.’ Blue Protocol recommends avoiding using MEW, as they are concerned that the issue still exists but developers simply ignore it.
What to do now?
As of now, MEW hasn’t confirmed that DNS attack is over and all issues had been resolved. If you have not used MEW on April 24th, accessing your account using the private key or keystore file, all your funds are safe. Just do not access the MEW website until the issue is fixed by MEW team and you get a ‘green light.’
If you have used MEW during these four unfortunate hours- your wallets are compromised. You need to immediately transfer your funds to new wallet addresses and make sure that you’re the only person to have access to your private keys.
The incident with MEW showed us a real example of the issue for the light wallets. Yesterday crypto users have lost over $150,000 while only MEW was under the attack. Just imagine what happens to the crypto market if more wallets suffer from this issue? Time to learn from others’ mistakes. If you use wallets like MEW, you should follow appropriate rules.
My recommendations for all users:
Always check the green address on your browser address bar. Ordinary SSL is not enough! Use ONLY those services that have passed the validation and obtained an extended named SSL Certificate, which represents the company’s name. On Guarda’s example, it’s Guardarian OÜ [EE].
Does the Web wallet have alternative platforms- desktop or mobile application? Those platforms are much safer as they’ve got secure internal data storage. That’s why Guarda develops non-custodial mobile wallet applications, like Guarda Ethereum Wallet, Guarda Bitcoin Wallet and etc.
It’s much more secure to store large amounts of cryptocurrency on hardware wallets. It should be clearly understood that Web wallets imply managing small amounts of funds, further go desktop and mobile wallets, and hardware wallets - for the large amount of assets storage.
My recommendations for the wallet developers:
Pass the extended validation tests and obtained names SSL Certificates, so that users can check an organization name and domain.
Use Cloudflare DNSSEC to sign your records. IP-addresses returned by the fake DNS were not signed up, as they do not have encrypted keys.
You can choose for your customers to use the DNS over HTTPS endpoint instead of sending DNS queries over plaintext for increased security and privacy.
Support alternative platforms- local wallets, desktop versions and mobile applications.
As for me, I would recommend using all possible alternatives together. This will minimize risks and the attack surface. I would like to endorse MEW team, hope they will find the solution asap. From my side, I may lend a hand to the MEW team and share the experience how we prevent those attacks on Guarda Wallet.