Popular Ethereum wallet interface MyEtherWallet (MEW) today suffered a domain name system (DNS) hijack that sent users to the wrong servers, exposing their login credentials.
MEW users immediately began warning one another on Twitter and Reddit. They said that visitors to the wallet site were being redirected to a lookalike site built by scammers; once a user entered a login and password, the fake site drained the funds from that user's account.
Posting on Reddit, a user called “rotistain” states that a hacker gained access to his account and stole his balance.
He further wrote: “Woke up today, put my computer on, went on to myetherwallet and saw that myetherwallet had an invalid connection certificate in the corner. I thought this was odd. https://i.imgur.com/2x9d7bR.png . So I double checked the url address, triple checked it, went on google, got the url. Used EAL to confirm it wasn’t a phishing site. And even though every part of my body told me not to try and log in, I did. As soon as I logged in, there was a countdown for about 10 seconds and a tx was made sending the available money I had on the wallet to another wallet ‘0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29’”
At least 215 ETH (worth around $150,000) was transferred to a wallet called “Fake_Phishing899” which was then moved to another address.
A DNS hijack lets an attacker resolve a site's domain name to IP addresses the attacker controls, so visitors land on a server the attacker runs instead of the legitimate one. An attacker who does this can collect the login credentials of every user who authenticates on the false portal.
On its official Twitter account, the MyEtherWallet team tweeted that it was investigating a DNS issue, though the exact scale of the problem is not yet known. The team also confirmed the attack on Reddit and stated it would be several hours before service was fully restored.
Couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.
One Reddit post noted that in such an attack, funds are at risk because API requests and logins could have been redirected to a server hosted by another party.
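The mechanism the article describes, and the warning sign the affected user noticed (a certificate that did not match the site), both come down to the same check a defender can automate: compare the answers several resolvers return for a domain against the record set the operator knows to be correct, and alert on any resolver that hands back an address that is not in that set. The script below is an added illustration of that monitoring check; it is not code from the article or from the MyEtherWallet project. The domain, the resolver answers and the IP addresses are constructed sample data (documentation-range addresses), not MEW's real records.

```python
"""Flag resolvers whose answers for a monitored domain diverge from a
known-good record set.  Added example with constructed sample data; the
domain and IPs are placeholders, not real MyEtherWallet records."""
import socket
from dataclasses import dataclass
from ipaddress import ip_address

# Known-good A records the operator publishes for the monitored domain
# (constructed placeholders in the 203.0.113.0/24 documentation range).
EXPECTED = {
    "example-wallet.test": {"203.0.113.10", "203.0.113.11"},
}

# Constructed sample answers, keyed by the resolver that returned them.
# One resolver returns an address outside the published set, which is the
# signature of a hijack; another returns nothing, which is worth a look
# but is not by itself evidence of redirection.
OBSERVED = {
    "8.8.8.8":  {"example-wallet.test": {"203.0.113.10", "203.0.113.11"}},
    "1.1.1.1":  {"example-wallet.test": {"203.0.113.11", "203.0.113.10"}},
    "9.9.9.9":  {"example-wallet.test": {"198.51.100.77"}},  # unexpected IP
    "corp-dns": {"example-wallet.test": set()},               # empty answer
}


@dataclass
class Finding:
    resolver: str
    domain: str
    severity: str
    unexpected: frozenset = frozenset()
    missing: frozenset = frozenset()


def classify(expected_ips, observed_ips):
    """Compare one resolver's answer with the known-good set.

    Any address outside the published set is treated as a suspected hijack;
    a subset of the published set (or no answer) is only a partial answer.
    """
    unexpected = frozenset(observed_ips) - frozenset(expected_ips)
    missing = frozenset(expected_ips) - frozenset(observed_ips)
    if unexpected:
        return "HIJACK_SUSPECTED", unexpected, missing
    if missing:
        return "PARTIAL_ANSWER", unexpected, missing
    return "OK", unexpected, missing


def check_answers(expected, observed):
    """Return a Finding for every resolver/domain pair that is not 'OK'."""
    findings = []
    for resolver, answers in observed.items():
        for domain, good in expected.items():
            seen = answers.get(domain, set())
            for ip in seen:
                ip_address(ip)  # reject malformed data before comparing
            severity, unexpected, missing = classify(good, seen)
            if severity != "OK":
                findings.append(Finding(resolver, domain, severity,
                                        unexpected, missing))
    return findings


def live_answers(domain):
    """Query the host's configured resolver for A records (live lookup;
    the sample data above does not use it, so the script runs offline)."""
    try:
        _, _, ips = socket.gethostbyname_ex(domain)
    except socket.gaierror:
        return set()
    return set(ips)


if __name__ == "__main__":
    for f in check_answers(EXPECTED, OBSERVED):
        print(f"{f.severity:17} resolver={f.resolver} domain={f.domain} "
              f"unexpected={sorted(f.unexpected)} missing={sorted(f.missing)}")
```

Run as-is, the script reports the "9.9.9.9" sample as a suspected hijack and "corp-dns" as a partial answer; the two consistent resolvers produce no finding. In production the OBSERVED dict would be filled from periodic queries against several independent resolvers (live_answers covers only the local one), and a HIJACK_SUSPECTED finding would be paired with a TLS check of the returned address, since a redirected host cannot present a valid certificate for the domain, which is exactly the warning the user in the article saw and overrode.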