A hacker managed to phish cryptocurrency holders on Tuesday morning by briefly hijacking internet traffic from MyEtherWallet.com.
For about two hours, the hacker re-routed traffic from the cryptocurrency wallet provider to a lookalike version of the site. The bogus site secretly funneled any deposits in the Ether virtual currency to a hacker-controlled address.
Unfortunately, dozens of people may have fallen for the scheme. The hacker-controlled address shows it receiving about 180 transactions during the incident, before transferring 215 in Ether (or about $151,000) to a separate wallet.
UK-based security researcher Kevin Beaumont noticed the attack and said the culprit ran the fake MyEtherWallet site from a server in Russia. The hacker also appears to be quite wealthy, and controls a wallet that contains $17 million in Ether.
To pull off the phishing scheme, the hacker exploited the Domain Name System, or how the web routes traffic. The DNS essentially acts as the internet's phone book, translating domain names to IP addresses so that your computer can visit a website.
How the hackers tampered with the DNS traffic isn't clear. But Beaumont said in his blog post that it involved re-routing traffic from Amazon's internet infrastructure, which is used by many major websites.
MyEtherWallet confirmed the incident but insisted it was "not due to a lack of security on the @myetherwallet platform." Instead, it blamed "a decade-old hacking technique [whereby] hackers find... vulnerabilities in public facing DNS servers."
"A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime," according to MyEtherWallet, which also urged people "to ignore any tweets, reddit posts, or messages of any kind which claim to be giving away or reimbursing ETH on behalf of MEW (MyEtherWallet)."
People who visited the hacker's MyEtherWallet page during the incident would've encountered a pop-up in their browser, warning them that the site was using an untrusted digital certificate. However, users may have ignored the alert, not realizing it meant the site was a fake.
But perhaps the larger worry is whether the hacker can pull off the hijacking again. In his blog post, Beaumont said no one noticed the attack until after it stopped, and other sites may have been targeted, too.