Popular crypto wallet MEW hit by DNS attack that drained some users’ accounts – TechCrunch
There may be concern, tears and misplaced cash on the earth of crypto as soon as once more after MyEtherWallet (MEW), probably the most fashionable wallets on the web, was hit by a DNS hack that noticed some customers lose their cryptocurrency.
MEW mentioned in an announcement that “a few Area Title System registration servers had been hijacked round 12PM UTC 24 April to redirect customers to a phishing website.” Not all guests to the location throughout the hijack had been impacted, however MEW mentioned that “a majority” of those that had been had been utilizing Google’s DNS.
“We’re at present within the means of verifying which servers had been focused to assist resolve this problem as quickly doable,” the corporate added, confirming that it has since secured its web site. The corporate recommends those that had used Google DNS to change to Cloudflare’s.
Wikipedia, country-specific variations of Microsoft, Google and PayPal and even banks have been hit by related assaults earlier than.
An incident like this doesn’t compromise the location straight, however, within the case of MEW, it led some customers of the service to insecure web sites that aren’t MEW. From there, those that entered non-public key data with out realizing that they had been phished risked having their information snagged by the attackers on the opposite aspect. With that data, the attackers might acquire entry to their account and drain its contents. (Be aware: it is a superb purpose why persons are suggested to by no means enter non-public keys manually, and why safe is extremely really useful.)
It’s arduous to quantify the affect of an assault like this as a result of MEW is such a well-used and trusted service, whereas MEW mentioned it’s nonetheless gathering data on precisely what occurred.
Coindesk stories that $150,000, or 216 Ether, was taken, however the determine is probably going greater. One fraud tracker recognized two wallets (right here and right here) used within the assault, and so they result in what seems to be like a holding pockets (right here) that collected over 520 Ether at present. That might be round $365,000 at at present’s value of $700 per ETH.
The precise quantity taken may very well be greater nonetheless. The holding pockets results in a bigger pockets which has a steadiness of over $17 million in Ether and a continuing stream of incoming transactions. That’s to not say that $17 million was stolen — that isn’t possible — however the attackers may very well be utilizing different wallets which haven’t but been tracked however ultimately result in this bigger one.
Past utilizing like Trezor or Ledger, crypto pockets customers — properly, web customers generally — ought to test that the SSL of a web site (proven to the left of the area identify within the browser bar) is safe when they’re coping with non-public data.
That’s the message that MEW gave to its group.
“Customers, PLEASE ENSURE there’s a inexperienced bar SSL certificates that claims “MyEtherWallet Inc” earlier than making any transactions. We advise customers to run an area (offline) copy of the MEW (MyEtherWallet). We urge customers to make use of wallets to retailer their cryptocurrencies,” it mentioned in a Reddit assertion.
These on the lookout for an alternative choice to MEW might flip to MyCrypto, which was began in February by a former MEW co-founder and affords the same service. Neither website holds customers’ crypto or data, as an alternative they permit the checking of accounts and allow transactions to be despatched to the blockchain, after which they’re ferried on to the meant recipient.
Disclosure: The writer owns a small quantity of cryptocurrency. Sufficient to achieve an understanding, not sufficient to alter a life.
Supply hyperlink – https://techcrunch.com/2018/04/24/myetherwallet-hit-by-dns-attack/