The story about MyEtherWallet.com hijack or how to become a millionaire in 2 hours.
- Subject: The story about MyEtherWallet.com hijack or how to become a millionaire in 2 hours.
- From: hank at efes.iucc.ac.il (Hank Nussbacher)
- Date: Wed, 25 Apr 2018 09:19:58 +0300
On 25/04/2018 08:29, Hank Nussbacher wrote:
> On 24/04/2018 21:35, Fredrik Korsbäck wrote:
>> TLDR; So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
>> IP-space, containing quite a lot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
>> pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
>> with a bogus SSL-cert (but still pretty good) (https://126.96.36.199/)
>> I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939)
>> that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the
>> problem in almost all recent hijacks.
> In addition to HE there was AS19151 - WV Fiber that accepted the /24s,
> but based on BGPlay (attached) it seems that the main culprit was HE
> that propagated it onward.
Would appear no attachments allowed :-(
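
The thread describes more-specific /24s being originated by AS10297 and accepted by upstreams. As an added example (not part of the original messages), the following sketches RFC 6811 route origin validation, one way a receiving network could classify such announcements, assuming the legitimate holder had published a ROA. The prefixes (taken from the 198.18.0.0/15 benchmarking range), AS64496 and AS64500 are constructed; only AS10297 comes from the thread.

```python
import ipaddress
from typing import NamedTuple


class Roa(NamedTuple):
    prefix: ipaddress.IPv4Network  # covering prefix the holder authorised
    max_length: int                # longest prefix length allowed under it
    origin_as: int                 # AS authorised to originate it


def validate(prefix: str, origin_as: int, roas: list[Roa]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        # Only ROAs whose prefix covers the announced route are relevant.
        if route.version != roa.prefix.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but no match: wrong origin and/or too specific.
    return "invalid" if covered else "not-found"


# Constructed ROA: the aggregate is authorised for AS64496 with no de-aggregation.
ROAS = [Roa(ipaddress.ip_network("198.18.0.0/23"), 23, 64496)]

# Constructed announcements modelled on the pattern described in the thread.
ANNOUNCEMENTS = [
    ("198.18.0.0/23", 64496),   # legitimate aggregate
    ("198.18.0.0/24", 10297),   # de-aggregated /24 from an unauthorised origin
    ("198.18.1.0/24", 10297),   # second half of the aggregate, same pattern
    ("198.18.1.0/24", 64496),   # right origin, but longer than max_length
    ("203.0.113.0/24", 64500),  # no covering ROA at all
]


def classify(announcements, roas):
    """Return (prefix, origin AS, validation state) for each announcement."""
    return [(p, asn, validate(p, asn, roas)) for p, asn in announcements]


if __name__ == "__main__":
    for p, asn, state in classify(ANNOUNCEMENTS, ROAS):
        print(f"{p:<18} AS{asn:<6} {state}")
```

A router or monitoring job that drops or alerts on `invalid` would reject both /24s from AS10297, while `not-found` routes show why the check only helps for address space that has a ROA.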