Native speakers of Russian were likely involved in a sophisticated hack that redirected traffic to Amazon’s Route 53 DNS service last month in order to steal funds from users of MyEtherWallet, a tool for managing the cryptocurrency ethereum, according to a report from security firm RiskIQ.
The hackers deployed a phishing toolkit called MEWkit, which mimics the functionality of MyEtherWallet in order to transfer victim funds to addresses under their control, according to the report. They also managed to send bogus messages through the Border Gateway Protocol, the mechanism internet service providers use to coordinate the routing of internet traffic, diverting traffic destined for Route 53 to servers under their control.
“Neither AWS nor Amazon Route 53 were hacked or compromised,” Amazon said in a statement at the time reported by The Verge. “An upstream Internet Service Provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.”
Then, when users tried to access MyEtherWallet.com and their DNS lookups reached those attacker-controlled servers, the servers responded with a bogus IP address for the domain name, sending them to a lookalike page running MEWkit within the network of the Russian web host WebShield. Though the users typed in the correct address, it was as if they had clicked a phishing link, as the site was set up to siphon coins from their wallets. They likely would have had to click through a warning about the site’s security certificate, according to RiskIQ.
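As an added illustration that is not part of the RiskIQ report or of this article, the following Python script shows the two defender-side checks the paragraph above implies: comparing the DNS answers several resolvers return for one name against the address space the real service is expected to live in (a hijacked answer points somewhere else), and checking whether the certificate a site presents actually covers the hostname the user typed (the mismatch that produced the browser warning). The expected prefix, the resolver names, the observed answers and the certificate name lists are all constructed sample data, so the script runs offline; nothing here queries real DNS or real servers.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: the prefix the legitimate service is expected to resolve
# into. A real deployment would take this from the service owner's records.
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: A-record answers returned by three resolvers for the same
# name. "resolver-b" returns an address outside the expected prefix, which is
# the shape of a poisoned or hijacked answer.
OBSERVED_ANSWERS: Dict[str, List[str]] = {
    "resolver-a": ["203.0.113.10", "203.0.113.11"],
    "resolver-b": ["198.51.100.7"],
    "resolver-c": ["203.0.113.10"],
}


def unexpected_answers(observed: Dict[str, List[str]],
                       expected_prefixes: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Return {resolver: [answers that fall outside every expected prefix]}.

    Resolvers whose answers all sit inside the expected space are omitted,
    so a non-empty result is the alert condition.
    """
    prefixes = list(expected_prefixes)
    flagged: Dict[str, List[str]] = {}
    for resolver, answers in observed.items():
        bad = [
            a for a in answers
            if not any(ipaddress.ip_address(a) in p for p in prefixes)
        ]
        if bad:
            flagged[resolver] = bad
    return flagged


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    A leading "*." wildcard matches exactly one DNS label, which is the usual
    browser rule; everything else is a case-insensitive exact match.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.test"
        if not hostname.endswith(suffix):
            return False
        leading = hostname[:-len(suffix)]    # the part the wildcard must cover
        return leading != "" and "." not in leading
    return pattern == hostname


def cert_covers_host(san_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the requested hostname."""
    return any(_name_matches(n, hostname) for n in san_names)


def triage(observed: Dict[str, List[str]],
           expected_prefixes: Iterable[ipaddress.IPv4Network],
           san_names: Iterable[str], hostname: str) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for resolver, bad in unexpected_answers(observed, expected_prefixes).items():
        findings.append(f"{resolver}: answer(s) {bad} outside expected prefixes")
    if not cert_covers_host(san_names, hostname):
        findings.append(f"certificate does not cover {hostname}")
    return findings


if __name__ == "__main__":
    # Constructed certificate names: a cert issued for some other name, as a
    # lookalike page would present when reached through a hijacked answer.
    for line in triage(OBSERVED_ANSWERS, EXPECTED_PREFIXES,
                       ["lookalike.example.test"], "myetherwallet.com"):
        print("ALERT:", line)
```

Comparing answers across several independent resolvers is the point of the first check: a single resolver cannot tell a hijacked answer from a legitimate one, but a resolver that disagrees with the others and with the expected prefix is worth an alert. The certificate check deliberately implements only the one-label wildcard rule rather than calling a deprecated helper, so it behaves the same on current Python releases.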
Comments in the phishing site’s code suggest it was written by a native Russian speaker, according to the report. Exactly how much was stolen, and who stole it, remains unclear.
“Until the actor is apprehended or law enforcement provides insights into the exact addresses used in the MEWKit attacks, we will never know its precise haul,” according to the report. “We do know that various wallets have been published on social media and forums that ostensibly amount to many millions of dollars in revenue, but we have no way to link this to MEWKit with high confidence. However, with the number of domains registered, the servers maintained, and the high levels of activity, we can surmise that the income from this attack must be substantial enough to not only sustain the operation but also make a profit.”