On 24 April, between 13:05 and 14:55 hrs Dutch time, hackers carried out an attack with the aim of stealing cryptocurrency. The website https://www.myetherwallet.com/ was the victim of a Border Gateway Protocol (BGP) hijack, as a result of which users of this website unknowingly visited a copy of it that was hosted on a server in Russia. Unsuspecting users who made a transaction there with their private key were robbed by the hackers. It appears that 215 Ethereum (around EUR 122,000) was stolen in this way. To understand how this could happen, we need to go back to basics: how does the internet work, and how does it deliver my data packets to the correct recipient?
To ensure, on a worldwide scale, that your data arrives at the correct location, the Border Gateway Protocol (BGP) is used: it is the protocol by which the routers of the internet exchange routing information. The sender and recipient addresses are IP addresses, so the BGP network needs to know which networks are responsible for which IP ranges.
BGP hijack: how the internet works
Agreements are made on a worldwide basis about who has control over which IP ranges. The parties responsible then advertise these IP ranges to each other, so that it becomes clear to which network the data must be sent. This is the core of the internet, and it stems from the time when the internet was a small network in which everyone knew and trusted each other. Since the backbone of the internet still works in this way, it gives a hacker the possibility of advertising an IP range that belongs to another party, so that data packets end up at the hacker. Even so, carrying out such an attack is not a simple matter.
During the hack in question, an attacker advertised that he had a route to a series of IP addresses that actually belong to Amazon. Part of these IP addresses was used to provide Domain Name System (DNS) service for many of Amazon's customers, including www.myetherwallet.com. To understand how the hackers were able to take advantage of this BGP hijack, it helps to know how we get from the name www.myetherwallet.com to an IP address.
What is DNS?
When we use the internet, we do so by requesting a host name, for example www.computest.nl. Since the actual communication takes place over IP, the host name must first be converted into an IP address. This is done by the Domain Name System, or DNS. As a user, you ask a DNS server which IP address belongs to a particular host name, and you then connect to the IP address that the DNS server gives in its answer.
The MyEtherWallet hack
In this case, the hacker advertised that he had the route to an IP range belonging to Amazon. The server that converts www.myetherwallet.com into an IP address was also within this range. When a user wants to go to www.myetherwallet.com, he or she is first referred to a server of Amazon to request the associated IP address (DNS). Because the hacker has claimed the route to this specific Amazon server, the DNS request arrives at the hacker, who answers with an IP address under his or her own control. And so the unsuspecting user arrives at a website belonging to the hacker.
The hacker had hosted a website at this IP address with exactly the look and feel of the genuine MyEtherWallet application, so that users could not distinguish it from the genuine website. Users did, however, receive a warning in the browser that the SSL certificate was not right: the certificate was signed by an untrusted source, and modern browsers warn users about this. Despite this warning, users could still continue once they had clicked through it.
In this case, the user arrived at a copy of www.myetherwallet.com, and if he or she used his or her private key to make a transaction, that key was forwarded to the hacker. This gave the hacker full access to the user's wallet, after which the hacker could steal all of the available cryptocurrency.
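The DNS step described above is where a site operator can look for the symptom: an answer for the site's name that points outside the address ranges the site is known to use. The following Python snippet is an added example for this page (not Computest's or MyEtherWallet's code). It builds a minimal DNS response offline from constructed data, parses the A records out of it (including compressed names, with a guard against pointer loops), and reports any address that falls outside an expected range. The name wallet.example and the ranges 192.0.2.0/24 and 198.51.100.0/24 are documentation values chosen for the example.

```python
import ipaddress
import struct


def build_response(qname: str, ips, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response (one A question, one A answer per IP) so the
    parser below can be exercised offline. Constructed test data, not a capture."""
    def encode_name(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to offset 12, i.e. the question name
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(ip).packed
    return header + question + answers


def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed DNS name; returns (name, offset after the name)."""
    labels, end, jumps = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                         # the name field itself is 2 bytes
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(pkt: bytes):
    """Return (question name, [A record addresses]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        off += 4                                      # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return qname, addrs


def unexpected_answers(pkt: bytes, expected_nets):
    """Monitoring check: every A record must fall inside a known-good range for the
    service; anything else is returned so it can be alerted on."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    _, addrs = parse_a_records(pkt)
    return [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)]


# Constructed data: the wallet site is known to live in 192.0.2.0/24.
EXPECTED = ["192.0.2.0/24"]
GOOD = build_response("wallet.example", ["192.0.2.10"])
HIJACKED = build_response("wallet.example", ["198.51.100.7"])

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("hijacked", HIJACKED)):
        print(label, parse_a_records(pkt), "unexpected:", unexpected_answers(pkt, EXPECTED))
```

A check of this kind, run periodically against the resolvers your users actually rely on, turns a wrong answer into an alert instead of a silent redirection. Pinning the expected ranges is something the site operator can do even though the hijack itself happens outside the application.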
In what way could the hack have been prevented?
During the BGP hijack, and shortly afterwards, MyEtherWallet was given the full blame. However, MyEtherWallet could not have prevented this hack, in the sense that the hackers did not make use of any vulnerability in the MyEtherWallet application. An important factor in this attack was that the checks on the advertising of IP ranges in BGP are limited. At various points in the chain, from the advertising of the Amazon IP ranges through to the DNS request for the IP address of www.myetherwallet.com, checks could have been carried out that might have stopped the attack. Such checks are not a standard part of BGP, however, which means that the system still operates mainly on the basis of trust.
The end user could also have protected himself or herself better by paying attention to the SSL error that the browser reported. Such warnings are given for a reason, and particularly when money is involved, possibly a great deal of money, the end user should be especially careful.
Cryptocurrency attractive to hackers
Hackers are always thinking up new ways of carrying out attacks aimed at stealing cryptocurrency. A great deal of money is involved in this market nowadays, and there is little oversight of it, which of course makes it an attractive target. It therefore remains very important that companies active in this area pay plenty of attention to the quality and security of their product. And it goes without saying that end users must be aware of the dangers and fully understand the risks involved in trading cryptocurrency.