AWS traffic hijack: Users sent to phishing site in two-hour cryptocurrency heist

Criminals pull off a brazen attack using weakness in core internet infrastructure.

Attackers on Tuesday pulled off a complex attack using kinks in core internet infrastructure that caused users of an Ethereum wallet developer's website to be redirected to a phishing site.

Users of MyEtherWallet.com lost around $150,000 to the attackers after failing to take heed of an HTTPS browser warning that the site they'd been directed to was using a self-signed digital certificate.

MyEtherWallet.com developers said in a statement on Reddit that a number of Domain Name System (DNS) servers were hijacked at 12pm UTC to point users to a phishing site hosted on a Russian IP address. The redirects occurred for about two hours.

Anyone who logged into their account would have had their credentials compromised. Also, browsers already signed in would have transmitted login information via browser cookies. Both outcomes give the attackers a chance to log in to the real site and steal Ethereum.

See: The secret to being a great spy agency in the 21st century: Incubating startups

Cloudflare described the incident as a BGP or Border Gateway Protocol "leak" that allowed the attackers to wrongly announce protocol (IP) space owned by Amazon's Route 53 managed DNS service, which MyEtherWallet.com uses.

BGP maintains a table of available IP networks and finds the most efficient routes for internet traffic. ISPs announce IP addresses to other networks they peer with.

During the attack, eNet Inc, an Ohio-based IP service provider, was wrongly announcing parts of AWS's IP space to its peers and forwarded them to internet backbone provider Hurricane Electric, which in turn affected Cloudflare's DNS directory resolver.

"During the two hours leak, the servers on the IP range only responded to queries for MyEtherWallet.com," explained Cloudflare engineer Louis Poinsignon.

"Any DNS resolver that was asked for names handled by Route53 would ask the authoritative servers that had been taken over via the BGP leak. This poisoned DNS resolvers whose routers had accepted the route."

Because of this state of affairs, anyone using a poisoned DNS resolver, including CloudFlare's own one, would have been returned IP addresses owned by a Russian provider rather than Amazon's IP address.

Cloudflare's DNS resolver 1.1.1.1 was affected in Chicago, Sydney, Melbourne, Perth, Brisbane, Cebu, Bangkok, Auckland, Muscat, Djibouti, and Manilla, with the rest of the world working normally.

Amazon has issued a statement that an upstream ISP was compromised, not AWS or Amazon Route 53 itself.

"Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream internet service provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered," Amazon said.

"These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer's domain to the malicious copy of that domain."

See: Cyberwar: A guide to the frightening future of online conflict

Security expert Kevin Beaumont noted that the attackers were well-resourced, controlling a wallet that currently has nearly $16m in Ethereum. The incident also highlighted well-known weaknesses in core internet infrastructure.

"Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access," he wrote.

"The security vulnerabilities in BGP and DNS are well known, and have been attacked before. This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security. It also highlights how almost nobody noticed until the attack stopped. There is a blind spot."

Previous and related coverage

AWS announces Secrets Manager, more tools for security

"Security is all of our jobs," Amazon CTO Werner Vogels said Wednesday.

Amazon adds security monitoring and threat defence with GuardDuty

Powered by machine learning, Amazon GuardDuty analyses public and AWS-generated events to notify users of anomalies and offer remediation advice.

AWS acquires threat detection firm Sqrrl

Sqrrl's team has past connections to US intelligence agencies.