
Update 4/25: Cloudflare has published an article on the security incident that led to the MyEtherWallet theft. The firm explains that the attack was the result of a BGP leak, not a simple DNS hijack.

MyEtherWallet, a widely-used client-side Ethereum web wallet interface, fell prey to a DNS server hijacking scheme.

The attack occurred on Tuesday when a hacker hijacked MyEtherWallet’s domain name registration server and redirected MyEtherWallet.com visitors to a malicious copy of the website, which phished users’ private keys when they entered them into the system.

The wallet associated with the incident appears to have collected more than 215 ETH — worth approximately $150,000 at the present exchange rate — from the exploit. However, these funds have been transferred into another wallet that contains nearly 24,100 ETH (~$17 million), and this wallet has been linked to other Ethereum-related phishing scams in the past.

In a statement, MyEtherWallet stressed that DNS hijacking is a common exploit and that these attacks are not the fault of the affected organizations.

“This is not due to a lack of security on the @myetherwallet platform,” the company said on Reddit. “It is due to hackers finding vulnerabilities in public facing DNS servers.”

“A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime,” the statement added.
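The statement above describes the symptom users could actually observe: one public resolver handed out the attacker’s address while another did not (the update at the top attributes the root cause to a BGP leak rather than a resolver compromise, but the visible effect was the same). The script below is an added example, not MyEtherWallet’s code or anything from the article: it queries a hostname through several public resolvers with a minimal standard-library DNS client and reports any resolver whose answer set differs from the majority. The resolver addresses (8.8.8.8 and 1.1.1.1 are Google and Cloudflare, which the statement names; 9.9.9.9, Quad9, is added as a third opinion), the default hostname and the constructed sample reply are all assumptions of this example.

```python
import random
import socket
import struct
from collections import Counter

# Assumed resolver set for this example: the two named in the statement plus Quad9.
PUBLIC_RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}


def _encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, txid):
    """Standard query header (RD set), one question for an A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(msg, offset):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg, expected_txid):
    """Extract IPv4 answers; reject mismatched transaction ids and error rcodes."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (unsolicited or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("resolver returned rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    addrs = set()
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.add(socket.inet_ntoa(rdata))
    return addrs


def query_a(name, resolver_ip, timeout=3.0):
    """Send one UDP query to a specific resolver and return its A records."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_divergent_resolvers(answers):
    """answers: {resolver: set of IPs}. Return resolvers whose answer set is not
    the majority answer; when no answer set has a majority, return all of them."""
    if not answers:
        return {}
    tally = Counter(frozenset(a) for a in answers.values())
    consensus, count = tally.most_common(1)[0]
    if count < 2 and len(answers) > 1:
        return dict(answers)
    return {r: a for r, a in answers.items() if frozenset(a) != consensus}


def constructed_response(name, txid, addrs):
    """Build a reply shaped like a resolver's (constructed sample for offline use)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + question + rrs


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed default
    seen = {}
    for label, ip in PUBLIC_RESOLVERS.items():
        try:
            seen[label] = query_a(host, ip)
        except (OSError, ValueError) as exc:
            print("%-10s error: %s" % (label, exc))
    for label, addrs in seen.items():
        print("%-10s %s" % (label, ", ".join(sorted(addrs))))
    odd = find_divergent_resolvers(seen)
    print("divergent:", sorted(odd) if odd else "none (all resolvers agree)")
```

Run it as `python dnscheck.py myetherwallet.com` (any hostname works). A divergent resolver is a prompt to investigate, not proof of a hijack: sites behind CDNs legitimately return different addresses by region, so compare the odd answer against the operator’s published addresses or certificate before drawing conclusions. The transaction-id check in `parse_a_records` is deliberate; a reply whose id does not match the outstanding query is discarded rather than trusted.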

MyEtherWallet is not the first cryptocurrency website to be the victim of a DNS hijacking scheme. Both BlackWallet — which stores Stellar lumens — and decentralized ERC20 token exchange EtherDelta have been hit with similar attacks in recent months.

Notably, users who were directed to the malicious website were safe if they accessed the site using a hardware wallet, as private keys never leave these devices.

To avoid future incidents, MyEtherWallet advised users to take several steps to protect themselves from phishing scams.

In addition to storing funds in a hardware wallet, the company said that users should download and run an offline copy of MyEtherWallet, which can be obtained from the company’s code repository on GitHub.

It’s also a wise idea to install a browser extension that will block web addresses that are known to be malicious. Many Chrome users choose MetaMask, which doubles as an Ethereum wallet.

Featured Image from Pixabay


A developer with Parity Technologies has published an Ethereum Improvement Proposal (EIP), EIP 999, that seeks to un-freeze the hundreds of millions of dollars worth of ether currently stuck in multi-sig contracts.

EIP 999, drafted by Parity’s Afri Schoedon, proposes that the contract code of Parity’s now-frozen wallet library contract should be patched so that funds stored in affected wallets can be reclaimed by their owners.

Funds in Parity-based multi-sig wallets have been frozen since last November when pseudonymous GitHub user “devops199” reported that he or she had accidentally exploited a bug in Parity’s multi-sig wallet library contract.

Devops199 inadvertently caused the contract to self-destruct, ultimately freezing funds stored in every multi-sig wallet that interfaced with the Parity library contract.

Approximately 513,000 ETH, stored across 584 different wallets, were permanently locked up as a result of the bug. Those funds were worth approximately $150 million at the time; today, they are worth closer to $260 million, and that figure doesn’t include the value of ERC20 tokens that are also stored in the wallets.

From the proposal:

“This proposal is necessary because the Ethereum protocol does not allow the restoration of self-destructed contracts and there is no other simple way to enable the affected users and companies regaining access to their tokens and Ether. In opposite to previously discussed proposals, this will not change any EVM semantics and tries to achieve the goal of unfreezing the funds by a single state transition as specified in the next section.”

Since the Ethereum protocol does not currently allow the restoration of self-destructed contracts, the proposal would need to be activated through a hard fork. Schoedon suggested that it should be included in the list of EIPs implemented in Constantinople, Ethereum’s next planned hard fork.

However, despite precedent in the form of the DAO hard fork, previous proposals to recover the locked Parity funds have been met with resistance by the Ethereum community.



Coinbase has acquired Cipher Browser, an Ethereum wallet and Web 3 browser that allows mobile users to access decentralized applications (DApps) that run on the Ethereum blockchain.

The San Francisco-based cryptocurrency exchange and brokerage platform made the announcement on Friday, just weeks after revealing that it intended to work to ensure that its products were compatible with ERC20 tokens.

Coinbase already has its own mobile Ethereum wallet and DApp browser, Toshi, which is available for both iOS and Android devices. In addition to letting mobile users access DApps like CryptoKitties, the app also has a built-in messaging system, which uses the Signal protocol to offer end-to-end encrypted chats.

Terms of the deal were not disclosed, but the company did reveal that Peter Kim, Cipher’s creator, would join Coinbase as Toshi’s new head of engineering and work to integrate many of Cipher’s features into Toshi.

One of those features will be support for testnets, which allow developers to test their apps in a sandbox that mimics real-world implementation without having to risk actual funds. The lack of testnet support in Toshi had been a sticking point for DApp developers.

That Kim will immediately transition to developing Toshi is not surprising, as Emilie Choi — Coinbase’s new vice president of corporate and business development — is a fan of “acqhiring,” a strategy whereby a firm buys out another company primarily for the staff and their expertise.

As BlockExplorer reported, Coinbase is also rumored to be in discussions to acquire Earn.com, a paid messaging platform that rewards users with cryptocurrency for replying to emails and completing other microtasks.

Coinbase also recently launched a venture capital fund, which will provide cryptocurrency startups with seed funding. The fund will open with $15 million, and the company said this number will grow along with Coinbase itself.
