nanog mailing list archives

Re: The story about MyEtherWallet.com hijack or how to become a millionaire in 2 hours.


From: Jack Bates <jbates () paradoxnetworks net>
Date: Tue, 24 Apr 2018 15:34:47 -0500

On 4/24/2018 1:35 PM, Fredrik Korsbäck wrote:
Surprised this hasn't "made the news" over at this list yet.

In the old days, the list membership would have noticed the hijack. BGP hijacks used to be a somewhat popular topic, but like spammer chasing, I think everyone grew bored of it and the lack of things actually being done.

TLDR; So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
IP-space, containing quite a lot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)


Why did they use a self-signed cert? If you control the dns or the endpoint, you can easily get a signed cert. Given how lax people were at detecting this, they would have gotten further if people hadn't been complaining about the cert notification.

Jack
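The hijack pattern Fredrik describes (more-specific announcements for someone else's space from an unrelated origin AS) is exactly what route-origin validation is built to catch. The script below is an added illustration, not code from this thread or from any of the parties involved: it applies RPKI-style origin validation to a constructed route feed. The ROA table, the "PREFIX|AS_PATH" collector line format, and all prefixes and ASNs (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs) are assumptions chosen so the example runs offline; in practice the table would come from validated ROAs and the feed from a collector or your own routers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed authorization table modelled on RPKI ROAs: a covering prefix,
# the set of origin ASNs allowed to announce it, and the longest prefix
# length those ASNs may announce (the ROA maxLength). Documentation
# prefixes and ASNs only, not real routes.
ROAS: List[Tuple[str, Set[int], int]] = [
    ("198.51.100.0/22", {64500}, 24),   # e.g. a cloud provider's DNS block
    ("203.0.113.0/24", {64501}, 24),
]


@dataclass
class Verdict:
    prefix: str
    origin: int
    state: str                      # valid | invalid-origin | invalid-length | unknown
    covered_by: Optional[str] = None


def parse_route(line: str) -> Tuple[str, int]:
    """Parse one constructed collector line 'PREFIX|AS_PATH' into
    (prefix, origin ASN). The origin is the last ASN in the path; an
    AS-set origin such as {64500,64501} is rejected because it hides
    which AS actually originated the route."""
    prefix, path = (f.strip() for f in line.split("|", 1))
    ipaddress.ip_network(prefix)            # raises ValueError on bad input
    last = path.split()[-1]
    if last.startswith("{"):
        raise ValueError(f"AS-set origin in {line!r}")
    return prefix, int(last)


def validate(prefix: str, origin: int) -> Verdict:
    """RPKI-style route-origin validation: a route is valid only if some ROA
    covers it, lists its origin, and permits its prefix length. A
    de-aggregated announcement from an unauthorized AS, the pattern in
    this thread, comes back as 'invalid-origin'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for p, asns, maxlen in ROAS:
        roa_net = ipaddress.ip_network(p)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, asns, maxlen))
    if not covering:
        return Verdict(prefix, origin, "unknown")
    state, covered_by = "invalid-origin", None
    for roa_net, asns, maxlen in covering:
        covered_by = str(roa_net)
        if origin in asns:
            if net.prefixlen <= maxlen:
                return Verdict(prefix, origin, "valid", covered_by)
            state = "invalid-length"      # rightful origin, but too specific
    return Verdict(prefix, origin, state, covered_by)


def audit(feed: List[str]) -> List[Verdict]:
    """Run every line of a collector feed through validate()."""
    return [validate(*parse_route(line)) for line in feed]


# Constructed feed lines, not a real BGP dump.
SAMPLE_FEED = [
    "198.51.100.0/22|64496 64497 64500",   # legitimate aggregate
    "198.51.100.0/24|64496 64511",         # more-specific from an unauthorized AS
    "198.51.100.0/25|64496 64497 64500",   # too specific even for the owner
    "192.0.2.0/24|64496 64502",            # no ROA at all
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FEED):
        print(f"{v.prefix:18} AS{v.origin:<6} {v.state:15} roa={v.covered_by}")
```

The second feed line is the one to alarm on: a /24 carved out of a covered /22 by an origin the ROA does not list wins best-path against the legitimate aggregate, which is why a hijack of this shape works until someone notices. Routers doing RPKI origin validation would drop it; on a network without that, feeding collector data through a check like this is the cheapest way to at least be told.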

