How did some Ethereum users find themselves with empty wallets?

On the evening of June 29 (ET), users of Classic Ether Wallet were alerted to the sort of news anyone who invests in cryptocurrencies must dread.

It’s not clear who first noticed that something was awry with the wallet’s classicetherwallet.com domain, but Twitter was soon spewing warnings. By the early hours of the following morning, the Ethereum Classic cryptocurrency feed offered this confirmation that something unusual was up:

*Warning* We have reason to believe https://ClassicEtherWallet.com has been hijacked. Do not use!!

By the time Cloudflare started warning visitors to the domain about a phishing attack, the news started to sink in: an attacker had taken control of the domain, which meant that anyone using accounts on it to store Ethereum Classic (ETC) currency (1 ETC = roughly $18) from the moment of the takeover would potentially have had them pilfered.

With panic setting in, and no quick way to take back the hijacked domain or have it blacklisted until Cloudflare stepped in, some users reportedly even suggested launching a defensive DDoS attack on it to render it unreachable.

Comments on a Reddit thread suggest that hundreds of users might have lost currency worth several hundred thousand dollars, with the attacker manually transferring sums out in small batches. Addresses and keys deposited before the attack were said to be safe.

How on earth did it come to this?

Hackers successfully targeting cryptocurrency wallets used to store virtual currency in supposed safety is far from a new phenomenon. What grabs the attention with this attack – and will doubtless lead to soul-searching – is the relatively simple weakness exploited to pull it off.

For background, Ethereum is actually two currencies: plain Ethereum (ETH) and the Ethereum Classic involved in this incident. How Ethereum came to fork this way is a rather involved story connected to a hack of the currency’s Decentralized Autonomous Organization (DAO) crowdfunding initiative in 2016, which readers can read up on from a number of sources.

Suffice it to say that Classic Ether Wallet is not the only wallet for ETC, but it is a popular choice on the back of its ease of use – it even offers a Chrome browser extension, for example.

When it was set up last year, its admins seem to have overlooked setting a registry lock (basically more verification and time delay before changes can be made to a domain), which must have been noticed by the attacker.
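A registry lock shows up in a domain’s public RDAP record as the `server*Prohibited` EPP statuses (spelled out in words per RFC 8056), so the absence of those statuses is something a domain owner can check for themselves. The script below is an added example, not code from the article or from Classic Ether Wallet: it inspects a constructed RDAP document (a real one comes from the registry’s RDAP service, found via the IANA bootstrap file at https://data.iana.org/rdap/dns.json) and reports which lock tiers are missing and whether the published nameservers have drifted from a known-good baseline.

```python
"""Report missing domain locks and nameserver drift from an RDAP record.
Added example; the RDAP document below is a constructed sample."""
import json

# RFC 8056 maps EPP status codes to lower-case words in RDAP responses.
REGISTRY_LOCKS = {"server update prohibited", "server transfer prohibited",
                  "server delete prohibited"}
REGISTRAR_LOCKS = {"client update prohibited", "client transfer prohibited",
                   "client delete prohibited"}


def lock_report(rdap: dict) -> dict:
    """Say whether each lock tier is fully present and list missing statuses."""
    status = set(rdap.get("status", []))
    return {
        "registry_lock": REGISTRY_LOCKS <= status,
        "registrar_lock": REGISTRAR_LOCKS <= status,
        "missing": sorted((REGISTRY_LOCKS | REGISTRAR_LOCKS) - status),
    }


def nameserver_drift(rdap: dict, baseline: set) -> set:
    """Return published nameservers that are not in the known-good baseline."""
    current = {ns["ldhName"].lower().rstrip(".")
               for ns in rdap.get("nameservers", [])}
    return current - baseline


# Constructed sample: only a registrar-side transfer lock, no registry lock,
# and one nameserver that the owner never configured.
SAMPLE = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example-wallet.test",
  "status": ["client transfer prohibited", "active"],
  "nameservers": [{"ldhName": "NS1.EXAMPLE-HOSTING.TEST."},
                  {"ldhName": "ns2.unexpected.test"}]
}""")
BASELINE_NS = {"ns1.example-hosting.test", "ns2.example-hosting.test"}

if __name__ == "__main__":
    print(json.dumps(lock_report(SAMPLE), indent=2))
    print("unexpected nameservers:", nameserver_drift(SAMPLE, BASELINE_NS))
```

Run it on a schedule against the live RDAP record and alert on any change in either result; a registrar-only lock is still better than nothing, but only the `server*` statuses stop the registry itself from honouring a change request.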

It has been claimed (although not confirmed) that the attacker simply phoned up the German company looking after the domain and had them point it at a new rogue domain impersonating the real site.

If you were being kind to the admins you might describe this as the ultimate phishing attack, but that would imply that the users were somehow at fault when they clearly weren’t.  As far as they were concerned, they were logging into the correct domain.

The infuriating thing is that this sort of lateral attack, which skirts security by attacking weaknesses in authentication (ie, in who is allowed to change where a domain points and how that change is verified), has been used against domain owners before.

In 2013, the Syrian Electronic Army (SEA) pulled off a thematically related coup by using a hacked reseller account to alter the DNS records for a swathe of famous domains, including the New York Times, The Huffington Post and The Times. The same MO last year allowed attackers to take over numerous domains associated with a Brazilian bank.

These were much more serious attacks than the one on Classic Ether Wallet, albeit that they didn’t involve individuals losing money. The lesson remains the same: why should hackers batter down the front gate when the side entrance is wide open?