You may have been so wrapped up in this week's biggest news stories: a truce among the Koreas, the cat that took over JFK, the teacher walkouts in Colorado and Arizona, the Kanye/Trump lovefest, Shaquem Griffin becoming the first one-handed player to be drafted in the modern era of the NFL, the blockbuster release (as if there were any doubt) of Avengers: Infinity War... that you missed the slight disturbance at the world's retail Mecca on Tuesday, April 24. We of course are talking about the undetected hijacking of the most-beloved non-store store in the world (and maybe even the cosmos? We'll have to ask Thanos next time we see him), Amazon.
The attack, which lasted about two hours, redirected a portion of Amazon.com's traffic, approximately 1300 IP addresses, to a malicious version of MyEtherWallet in an attempt to siphon cryptocurrency from unsuspecting customers who thought they were logging in to their own cryptocurrency wallets. According to Ars Technica, via Digital Trends, the wallet into which the stolen cryptocurrency was being deposited already contained almost $27 million worth of cryptocurrency.
Speculation has already begun that the attack may have been state-sponsored by Russia, as the traffic was redirected through a server hosted in Russia that was also presenting a fake certificate. Even though only a relatively small amount of cryptocurrency was stolen in this instance, it is believed similar attacks were also committed by the same group(s) in 2013, as all the attacks used the same Border Gateway Protocol (BGP) exploit. It is also being speculated that this week's attack was part of a larger campaign, with the Amazon branch being the only one that was noticed.
Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resources to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access.
- Kevin Beaumont, Security Researcher
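The attack described above works because BGP lets any sufficiently connected network announce an IP prefix it does not own, and the rest of the internet will route traffic to it. Route monitoring is how operators notice this: compare every announcement seen by route collectors against the set of origins authorised to announce each prefix (RPKI ROAs, or an operator's own allowlist). The following is an added example, not code from the article or from any of the organisations it mentions. All prefixes (TEST-NET ranges), AS numbers (private range) and collector names are constructed placeholders, not values from the incident. It flags both an exact-prefix hijack and the more dangerous case of an unauthorised more-specific announcement, which wins longest-prefix-match wherever it propagates.

```python
"""Detect BGP prefix hijacks from a feed of route announcements.

Added example; the feed below is constructed sample data and every prefix,
ASN and collector name is a placeholder.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Authorised prefix -> allowed origin ASNs. A stand-in for RPKI ROAs or an
# operator allowlist. Constructed placeholder values.
AUTHORISED: Dict[ipaddress.IPv4Network, Set[int]] = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/23"): {64500, 64501},
}


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as a route collector would record it (simplified)."""
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour that sent it, rightmost = origin
    peer: str                  # which collector session observed it

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def authorised_for(prefix: str) -> List[Tuple[ipaddress.IPv4Network, Set[int]]]:
    """Authorised entries that equal or contain `prefix` (same address family)."""
    net = ipaddress.ip_network(prefix)
    return [(auth, origins) for auth, origins in AUTHORISED.items()
            if net.version == auth.version and net.subnet_of(auth)]


def classify(ann: Announcement) -> str:
    """Return 'valid', 'unknown', 'hijack' (exact prefix, wrong origin) or
    'subprefix-hijack' (more-specific of an authorised block, wrong origin)."""
    net = ipaddress.ip_network(ann.prefix)
    covering = authorised_for(ann.prefix)
    if not covering:
        return "unknown"          # not a block we are responsible for
    allowed = set().union(*(origins for _, origins in covering))
    if ann.origin in allowed:
        return "valid"
    # A more-specific beats the legitimate route everywhere it propagates,
    # so it is named separately from an exact-prefix hijack.
    return "hijack" if net in AUTHORISED else "subprefix-hijack"


def detect(feed: List[Announcement]) -> List[dict]:
    """Scan a feed and return one alert per announcement that is a hijack."""
    alerts = []
    for ann in feed:
        kind = classify(ann)
        if kind in ("hijack", "subprefix-hijack"):
            alerts.append({"kind": kind, "prefix": ann.prefix,
                           "origin": ann.origin, "as_path": ann.as_path,
                           "peer": ann.peer})
    return alerts


# Constructed sample feed: private-range ASNs, TEST-NET prefixes.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64496, 64500), "collector-1"),          # legitimate
    Announcement("198.51.100.0/23", (64497, 64501), "collector-2"),         # legitimate, 2nd origin
    Announcement("203.0.113.0/24", (64497, 64666), "collector-2"),          # exact-prefix hijack
    Announcement("198.51.100.0/24", (64496, 64499, 64666), "collector-1"),  # more-specific hijack
    Announcement("192.0.2.0/24", (64496, 64502), "collector-1"),            # not a block we protect
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FEED):
        print(f"{alert['kind']:16} {alert['prefix']:18} origin AS{alert['origin']} "
              f"path {alert['as_path']} seen at {alert['peer']}")
```

In practice the feed would come from a route collector or a looking-glass API rather than a list literal, and an alert would be correlated with what the hijacked prefix serves (here, authoritative DNS) to judge impact. Detection at this layer is what gives defenders the two-hour window the article mentions; the fake certificate on the redirected site is the second, independent line of defence, and is what the browser warning on the malicious MyEtherWallet copy relied on.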