Cryptocurrency wallets and exchanges are attractive targets for hackers. When Willie Sutton, a notorious 20th century bank robber, was asked why he robbed banks, he reportedly answered “Because that’s where the money is.” The same apparently holds true for today’s thieves who go after cryptocurrency. Aside from being where the money is, the advantages of going after cryptocurrency are the low likelihood of getting caught and the lack of traceability of the proceeds. Once the money is taken, it’s gone.
In April we blogged about an attack on MyEtherWallet. This was a sophisticated attack combining BGP hijacking and a DNS man-in-the-middle that directed MyEtherWallet users to a bogus phishing website. Something similar has happened again, this time to users of trezor.io, another cryptocurrency wallet: https://blog.trezor.io/psa-phishing-alert-fake-trezor-wallet-website-3bcfdfc3eced
What’s interesting about this incident is that the method the attackers used has not been positively identified. It is known that a phishing website masquerading as trezor.io was set up to induce users to reveal their credentials. What is not known is exactly how users’ requests were directed to the bogus site. It is surmised that BGP hijacking and/or DNS manipulation was used. This highlights the fact that such attacks (particularly DNS cache poisoning and man-in-the-middle) can easily take place without triggering any security alerts or log events: the result of the attack gets noticed, but not the attack itself. A much better defense is to prevent such attacks from happening rather than responding after they take place.
Many websites rely on SSL certificates for that preventive layer. But SSL certs don’t actually stop phishing attacks; they alert the user that such an attack might be taking place (and certificate validation failures often have causes other than phishing). Users need to heed the pop-up warning, but not all users do so. Although a necessary security measure, certs do not truly prevent this type of attack.
DNSSEC is a true preventive measure. It prevents the DNS system from being misused to send users to bogus sites. Like all things in security, it is not a 100% solution. But it is a critical element for closing a particularly attractive attack vector that hackers seem to be using more and more often. For more information about DNSSEC and DNS security, check out the following resources on our website.
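As an added example (not code from the original post or from Trezor), the following Python shows what the two points above look like in practice for an operator monitoring their own domain: it parses a resolver response in the text format `dig +dnssec` prints, reports whether the resolver actually validated the answer (the `ad` flag) or refused it (SERVFAIL), and flags A records that differ from the addresses the operator expects, so a silent redirection of the kind described is noticed rather than only its consequences. The domain, addresses and responses are constructed; nothing here is a real capture.

```python
import re

# Constructed expectation: the addresses the operator knows are legitimate.
EXPECTED = {"wallet.example": {"203.0.113.10", "203.0.113.11"}}
HEADER_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);", re.M)
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)", re.M)
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+A\s", re.M)

def dnssec_status(dig_output):
    """Classify what the resolver's response says about DNSSEC protection."""
    status = HEADER_RE.search(dig_output).group(1)
    if status == "SERVFAIL":
        # A validating resolver withholds data whose signatures do not verify.
        return "servfail"
    flags = FLAGS_RE.search(dig_output)
    flagset = set(flags.group(1).split()) if flags else set()
    if "ad" in flagset:
        return "validated"             # resolver verified the chain of trust
    if RRSIG_RE.search(dig_output):
        return "signed-not-validated"  # zone is signed, but this resolver did not check
    return "unsigned"                  # nothing protects this answer from forgery

def unexpected_addresses(dig_output, name, expected=EXPECTED):
    """Return A records for `name` that are not on the operator's expected list."""
    answers = {ip for owner, ip in A_RE.findall(dig_output)
               if owner.rstrip(".") == name}
    return answers - expected[name]

def check(dig_output, name, expected=EXPECTED):
    return dnssec_status(dig_output), unexpected_addresses(dig_output, name, expected)

# Constructed sample responses in dig +dnssec text format (not real captures).
GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
wallet.example.\t\t300\tIN\tA\t203.0.113.10
wallet.example.\t\t300\tIN\tA\t203.0.113.11
wallet.example.\t\t300\tIN\tRRSIG\tA 13 2 300 20240601000000 20240501000000 12345 wallet.example. c29tZS1zaWduYXR1cmU=
"""
REDIRECTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
wallet.example.\t\t60\tIN\tA\t198.51.100.7
"""
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
```

A "signed-not-validated" result is the caveat worth watching for: the zone is signed, but the client's resolver is not validating, so DNSSEC is not protecting that user.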
Whitepaper: Getting Serious about DNS Security