Today, the popular WEB Wallet MyEtherWallet.com suffered the first large-scale man-in-the-middle attack on WEB Wallets. The attack time was only 2 hours, but in that time, a total of more than $150,000 worth of ether was stolen.
We believe that this attack was just an experiment to verify the possibility of using BGP attacks to attack blockchain WEB wallets. Obviously, this attack succeeded, therefore verifying the feasibility of this model.
The man-in-the-middle attack is the most traditional attack method in the history of the Internet. In this middleman attack on MyEtherWallet.com, even if the Chrome browser warned that the SSL certificate is invalid (Figure 1), most users would have ignored the message and continued to use the fraudulent MyEtherWallet.com website, thus enabling malicious actors to seize their assets for themselves.
As we pointed out in our white paper on
, users of SPV (Simple Payment Verification) wallets should be paying attention to the security of network transmissions, especially in terms of whether they have the capacity to fight against and prevent man-in-the-middle attacks.
In an official statement, MyEtherWallet.com did confirm that several of its users had been targeted in the phishing scheme. However, instead of taking responsibility for the attack, the official advice given was to ask the user to be responsible for the security of his or her wallet - essentially giving up their role as the protector of the user’s assets (Figure 2).
If users are now to be responsible for their own assets, they have to be prepared. We recommend that people take one of two actions:
- If you encounter an SSL error when accessing a digital asset website, suspend it immediately and send it back to the website operator.
- Or, use the Cheetah Mobile SafeWallet product. SafeWallet fully considers the defense capabilities for security and is designed to withstand the potential of being attacked by middlemen, and fully protect the security of user assets.
With SafeWallet, security is a core feature. First, there is no risk of the web wallet URL being phished; secondly, SafeWallet includes the AV-Test certified Antivirus Engine, security environment detection engine, malicious address detection engine and other security features that ensure the security of the user's wallet.
In addition, SafeWallet supports multiple coins including Bitcoin, Ethereum and ERC20 Tokens, and has an easy-to-use UI.
For Android User:
For iPhone User: