Important: If you had a Black Wallet account, do not try to sign in. Instead, please verify that you are the account balance through the Stellar Account Viewer, here.
In a statement sent today by its online source founder Stellar Wallet and Black Wallet claimed that it was hacked. Posting on Reddit, the orbit84 user has announced that a hacker has gained access to the host provider account and changed the DNS settings to its version hosted by BlackWallet. The attacker’s wallet, to which the author sent a link, seems to have accumulated around $ 400,000 worth of cryptocurrency Stellar, who saw that its market capitalization was applied almost three times in the last month.
Security Research Kevin Beaumont was able to identify a piece of code that checks if a user had more than 20 lumens and moved them to an address on their hardcoded wallet. The attack comes after a series of social engineering attacks targeting the growing cryptos market.
Exchange EtherDelta suffered a similar strike late last year, made by a DNS Hijacking. This assault was reported to be lower with the attacker receiving only 250,000 USD worth of ether.
Like the EtherDelta attack, the attacker seems to have washed the money in a Bittrex address, which probably changed it for other coins, and hidden the identity of the attacker.
How the Attack is Unfolded
The attack appears to have been a phishing attack for the BlackWallet Co-hosting provider. Although the poster declined to disclose more information declaring “I can not now disclose more information to prevent another hack” and promising to post more when it thinks it safe, a DNS look seems to have classified the host as 1and1 Hosting could not be reached immediately for explanations.
Although we can not fully verify what happened, Reddit and Twitter users along with the security research community seem to think they know what happened. The probability theorization is that someone who claims to own the site reached the hosting provider and via social engineering could enter the account. From there, it was easy to transfer DNS records to a site hosted by the attacker.
While it is clear to members of the community that the host is likely to blame here, BlackWallet’s developer made this attack much easier by opening his open invention, which is openly accessible on Github. Anyone with a small amount of technical knowledge can clone them and set up an instance to change their code as they wish.
Other anger users are 1 and 1, as opposed to a hosting provider, with stricter security measures for business customers such as AWS, Google Cloud Platform, or Microsoft Azure. 1 & 1 was also a target for angry users who lost money claiming that 1 & 1 would have had to do more in training in social engineering. The poster rejected these claims, asking users to “please do not spread rumors about 1 & 1”.
Frequent attacks like these have made it clear that some Web-Wallets are unsure and have led to the emergence of client-only wallets such as MyEtherWallet. These purses, while still vulnerable to a DNS hijacking attack, such as the one on the Black Wallet today, go so far as to force users to go through a slideshow detailing the prevention of scams phishing.
This type of presentation would probably have prevented some victims of the BlackWallet attack by instructing them to check the SSL certificate that would have helped identify the DNS hijacking attack.
Unfortunately, as the crypto price continues to rise, these attacks seem to be becoming more popular. Fortunately, the introduction of standard business security procedures for shifts and wallets will alleviate the damage that they can bring to the community. Coinbase, for example, has published a case study on cloud architecture and operational security practices inside AWS, a provider of industry-recognized secure hosts.