On 4/24/2018 1:35 PM, Fredrik Korsbäck wrote:
> Surprised this hasn't "made the news" over at this list yet.
In the old days, the list membership would have noticed the hijack. BGP hijacks used to be a somewhat popular topic, but like spammer chasing, I think everyone grew bored of it and the lack of things actually being done.
> TL;DR: So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS IP space, containing quite a lot of Route53 infrastructure, put up their own resolvers on the hijacked IP space and pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia with a bogus SSL cert (but still pretty good) (https://46.161.42.42/)
Why did they use a self-signed cert? If you control the DNS or the endpoint, you can easily get a signed cert. Given how lax people were at detecting this, they would have gotten further if people hadn't been complaining about the cert notification.

Jack
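The hijack Fredrik describes, more-specifics of someone else's aggregate announced from a foreign origin AS, is the pattern a route monitor should alarm on. The following is an added example, not code from the thread or from any of the parties named in it: every prefix and ASN in it is constructed (198.51.100.0/22 stands in for a monitored Route53-style block, AS64500 for its legitimate origin, AS64501 for the foreign one), and `classify`/`find_hijacks` are hypothetical helper names.

```python
"""Flag BGP routes that look like a more-specific hijack of monitored space.

Added example (not from the thread). All prefixes and ASNs below are
constructed: 198.51.100.0/22 stands in for the monitored block and
AS64500 / AS64501 for the legitimate and foreign origins.
"""
import ipaddress

# Constructed: monitored aggregates and the origin ASNs allowed to announce them.
EXPECTED = {
    "198.51.100.0/22": {64500},
}


def classify(prefix, origin_as, expected=EXPECTED):
    """Return a verdict for one observed route.

    'ok'           covered prefix, legitimate origin
    'hijack'       covered prefix (exact or more-specific), unexpected origin
    'unmonitored'  prefix lies outside every monitored aggregate
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for agg, origins in expected.items():
        agg_net = ipaddress.ip_network(agg)
        # subnet_of() also matches the exact aggregate itself
        if net.version == agg_net.version and net.subnet_of(agg_net):
            return "ok" if origin_as in origins else "hijack"
    return "unmonitored"


def find_hijacks(routes, expected=EXPECTED):
    """Return the (prefix, origin_as) pairs that classify as hijacks.

    routes: iterable of (prefix, origin_as) pairs, e.g. the last ASN of the
    AS_PATH for each entry in a looking-glass or RIB dump.
    """
    return [(p, o) for p, o in routes if classify(p, o, expected) == "hijack"]


if __name__ == "__main__":
    # Constructed RIB sample mirroring the incident's shape: the owner's
    # aggregate plus foreign-origin more-specifics punched inside it.
    sample = [
        ("198.51.100.0/22", 64500),   # legitimate aggregate
        ("198.51.100.0/24", 64501),   # more-specific from a foreign origin
        ("198.51.101.0/24", 64501),
        ("198.51.102.0/24", 64500),   # owner's own de-aggregation: fine
        ("203.0.113.0/24", 64501),    # not monitored
    ]
    for route in find_hijacks(sample):
        print("possible hijack:", route)
```

Fed with routes from a collector, the two foreign-origin /24s are reported while the owner's own de-aggregation is not.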