Aloha. Surprised this hasnt "made the news" over at this list yet.
https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ https://twitter.com/barton_paul/status/988788348272734217 TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/) I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939) that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the problem in almost all recent hijacks. Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help here) to track how big the propagation was? Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift transfers without having actual access to the real site (for good ....and bad). -- hugge @ 2603
