DeFi platforms PancakeSwap and Cream Finance cautioned clients on Monday that they were hit by domain name system (DNS) hijackings. The strong alerts were given via social media in an offer to hold clients back from succumbing to dual schemes to collect private keys or seed phrases from would-be victims. Such data obtained by this sort of phishing plan would then permit a hacker to then steal funds from affected users.
As of press time, PancakeSwap has said that it has recovered admittance to its DNS. Cream Finance seemed, by all accounts, to be currently looking for DNS access, guiding clients to an alternative address in the meantime. A DNS hijacking permits an attacker to introduce a false web portal to visiting users, regularly aimed toward gathering individual data - for this situation, the private keys needed to steal their funds. The U.S. government and private security firms have given alerts as of late about such assaults, as noted in a 2019 report by Krebs on Security.
Exact technical details regarding how attackers figured out how to modify DNS records for the two sites are still shrouded in mystery, but as security researcher MalwareHunterTeam brought up recently, the two organizations dealt with their DNS records through web facilitating organization GoDaddy. While there is the likelihood that the attackers compromised web hosting accounts for both companies in separate incidents, there is likewise the likelihood that attackers may have compromised a GoDaddy employee’s account to change DNS server records and execute the attack.
The latter scenario happened twice before last year, in March and November 2020, with assailants executing a phishing assault against GoDaddy employees to gather their work credentials and afterward utilize official GoDaddy accounts to alter DNS records for multiple cryptocurrencies and domain hosting-related sites. Casualties of the past assaults incorporated any semblance of Escrow.com, Liquid.com, NiceHash.com, Bibox.com, Celsius. network, and Wirex.app. Phishing assaults focusing on web facilitating accounts have become common since the beginning of 2019 when FireEye uncovered an Iranian state-sponsored hacking group behind a global DNS hijacking campaign.
The campaign included the Iranian hackers phishing their targets for web facilitating related accounts and afterward utilizing a DNS hijack attack to divert traffic for email servers through infrastructure constrained by the attackers, permitting them to phish employees and read their emails.
