Rob Behnke
March 17th, 2021
DNS is the “address book of the Internet.” It translates human-readable domain names (like Halborn.com) to the IP addresses used by computers for routing network traffic (like 127.0.0.1).
DNS infrastructure is organized as a hierarchy of DNS servers. Each server in the hierarchy will respond to requests for the IP addresses associated with a particular domain name, allowing a user to find any domain on the Internet with knowledge of only a single top-level DNS server.
DNS hijacking occurs when the records stored on DNS servers are compromised by an attacker. If an attacker can replace a legitimate DNS record with one containing their IP address, any future DNS lookups will result in the visitor going to the wrong site.
On March 15, 2021, Cream and Pancakeswap reported that their websites were victims of a DNS hijacking attack. The attacker managed to corrupt their DNS records hosted by GoDaddy to point them to an attacker-controlled server.
This enabled the attacker to direct visitors to modified versions of these sites. The attacker changed the sites to include a request that the user enter their seed phrase to connect a digital wallet to the site.
A seed phrase is a mnemonic designed to make it easier to remember the private key associated with a user’s blockchain account. Entering it into the compromised site would allow the attacker to gain full control of the account and steal all of the money that it contains. Users should never enter seed phrases on either site.
DNS hijacking can occur in a few different ways. Depending on the technique used, different mitigations (such as the use of DNSSEC) are a good way to protect against this type of attack.
In this case, it is likely that Cream and Pancakeswap’s accounts were compromised at GoDaddy. This allowed the attacker to modify the DNS records associated with the websites, which would cause the malicious record to be distributed throughout the DNS infrastructure.
For these types of attacks, taking advantage of access control mechanisms with DNS providers is critical. GoDaddy offers multi-factor authentication (MFA) and advanced protection plans to help block account takeover and domain hijacking attacks.
Website security is a critical component of blockchain security. For help in ensuring the security of your site against domain hijacking and similar attacks, contact Halborn at halborn@protonmail.com.