Two Cryptocurrency Portals Registered With Godaddy Experienced A DNS Hijack At The Same Time


Two cryptocurrency portals, Cream Finance and PancakeSwap, had their DNS records hijacked in the last couple of days. Their websites redirected visitors to fake pages that try to phish seed phrases and private keys from visitors, which would allow attackers to access the users' wallets and steal their funds.

The hacks have been confirmed by both companies in messages posted on their official Twitter profiles.

Both services have now regained ownership of their domains.

The two incidents are believed to be the work of one individual or group, as DNS records for both websites were changed within a minute of each other.

Image: Douglas Mun

Once the DNS records were pointed at the attackers' IP addresses, visitors were redirected to phishing sites, where pop-ups prompted them to enter their seed phrases and private keys.

With these credentials in hand, attackers can access customers' cryptocurrency wallets and make transactions that drain their funds.

Users are advised not to enter seed phrases when navigating to the companies' websites and logging into their accounts.

The crypto companies have now regained control of their domains' DNS records. Yet the servers used by the attackers are still live, and users whose resolvers still cache the hijacked records may still be sent to them.
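The two situations described above, records pointed at an attacker's server and recursive resolvers still serving a hijacked answer after the zone has been restored, are what a DNS drift monitor has to tell apart. The following Python is an added example written for this article, not code from either company or from GoDaddy. It compares the answers a set of resolvers return against an allow-list of expected values and uses the authoritative answer as the reference: unexpected values at the authoritative servers mean the zone itself was changed ("hijacked"), while unexpected values at a recursive resolver whose authoritative counterpart is clean mean a cached, stale copy. The domain names, resolver labels, IP addresses and TTLs in the demo are constructed placeholders (RFC 5737 test ranges), not the real sites' records; `live_a_records` is a hypothetical helper for live use and is not called by the offline demo.

```python
"""Hypothetical DNS-record drift monitor (added example, not from the article).

Compares the answers a set of resolvers return for a domain against an
allow-list of expected values. The authoritative answer decides whether the
zone itself has been changed ("hijacked"); a recursive resolver that still
serves unexpected values while the authoritative answer is clean is reporting
a cached copy ("stale"), the situation users face after a hijack is reverted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import socket

AUTHORITATIVE = "authoritative"  # label for the answer taken at the zone's own name servers


@dataclass(frozen=True)
class Observation:
    resolver: str          # which resolver produced this answer
    domain: str
    rtype: str             # "A", "AAAA", "NS", ...
    answers: frozenset     # record values returned
    ttl: int               # seconds the answer may be cached


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    resolver: str
    status: str            # "ok", "stale" or "hijacked"
    unexpected: frozenset  # values not on the allow-list


def _matches(value, allowed):
    """True if value is on the allow-list; IP entries may be CIDR ranges."""
    for entry in allowed:
        if "/" in entry:
            try:
                if ip_address(value) in ip_network(entry, strict=False):
                    return True
            except ValueError:  # value is not an IP (e.g. an NS host name)
                continue
        elif value.lower() == entry.lower():
            return True
    return False


def classify(expected, observations):
    """expected: {(domain, rtype): {allowed values}}; returns one Finding per observation."""
    def unexpected(obs):
        allowed = expected.get((obs.domain, obs.rtype), set())
        return frozenset(v for v in obs.answers if not _matches(v, allowed))

    # A zone is clean only if its authoritative answer contains no unexpected values.
    auth_clean = {(o.domain, o.rtype): not unexpected(o)
                  for o in observations if o.resolver == AUTHORITATIVE}
    findings = []
    for obs in observations:
        bad = unexpected(obs)
        if not bad:
            status = "ok"
        elif obs.resolver != AUTHORITATIVE and auth_clean.get((obs.domain, obs.rtype)):
            status = "stale"      # zone is fixed; this resolver still serves the old answer
        else:
            status = "hijacked"   # the zone itself (or a resolver with no clean reference) is wrong
        findings.append(Finding(obs.domain, obs.rtype, obs.resolver, status, bad))
    return findings


def live_a_records(domain):
    """Resolve A records through the system resolver (hypothetical helper, unused by the offline demo)."""
    return frozenset(info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET))


def demo():
    """Run the classifier over constructed observations; returns {(domain, rtype, resolver): status}."""
    # Constructed allow-list and answers: placeholder names and RFC 5737 test addresses,
    # not the real sites' records.
    expected = {
        ("swap.example", "A"): {"203.0.113.0/24"},
        ("swap.example", "NS"): {"ns1.registrar.example", "ns2.registrar.example"},
        ("finance.example", "A"): {"203.0.113.0/24"},
    }
    observations = [
        # swap.example: zone restored, but one public resolver still caches the attacker's IP
        Observation(AUTHORITATIVE, "swap.example", "A", frozenset({"203.0.113.10"}), 300),
        Observation("resolver-1", "swap.example", "A", frozenset({"198.51.100.77"}), 2400),
        Observation("resolver-2", "swap.example", "A", frozenset({"203.0.113.10"}), 300),
        Observation(AUTHORITATIVE, "swap.example", "NS",
                    frozenset({"NS1.registrar.example", "ns2.registrar.example"}), 3600),
        # finance.example: the zone itself still points at the attacker's server
        Observation(AUTHORITATIVE, "finance.example", "A", frozenset({"198.51.100.77"}), 300),
        Observation("resolver-1", "finance.example", "A", frozenset({"198.51.100.77"}), 300),
    ]
    return {(f.domain, f.rtype, f.resolver): f.status for f in classify(expected, observations)}


if __name__ == "__main__":
    for key, status in sorted(demo().items()):
        print(*key, "->", status)
```

In practice the allow-list would hold the provider's published address ranges and name servers, and the observations would be gathered on a schedule from the zone's authoritative servers plus a handful of public resolvers; a "hijacked" finding at the authoritative servers is the signal to lock the registrar account and revert the zone, while "stale" findings tell you how long, given the TTL, users may still be reaching the attacker's server after the fix.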

It is unclear how attackers managed to modify DNS records for both websites, but as security researcher MalwareHunterTeam pointed out, both companies managed their DNS records via web hosting company GoDaddy.

The most likely scenario is that the attackers compromised a GoDaddy employee's account in order to change the DNS records and carry out the attack; alternatively, a GoDaddy customer-support representative may have made those DNS changes.

Phishing attacks targeting web hosting accounts spiked in 2019, when FireEye reported a global DNS hijacking campaign by an Iranian state-sponsored hacking group.

Similar attacks on GoDaddy occurred in March and November 2020. Bad actors phished GoDaddy employees, collected their work credentials, and then modified DNS records for multiple cryptocurrency and domain-hosting sites, including Escrow.com, Liquid.com, NiceHash.com, Bibox.com, Wirex.app, and Celsius.network.

About the author

CIM Team
