A recent DNS hijacking attack against decentralised finance (DeFi) protocols has raised serious concerns about security within the industry.
The attackers altered DNS records hosted at Squarespace so that the affected domains resolved to malicious IP addresses associated with known cybercriminal activity.
Notable Ethereum-based DeFi protocols such as Compound and multi-chain interoperability protocol Celer Network were affected.
The hijacked front-ends served phishing pages that drained funds from the wallets users connected to them.
The co-founder and CEO of blockchain security firm Blockaid, Ido Ben-Natan, highlighted the scope of the attack, noting that around 228 DeFi protocol front ends remain at risk.
Ben-Natan identified the attackers as part of the Inferno Drainer group. They are known for using a sophisticated wallet-draining kit that tricks users into signing transactions that transfer their digital assets to the attackers.
This malicious kit often employs phishing websites or compromised domains to execute these thefts.
Impacts and vulnerabilities
The severity of the attack has been exacerbated by the recent migration of domain registrations from Google Domains to Squarespace.
On 15 June 2023, Google announced an agreement with Squarespace under which all Google Domains registrations and their associated customer accounts would be transferred to Squarespace.
The co-founder of CoinGecko, Bobby Ong, pointed out that this migration inadvertently removed two-factor authentication from many accounts, significantly increasing their exposure to account takeover.
Ong reported a fresh DNS attack against Squarespace's domain registrar in which multiple domains were compromised.
He advised users to refrain from interacting with cryptocurrency platforms until the issue is fully resolved.
According to Ong, the forced migration has left many accounts exposed and made them easier targets for cybercriminals.
Google has said that, although the sale to Squarespace is complete, it does not instantly affect Google Domains accounts.
Users can continue to manage their existing domains through Google Domains until their accounts are actually migrated to Squarespace, a process that may take a few months.
That delay gives domain holders a window to review their security settings before the transition, in particular to confirm that two-factor authentication is enabled on the Squarespace account once it exists, since the migration does not carry it over.
The founder of Unstoppable Domains, Matthew Gould, proposed a way to mitigate such risks: create verified on-chain records for domains as an extra layer of protection.
Under this proposal, a DNS update would require a signature from the domain owner's wallet before it is applied.
An attacker would then have to compromise both the registrar account and the user's wallet key to alter DNS records, rather than the registrar account alone.
Community response and future measures
The DeFi community is actively working together to address the ongoing vulnerabilities highlighted by this attack.
Ben-Natan emphasised that Blockaid is tracking the addresses associated with the attackers and collaborating with the community to report compromised sites.
Inferno Drainer reuses shared infrastructure, including on-chain wallet and smart-contract addresses as well as off-chain IP addresses and domains, which makes related attacks easier to identify and track.
The group's wallet kit works by prompting users to sign malicious transactions or messages that hand control of their digital assets to the attackers.
Once the user signs, the kit moves the funds from the victim's wallet to an attacker-controlled address.
The group has been active for some time, targeting users of various DeFi protocols through phishing pages and compromised domains. Its reuse of shared infrastructure makes it easier for security firms to track and identify related attacks.
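The passages above describe what a drainer kit does from the outside: the user is shown a signing prompt that, in practice, is usually a token approval, an approve-all for an NFT collection, an off-chain Permit signature or a plain transfer to the attacker. The following is an added example, not code from the article, from Blockaid or from the Inferno Drainer kit, showing the pre-signing check a wallet or browser extension could run on what a dapp submits. The function selectors are the first four bytes of keccak256 of each signature and are hard-coded so the script runs without a keccak dependency; the addresses, the token contract and the KNOWN_SPENDERS allow-list are constructed for illustration.

```javascript
// Added example (not code from the article or from Blockaid/Inferno Drainer):
// the pre-signing check a wallet or browser extension could run on what a dapp
// submits via eth_sendTransaction / eth_signTypedData_v4. Function selectors are
// the first 4 bytes of keccak256(signature); they are hard-coded so this runs
// without a keccak dependency. Addresses and KNOWN_SPENDERS are constructed.

const SELECTORS = {
  '0x095ea7b3': { name: 'approve(address,uint256)', kind: 'approve' },
  '0x39509351': { name: 'increaseAllowance(address,uint256)', kind: 'approve' },
  '0xa22cb465': { name: 'setApprovalForAll(address,bool)', kind: 'approveAll' },
  '0xa9059cbb': { name: 'transfer(address,uint256)', kind: 'transfer' },
};
const UINT256_MAX = (1n << 256n) - 1n;

// i-th 32-byte ABI word following the 4-byte selector ("0x" + 8 hex chars).
function word(data, i) {
  const hex = data.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (hex.length !== 64) throw new Error('calldata too short for ABI word ' + i);
  return hex;
}
const wordToAddress = (w) => '0x' + w.slice(24);
const wordToUint = (w) => BigInt('0x' + w);
const fmtAmount = (n) => (n === UINT256_MAX ? 'unlimited' : n.toString());

// tx: { to, data, value } as a dapp passes it to the wallet.
// knownSpenders: Set of lowercase contract addresses the dapp legitimately needs.
function analyzeTx(tx, knownSpenders) {
  const data = (tx.data || '0x').toLowerCase();
  const to = (tx.to || '').toLowerCase();
  if (data.length < 10) {
    // No calldata: a plain ETH send. Drainers use these too, so check the recipient.
    const value = BigInt(tx.value || 0);
    if (value > 0n && !knownSpenders.has(to)) return { risk: 'medium', reason: `sends ${value} wei to unlisted address ${to}` };
    return { risk: 'low', reason: 'no calldata' };
  }
  const fn = SELECTORS[data.slice(0, 10)];
  if (!fn) return { risk: 'unknown', reason: `unrecognised selector ${data.slice(0, 10)}; simulate before signing` };
  const counterparty = wordToAddress(word(data, 0));
  const trusted = knownSpenders.has(counterparty);
  if (fn.kind === 'approve') {
    const amount = wordToUint(word(data, 1));
    if (!trusted) return { risk: 'high', reason: `${fn.name} lets ${counterparty} spend ${fmtAmount(amount)} of token ${to}` };
    if (amount === UINT256_MAX) return { risk: 'medium', reason: `unlimited allowance to known spender ${counterparty}` };
    return { risk: 'low', reason: `bounded allowance (${amount}) to known spender ${counterparty}` };
  }
  if (fn.kind === 'approveAll') {
    const enabled = wordToUint(word(data, 1)) !== 0n;
    if (enabled && !trusted) return { risk: 'high', reason: `setApprovalForAll hands every token of ${to} to ${counterparty}` };
    return { risk: enabled ? 'medium' : 'low', reason: `${fn.name} operator ${counterparty}, approved=${enabled}` };
  }
  // transfer(address,uint256): the dapp asks the user to send tokens outright.
  const amount = wordToUint(word(data, 1));
  return { risk: trusted ? 'low' : 'high', reason: `direct transfer of ${amount} of ${to} to ${counterparty}` };
}

// EIP-2612 Permit (eth_signTypedData_v4): an off-chain signature that grants an
// allowance with no transaction at all, so it never looks like a transfer.
function analyzeTypedData(typedData, knownSpenders) {
  if (typedData.primaryType !== 'Permit') return { risk: 'unknown', reason: `primaryType ${typedData.primaryType}; inspect fields` };
  const spender = String(typedData.message.spender).toLowerCase();
  const value = BigInt(typedData.message.value ?? 0);
  if (!knownSpenders.has(spender)) return { risk: 'high', reason: `Permit grants ${fmtAmount(value)} to unlisted spender ${spender}` };
  return { risk: value === UINT256_MAX ? 'medium' : 'low', reason: `Permit for known spender ${spender}` };
}

// Constructed sample data.
const ROUTER = '0x' + '11'.repeat(20);   // the protocol's legitimate router contract
const DRAINER = '0x' + 'd0'.repeat(20);  // the attacker's contract
const TOKEN = '0x' + 'aa'.repeat(20);    // an ERC-20 token the victim holds
const KNOWN_SPENDERS = new Set([ROUTER]);
const pad = (hex) => hex.replace(/^0x/, '').padStart(64, '0');
const approveCalldata = (spender, amount) => '0x095ea7b3' + pad(spender) + pad(amount.toString(16));

console.log(analyzeTx({ to: TOKEN, data: approveCalldata(DRAINER, UINT256_MAX) }, KNOWN_SPENDERS));
console.log(analyzeTx({ to: TOKEN, data: approveCalldata(ROUTER, 1000n) }, KNOWN_SPENDERS));
console.log(analyzeTypedData({ primaryType: 'Permit', message: { spender: DRAINER, value: UINT256_MAX.toString() } }, KNOWN_SPENDERS));
```

The allow-list is the important design choice: on a hijacked front-end the page itself cannot be trusted, so the spender a transaction names must be compared against contracts known from somewhere other than the page that served the prompt. An unrecognised selector is reported rather than cleared, since the kit can wrap a drain in any contract call; such transactions should be simulated before signing.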
Gould's proposal for verified on-chain domain records builds on a mechanism Web3 domains already use: at present, changing the DNS records of a Web3 domain requires a signature from the owner's wallet before any update is applied.
The same requirement could be added to conventional registrar accounts, so that a DNS update is accepted only when it carries a signature from the domain owner's wallet key.
An attacker would then need to compromise both the registrar account and the user's key separately, which Gould argues would make DNS hijacks of this kind much harder.
The attack underscores the need for stronger security controls and proactive strategies within the DeFi space.
While the full extent of the hijack is not yet known, it has exposed how much DeFi protocols depend on the security of the conventional DNS and registrar infrastructure behind their front-ends.