Friday’s eth.limo hack caused by social engineering on EasyDNS
Ethereum name service gateway eth.limo said Friday's domain hack was the result of a social engineering attack on domain name service provider EasyDNS.
According to a postmortem published by eth.limo on Saturday, an attacker impersonated one of the eth.limo team members and initiated an account recovery process with EasyDNS, which gave the attacker access to eth.limo's account and allowed them to change the domain's settings.
“The NS records were changed and directed to Cloudflare… Once we found out about the DNS hack, we immediately notified the community as well as Vitalik Buterin and others. We then started contacting EasyDNS to respond to the incident,” the company said.
Eth.limo acts as a Web2 bridge, serving nearly 2 million decentralized websites that use the .eth domain. Hijacking the service allows an attacker to redirect users to malicious websites. Ethereum founder Vitalik Buterin warned users on Friday to avoid his blog until the incident was resolved.
EasyDNS CEO Mark Jeftovic publicly accepted responsibility for the incident in his own postmortem.
“We're broke and we're on our own,” Jeftovic said on Saturday.
“This marks the first successful social engineering attack against an EasyDNS client in our 28-year history. There were countless attempts.”
Both companies credit Domain Name System Security Extensions (DNSSEC) with stopping the attacker from doing more damage.
The attacker could not produce valid cryptographic signatures for the domain, so validating resolvers rejected the attacker's spoofed DNS responses; users saw error messages instead of being redirected to malicious sites.
“DNSSEC-aware resolvers, most of these days, start dropping queries when the attackers try to hijack their nameservers with DNSSEC enabled for their domain, perhaps doing some phishing or malware injection attack,” Jeftovic said.
In its post, eth.limo noted that the attacker was unable to bypass defenses because he lacked the signing keys, which likely “reduced the radius of the hacking blast. We are currently unaware of any user impact. We will provide updates if that changes.”
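As an added illustration, not code from eth.limo or EasyDNS, the following Python check runs over a domain owner's own `dig` output and flags the two symptoms described above: an NS set that no longer matches what the operator expects, and answers that are not DNSSEC-validated. The nameserver names and the `dig` output are constructed placeholders.

```python
"""Check DNS lookup output for signs of a nameserver hijack (added example;
dig output below is constructed, not captured from eth.limo)."""
import re

# Nameservers the operator expects to see (hypothetical placeholder names).
EXPECTED_NS = {"ns1.example-registrar.net.", "ns2.example-registrar.net."}

def parse_dig(output):
    """Pull status, header flags, NS targets and NS RRSIG presence from dig text."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "flags": set(flags.group(1).split()) if flags else set(),
        "ns": set(re.findall(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)", output, re.M)),
        "rrsig_ns": bool(re.search(r"\s+IN\s+RRSIG\s+NS\s", output)),
    }

def assess(output):
    """Return a list of findings; empty means the delegation looks as expected."""
    r = parse_dig(output)
    findings = []
    if r["status"] == "SERVFAIL":
        findings.append("SERVFAIL: a validating resolver refused the answer")
    if r["ns"] and r["ns"] != EXPECTED_NS:
        findings.append("unexpected NS set: " + ", ".join(sorted(r["ns"] - EXPECTED_NS)))
    if r["status"] == "NOERROR" and "ad" not in r["flags"]:
        findings.append("answer not authenticated (no AD flag)")
    if r["status"] == "NOERROR" and not r["rrsig_ns"]:
        findings.append("NS RRset carries no RRSIG")
    return findings

# Constructed sample: expected delegation, validated by the resolver (AD set).
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
example.org.  3600  IN  NS  ns1.example-registrar.net.
example.org.  3600  IN  NS  ns2.example-registrar.net.
example.org.  3600  IN  RRSIG  NS 13 2 3600 20250101000000 20241201000000 12345 example.org. <sig>
"""
# Constructed sample: NS records swapped to unexpected hosts, as a
# non-validating resolver would show it (a validating one returns SERVFAIL).
SAMPLE_HIJACK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.org.  300  IN  NS  rogue1.example-attacker.net.
example.org.  300  IN  NS  rogue2.example-attacker.net.
"""
```

Running `assess` on a fresh `dig +dnssec NS yourdomain` capture from a validating resolver on a schedule gives an early signal that a delegation has been changed out from under you.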
EasyDNS makes changes after the attack
Jeftovic described the social engineering attack as “very sophisticated” and said EasyDNS is conducting a post-mortem investigation into how the breach occurred and is already making changes to prevent it from happening again.

“In the case of eth.limo, we are migrating them to Domainsure, which has a security posture more suited to corporate and high-value fintech domains. TLDR: There is no account recovery mechanism on Domainsure, nothing,” he said.
“On behalf of everyone here, I apologize to the eth.limo team and the wider Ethereum community. ENS has always had a special place in our hearts as the first registrar to connect ENS to Web 2 domains and we have been involved in the space since 2017.”
The eth.limo incident is the latest in a series of domain hacks targeting crypto projects. Days ago, decentralized exchange aggregator CoW Swap lost control of its website after an unknown party hacked its domain.
Stackhouse Financial, a DeFi consulting and research firm, similarly revealed in late March that an attacker had taken control of its domain.