Ethereum Name Service gateway eth.limo has revealed that the domain hijacking on Friday was caused by a social engineering attack directed against EasyDNS, its domain name service provider.
According to a postmortem published by eth.limo on Saturday, an attacker impersonated one of its team members to initiate an account recovery process with easyDNS, granting access to the eth.limo account and allowing them to change domain settings.
“The NS records were changed and directed to Cloudflare… Once we understood that a DNS hijack had taken place, we immediately notified the community as well as Vitalik Buterin and others. We then began contacting EasyDNS in an effort to respond to the incident,” the company said.
Eth.limo serves as a Web2 bridge, providing access to about 2 million decentralized websites using the .eth domain name. Hijacking the service could let an attacker redirect users to malicious websites. Ethereum co-founder Vitalik Buterin warned users Friday to avoid his blog until the incident was resolved.
Mark Jeftovic, CEO of easyDNS, has publicly accepted responsibility for the incident in its own postmortem report.
“We screwed up and we own it,” said Jeftovic on Saturday.
“This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts.”
Both companies have pointed to the Domain Name System Security Extensions (DNSSEC) in thwarting the hacker’s attempts to do further damage.
The attacker couldn’t produce valid cryptographic signatures, so Domain Name System resolvers rejected the attacker’s forged DNS responses, causing users to see error messages instead of being redirected to malicious sites.
“DNSSEC was enabled for their domain when the attackers attempted to flip their nameservers, presumably to effect some manner of phishing or malware injection attack, DNSSEC-aware resolvers, which most are these days, began dropping queries,” Jeftovic said.
In its postmortem, eth.limo noted that because the attacker lacked the signing keys, they were unable to bypass the safeguards, which likely “reduced the blast radius of the hijack. We are not aware of any user impact at this time. We will provide updates if that changes.”
easyDNS makes changes since the attack
Jeftovic described the social engineering attack as “highly sophisticated,” and said easyDNS is still conducting a post-mortem on how the breach occurred, and has already begun rolling out changes to prevent a recurrence.
“In eth.limo’s case, we will be migrating them to Domainsure, which has a security posture more suited toward enterprise and high-value fintech domains, TLDR there is no mechanism for an account recovery on Domainsure, it’s not a thing,” he added.
“On behalf of everyone here, I apologize to the eth.limo team and the wider Ethereum community. ENS has always had a special place in our heart as the first registrar to enable ENS linking to web2 domains and we’ve been active in the space since 2017.”
The eth.limo incident is the latest in a series of domain hijackings targeting crypto projects. Days earlier, decentralized exchange aggregator CoW Swap lost control of its website after an unknown party hijacked its domain.
Steakhouse Financial, a DeFi advisory and research firm, likewise disclosed at the end of March that it had lost control of its domain to an attacker.
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy https://cointelegraph.com/editorial-policy
