Back in late June, news of an interesting DNS hijack attack came out of the hot DeFi market. It highlighted the dangers of treating domain names and DNS as a utility, especially when operating in the crypto market, where "dangerous" means hundreds of thousands of dollars lost to fake smart contracts.
Specifically, a few providers, including Convex Finance, Allbridge, Ribbon Finance and DeFi Saver, reported that their NameCheap DNS zone files had been changed without their permission. Most were able to correct the issue before any losses occurred, but two Ribbon Finance users reportedly approved malicious smart contracts, resulting in the loss of 16.5 WBTC (approximately $350k USD at the time).
So far 4 #ethereum DeFi projects experienced a DNS hijack attack. @ConvexFinance @ribbonfinance @DeFiSaver and Allbridge.
They are all using @Namecheap and logged into their accounts to see DNS changed. So far Namecheap has provided no explanation. @Namecheap this is serious pic.twitter.com/KD9w8GJAgp
— Lefteris Karapetsas | Hiring for @rotkiapp (@LefterisJP) June 24, 2022
On top of this, at least one of them reported that 2FA was enabled on the account, and nothing pointed to a systems or hardware issue. NameCheap was also slow and reluctant to release any details as to the cause. However, digging a little further, we find a tweet from NameCheap CEO Richard Kirkendall, buried within a thread on the subject, stating that the attack was the result of a customer service rep being compromised.
We've traced this down to a specific CS agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating.
— Richard Kirkendall (@NamecheapCEO) June 24, 2022
His basic position was that this kind of compromise is unavoidable, so NameCheap customers should subscribe to its Registry Lock service if they want additional protection for their domain names.
Usually we require a pin code from customer. We also monitor all actions as well as monitor a real time VIP list. In the end our CS needs to be able to modify to help customers especially when 99% don't understand DNS. If you want complete security use https://t.co/GUhgC2frw6
— Richard Kirkendall (@NamecheapCEO) June 24, 2022
How continuing to let (even some) customer service agents make zone changes would prevent another zone file hijack of this kind escapes me. Domains and DNS should be considered the outer perimeter of every organization's security infrastructure, and like any good protection strategy, your first line of defense should never be dismissed or taken lightly. Many breaches happen within this layer because most online businesses neither recognize the risk nor invest in mitigating it. DomainSure hardens this layer at a fraction of the cost of building out a viable infrastructure on your own, via a four-pronged approach:
– Domain Hardening: Domain Lock, Pre-Renewal + Auto Renewal, Whois Privacy, and a never monetize guarantee
– Security Monitoring: RBL monitoring, Darkweb Scanning, DNS and Nameserver change notifications and much more
– Brand Defense: Phishing detection, UDRP Defense and Mitigation Takedown Services
– Commercial DNS: Top Tier Anycast DNS with DNSSEC provided by easyDNS
Now, let's take a look at what we think might have happened. There are usually two primary ways a customer service rep can be compromised: social engineering attacks, which are becoming more common these days, and the more traditional software and systems hacks.
On the social engineering side, DomainSure and our parent registrar easyDNS have never had a social engineering attack successfully perpetrated against us in 20+ years. We have a number of systems and checks in place to stringently vet anyone contacting our employees, and all staff have been trained on the threat and the seriousness of sharing credentials with anyone, internal or external.
The other method of compromise is via systems, software and hardware. We go to great lengths to ensure all our systems and software are up to date and our hardware is current, and we have many layers of monitoring and protection to ensure any irregular behavior is immediately vetted by our Operations staff.
Two other features of our platform that would make this type of attack avoidable are DNS change notifications and multi-stakeholder approval processes.
Whenever any zone file change is made, we immediately notify you, keeping any potential compromise window as small as possible. On top of that, multi-stakeholder approvals require that any change to zones or nameservers be explicitly approved by multiple designated contacts on the account before it is implemented, even when the change is made by staff.
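As an added illustration (example code written for this post, not DomainSure's or easyDNS's own implementation), the following Python sketches the two controls together: a zone-snapshot diff that produces one notification per changed RRset, flagging the record types a hijacker needs to touch, and an approval gate that holds a proposed change until a required number of designated contacts have approved it, rejecting approvals from anyone else, including staff. The zone data, host names, addresses and approver names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample snapshots (not real data): BASELINE as the owner published
# it, HIJACKED as re-read after an edit repointing the web hosts elsewhere.
BASELINE = """
example.com.      NS   ns1.easydns.com.
example.com.      NS   ns2.easydns.com.
example.com.      A    192.0.2.10
www.example.com.  A    192.0.2.10
app.example.com.  A    192.0.2.20
example.com.      MX   10 mail.example.com.
"""
HIJACKED = """
example.com.      NS   ns1.easydns.com.
example.com.      NS   ns2.easydns.com.
example.com.      A    192.0.2.10
www.example.com.  A    198.51.100.7
app.example.com.  A    198.51.100.7
example.com.      MX   10 mail.example.com.
"""

# A snapshot keyed by (owner, type); each RRset is an unordered set of rdata.
Zone = dict[tuple[str, str], frozenset[str]]
# Record types whose modification redirects users or mail: the ones a hijacker
# needs to change, so the ones that must be gated.
CRITICAL_TYPES = {"NS", "A", "AAAA", "CNAME", "MX"}

def parse_zone(text: str) -> Zone:
    """Parse 'owner type rdata' lines (';' comments ignored) into a Zone."""
    zone: dict[tuple[str, str], set[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            owner, rtype, rdata = line.split(None, 2)
            zone.setdefault((owner.lower(), rtype.upper()), set()).add(rdata.strip())
    return {key: frozenset(rdata) for key, rdata in zone.items()}

@dataclass(frozen=True)
class Change:
    owner: str
    rtype: str
    removed: frozenset
    added: frozenset

def diff_zones(before: Zone, after: Zone) -> list[Change]:
    """Every RRset that differs between two snapshots, in owner order."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, frozenset()), after.get(key, frozenset())
        if old != new:
            changes.append(Change(key[0], key[1], old - new, new - old))
    return changes

def notify(changes: list[Change]) -> list[str]:
    """One alert line per change; critical record types are flagged."""
    return [f"[{'CRITICAL' if c.rtype in CRITICAL_TYPES else 'info'}] "
            f"{c.owner} {c.rtype}: -{sorted(c.removed)} +{sorted(c.added)}"
            for c in changes]

@dataclass
class ChangeRequest:
    """A proposed zone held until enough designated contacts approve it."""
    proposed: Zone
    required: int
    approvers: frozenset
    approvals: set = field(default_factory=set)

    def approve(self, who: str) -> None:
        # Only designated contacts count; whoever opened the request (staff
        # included) gets no implicit vote.
        if who not in self.approvers:
            raise PermissionError(f"{who} is not a designated approver")
        self.approvals.add(who)

    def is_approved(self) -> bool:
        return len(self.approvals) >= self.required

def apply_change(live: Zone, req: ChangeRequest) -> Zone:
    """Commit the proposed zone only once the approval threshold is met."""
    if not req.is_approved():
        raise PermissionError(f"{len(req.approvals)}/{req.required} approvals; held")
    return dict(req.proposed)

def demo() -> dict:
    """Detect the hijack, then show the approval gate holding the same edit."""
    live, proposed = parse_zone(BASELINE), parse_zone(HIJACKED)
    alerts = notify(diff_zones(live, proposed))
    req = ChangeRequest(proposed, required=2, approvers=frozenset({"alice", "bob"}))
    req.approve("alice")                  # first of two required approvals
    try:
        apply_change(live, req)
        held = False
    except PermissionError:
        held = True                       # live zone untouched
    try:
        req.approve("support-agent")      # staff are not designated contacts
        staff_blocked = False
    except PermissionError:
        staff_blocked = True
    req.approve("bob")
    return {"alerts": alerts, "held_after_one": held, "staff_blocked": staff_blocked,
            "committed_after_two": apply_change(live, req) == proposed}
```

Run `demo()` to see the two CRITICAL alerts for the repointed A records, the change being held after a single approval, the support agent's approval being rejected, and the commit succeeding only after the second designated contact approves. In a real deployment the "after" snapshot would come from querying the authoritative nameservers on a schedule, and the notification would go out over a channel the attacker cannot suppress by editing the zone (not an email address hosted in the same zone).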
So what should you do? Take advantage of a free domain portfolio analysis by one of our Domain and DNS security consultants. Simply fill out the quick form on our Domain Name Portfolio Quote page and someone will be in touch as soon as possible. We'll provide a vulnerability analysis and show you how our service not only exceeds expectations in terms of protection level, but also saves you significantly in infrastructure costs and in the lost credibility that follows a DNS hijack attack like the one described here.