Key takeaways

  • On Wednesday, November 1, Frax Finance domains were hijacked following a DNS attack. Fortunately, there have been no reports of loss of user funds.

  • Domain Name System (DNS) attacks are launched by malicious actors who attempt to take over domains and redirect Internet users attempting to visit legitimate websites to malicious sites under their control.

  • DNS attacks are becoming increasingly frequent and worrying in the cryptocurrency space, and the past year has seen a rise in this type of incident.

On November 1, the domains of the cryptocurrency lending platform Frax Finance were hijacked by attackers who attempted to take them over and redirect their traffic to malicious domains. Fortunately, the project team quickly regained control of these domains, and user funds were not put at risk.

Attacks like this one, known as “DNS attacks,” are becoming increasingly common and concerning in the cryptocurrency space. Given that the sector exists entirely online and that large flows of capital circulate within it, hackers who manage to exploit security vulnerabilities stand to gain a great deal. To keep funds safe, it is imperative to inform users and project developers about the latest scam tactics and risk control measures.

This article presents the recent hack suffered by Frax Finance and the lessons to be learned from it, explains what DNS attacks are, and describes how to anticipate them.

What is a DNS server?

First, let's see how a DNS server works. It is one of the core systems that make the Internet easy to navigate. DNS servers translate human-readable domain names into the numeric Internet Protocol (IP) addresses that identify where a website is located on the Internet.

As soon as a user enters a domain name, such as “www.binance.com,” their device sends a query to a DNS server asking for the corresponding IP address. Typically, this request is passed along several DNS servers until the correct address is found.
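To make the query and answer described above concrete, here is an added example (not code from the original article) that builds an A-record query for “www.binance.com” in the DNS wire format of RFC 1035, constructs the response a resolver would send back, and parses it. Everything in the sample message is constructed: the transaction ID, the TTL, and the answer address 203.0.113.10 (taken from the RFC 5737 documentation range, not a real Binance address). The parser also refuses a response whose transaction ID does not match the outstanding query, which is the most basic check a resolver performs against spoofed answers.

```python
import struct

# Added example, not code from the original article. All values below are
# constructed: the transaction ID, the TTL, and the answer address 203.0.113.10
# (from the TEST-NET-3 documentation range, RFC 5737) are sample data only.

QUERY_NAME = "www.binance.com"
QUERY_TXID = 0x1234


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, ending in 0x00."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def build_query(name, txid):
    """Build a standard recursive A-record query in DNS wire format (RFC 1035)."""
    # flags 0x0100: QR=0 (query), RD=1 (recursion desired); one question, no other sections
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A (1), QCLASS=IN (1)
    return header + question


def build_sample_response(query, address, ttl=300):
    """Construct the response a resolver would return for `query` (sample data)."""
    txid = struct.unpack(">H", query[:2])[0]
    # flags 0x8180: QR=1 (response), RD=1, RA=1; echo the question, add one answer
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    rdata = bytes(int(octet) for octet in address.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # two-byte pointer into an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:                    # root label terminates the name
            if end is None:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg, expected_txid):
    """Parse header, question and A answers; refuse a response whose ID does not
    match the outstanding query (a resolver's basic defence against spoofed replies)."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError(f"transaction ID mismatch: got {txid:#06x}, expected {expected_txid:#06x}")
    if not flags & 0x8000:
        raise ValueError("message is a query, not a response")
    offset = 12
    qname, offset = read_name(msg, offset)
    offset += 4                            # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append({"name": name, "ttl": ttl,
                            "address": ".".join(str(b) for b in rdata)})
    return {"txid": txid, "question": qname, "answers": answers}


def resolve_sample():
    """Run the whole round trip on the constructed sample message."""
    query = build_query(QUERY_NAME, QUERY_TXID)
    response = build_sample_response(query, "203.0.113.10")
    return parse_response(response, QUERY_TXID)


if __name__ == "__main__":
    print(resolve_sample())
```

Running the script prints the parsed answer, with the address 203.0.113.10 for “www.binance.com”. The point a practitioner should take away is how little the protocol itself guarantees: whoever answers first with the right transaction ID and question is believed, which is exactly what the cache poisoning described later in the article exploits.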

Think of the Internet as a gigantic, highly complex highway system, where each road leads to a separate website. On these roads, DNS servers act as traffic police, directing cars in the right direction. Browsing the Internet without a DNS server would be a bit like driving in a foreign country without a map, GPS, or road signs: you would almost certainly get lost along the way.

DNS attacks

DNS servers are built on trust. We trust the system to take us to the right website. Convinced that we are on a protected site, we enter sensitive information, including our login credentials, our personal information, and even our banking details. What would happen if one of these servers were compromised by someone with malicious intent?

A DNS attack occurs when a malicious actor diverts you from the legitimate website you want to access and redirects you to a fake site they control. To use the highway metaphor above, it's like someone changing the road signs so that they lead you to a thief's house instead of your own home.

DNS attacks can take place in a variety of ways and employ a variety of methods and techniques, typically to disrupt services or steal sensitive information. The two most common DNS attack techniques are cache poisoning and domain hijacking. In cache poisoning, the attacker feeds false records to a DNS server so that traffic meant for a legitimate website is redirected to a malicious site they control. In domain hijacking, the criminal takes control of the domain itself without the authorization of its rightful owner.

The Frax Finance case

In the recent attack on Frax Finance, hackers attempted to take over the domains “frax.com” and “frax.finance”. When it learned of the attack, the project team quickly informed its community on X (formerly Twitter) and advised Internet users not to access the compromised domains.

The team also contacted its DNS provider (Name.com), which quickly regained control of the domains and rerouted them to the correct nameservers and configurations. Although the investigation into the root cause of the incident is still ongoing, no loss of user funds has been reported.

SSL certificate incompatibility

A Secure Sockets Layer (SSL) certificate is a website's digital passport and a crucial cybersecurity tool. Just as a passport confirms your identity when you travel, an SSL certificate confirms a website's identity to your browser. SSL certificates also ensure that the information exchanged between a computer and a website is encrypted so that it cannot be read by anyone else, a feature that is particularly important for sensitive data such as login credentials.

When a compromised DNS server redirects users to another website, the resulting SSL certificate mismatch effectively warns users that something is wrong with the site. Here is an example.

A concrete example

Let's assume the existence of an original domain named "binancedefiapp.com", hosted on a server with the IP address 192.168.0.1. The DNS server answering for this domain has been compromised: a malicious actor changed the DNS records so that "binancedefiapp.com" now points to IP address 192.168.2.2, where the attacker has uploaded their own malicious copy of the original website. However, the attacker still needs an SSL certificate to give the illusion that the fake website is secure.

If the connection to the website is insecure, that is, the site is served over plain Hypertext Transfer Protocol (HTTP) rather than Hypertext Transfer Protocol Secure (HTTPS), the latter usually indicated by a padlock (or similar icon) in the browser's address bar, this should arouse the suspicion of site visitors.

The attacker cannot obtain an SSL certificate for the domain “binancedefiapp.com” because compromising a single DNS server does not make them the domain's owner. To have a valid certificate issued for a specific domain, they would have to prove to a third-party issuer (a certificate authority) that they control that domain, and control of one DNS server is not enough for that. Any certificate the attacker does present will therefore fail to match the host name, since it was necessarily issued for another domain. When an Internet user visits such a site, the browser checks whether the certificate was issued for the domain currently being viewed. Note that this safeguard relies on the attacker having compromised only a resolver: an attacker who has taken over the domain's registration or its authoritative nameservers, as in domain hijacking, is in a far stronger position to pass an issuer's domain-validation checks, which is one reason the registrar-level protections discussed below matter. If the browser detects a mismatch, it generates the following error:

If this message appears, it is best not to continue to the website in question.
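The browser check described above, as an added example that is not part of the original article: the function below implements the host-name matching a browser performs against a certificate's subjectAltName entries (including the RFC 6125 wildcard rules) and applies it to two constructed certificate records shaped like the dictionaries Python's `ssl.SSLSocket.getpeercert()` returns. The legitimate certificate is for "binancedefiapp.com" as in the text; the attacker's certificate is for the made-up domain "attacker-example.net", standing in for “a certificate issued for another domain”.

```python
import ipaddress

# Added example, not code from the original article. The two certificate
# dictionaries are constructed to mimic the shape returned by
# ssl.SSLSocket.getpeercert(); "attacker-example.net" is a made-up name.

LEGITIMATE_CERT = {
    "subject": ((("commonName", "binancedefiapp.com"),),),
    "subjectAltName": (("DNS", "binancedefiapp.com"), ("DNS", "www.binancedefiapp.com")),
}

# What the attacker in the text can actually present: a certificate that was
# validly issued, but for a domain they own, not for binancedefiapp.com.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker-example.net"),),),
    "subjectAltName": (("DNS", "attacker-example.net"), ("DNS", "*.attacker-example.net")),
}


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname, following the
    wildcard rules of RFC 6125 section 6.4.3: a wildcard may only be the
    whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                      # partial or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False                      # "*.com" would cover a whole top-level domain
    if len(p_labels) != len(h_labels):
        return False                      # "*.example.com" does not match "example.com"
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(cert, hostname):
    """Return True if the certificate is valid for `hostname`, the check a
    browser performs before it shows a padlock."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the address bar is matched only against iPAddress SAN entries
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # When the SAN extension lists DNS names, the subject commonName is ignored
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    # Legacy fallback for certificates that carry no SAN extension at all
    return any(key == "commonName" and _dns_name_matches(value, hostname)
               for rdn in cert.get("subject", ()) for key, value in rdn)


def browser_verdict(cert, hostname):
    """Summarise the outcome the way a browser warning page would."""
    if certificate_matches_host(cert, hostname):
        return f"OK: certificate is valid for {hostname}"
    presented = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return (f"CERTIFICATE MISMATCH: {hostname} is not covered by a certificate "
            f"issued for {', '.join(presented)}")


if __name__ == "__main__":
    # The user typed binancedefiapp.com but DNS sent them to the attacker's server
    print(browser_verdict(ATTACKER_CERT, "binancedefiapp.com"))
    print(browser_verdict(LEGITIMATE_CERT, "www.binancedefiapp.com"))
```

The first line printed is the mismatch the article describes: the attacker's certificate is genuine, but it was never issued for "binancedefiapp.com", so no amount of DNS tampering makes it match. The second line is the normal case.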

Internal and external DNS servers

There are a great many DNS servers on the Internet, so it is not possible to poison them all. Internal DNS servers, for example those operating within a closed environment (a corporate network or a custom DNS server), are easier targets than public DNS servers such as Google's open resolvers.

Although Google's DNS servers are also at risk of poisoning, the probability of this happening remains relatively low, and if they were affected, their teams would certainly react and alert Internet users very promptly. In contrast, standalone or custom DNS servers are often less closely monitored and less secure. It is generally recommended to resolve IP addresses using Google's public resolvers or other trusted, publicly available providers.

How to protect yourself from DNS attacks?

DNS security risks generally fall into two broad categories: infection of end-user devices and compromise of DNS servers. The advice for avoiding becoming a victim differs between the two cases.

If the end user's device is compromised:

The end user's device is controlled or infected by an attacker, who poisons its DNS cache or hijacks the domain locally. Here is what the end user can do in this scenario:

  • Do not click on suspicious links or install software or browser plug-ins from unknown sources.

  • Do not use public Wi-Fi networks of uncertain security.

  • Clear the DNS cache regularly.

  • Run regular scans to detect the presence of malware on devices.

Unfortunately, most problems arise on the client or end-user side, where project developers have no way to eliminate the danger permanently. A project team is very rarely aware that a user's DNS has been tampered with; apart from setting up channels through which affected users can report problems afterwards, all it can do is proactively inform users about these threats.

If the DNS server is compromised:

A hacker exploits security vulnerabilities or uses social engineering to take control of DNS servers, which often results in changes to DNS records. Here is what the end user can do in this scenario:

  • Check that the domain name of the website they are accessing is spelled correctly.

  • Make sure the site uses the HTTPS protocol and that the browser does not display any security warnings.

  • Before performing sensitive operations (for example, entering a password or mnemonic phrase), double-check the validity of the website certificate.

  • Install browser security extensions from reputable security companies that detect website anomalies and warn when a user is about to grant an unusually large number of approvals or transfer funds to wallets flagged as high risk.

Here is what the project developer can do in this scenario:

  • Opt for reliable and reputable domain providers, and create a team dedicated to monitoring and quickly resolving domain-related anomaly alerts.

  • Implement automated monitoring systems to quickly detect anomalies in the domain's DNS resolution results, as well as malicious scripts and elements on the pages it serves.
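As an added example of the automated monitoring recommended above (and of the anomaly alerts a dedicated team would triage, per the previous point), the script below compares what public resolvers currently return for a domain against an approved baseline and emits severity-ranked alerts. It is not code from the original article or from Frax Finance: the domain "example-defi.com", the nameserver hosts and all IP addresses are constructed placeholders (addresses come from the RFC 5737 documentation ranges), and the two observations are hand-built rather than fetched from the network. A change in nameserver delegation is ranked highest because that is how a registrar-level takeover, like the one described in the Frax Finance case, looks from the outside.

```python
from dataclasses import dataclass

# Added example, not code from the original article. The domain
# "example-defi.com", the nameserver hosts and all IP addresses are constructed
# placeholders (addresses come from the RFC 5737 documentation ranges).


@dataclass(frozen=True)
class DnsSnapshot:
    """What a monitoring job observed for one domain at one point in time."""
    domain: str
    observed_at: str
    a_records: frozenset          # IPv4 addresses returned for the domain
    nameservers: frozenset        # NS delegation as seen from public resolvers


# The approved configuration, reviewed by the team and stored out-of-band,
# so that a hijacked zone cannot also rewrite the baseline.
BASELINE = {
    "example-defi.com": {
        "a_records": frozenset({"203.0.113.10", "203.0.113.11"}),
        "nameservers": frozenset({"ns1.example-registrar.net", "ns2.example-registrar.net"}),
    },
}


def detect_dns_anomalies(baseline, snapshot):
    """Compare an observation with the baseline and return (severity, message) alerts.

    A nameserver change is CRITICAL: redelegating the domain hands an attacker
    every record in the zone. Addresses outside the allowlist are HIGH: traffic
    is being steered to hosts the team does not own."""
    expected = baseline.get(snapshot.domain)
    if expected is None:
        return [("MEDIUM", f"{snapshot.domain}: no baseline on file, cannot validate")]
    alerts = []
    if snapshot.nameservers != expected["nameservers"]:
        alerts.append(("CRITICAL",
                       f"{snapshot.domain}: NS delegation changed to "
                       f"{sorted(snapshot.nameservers)} (expected {sorted(expected['nameservers'])})"))
    rogue = snapshot.a_records - expected["a_records"]
    if rogue:
        alerts.append(("HIGH", f"{snapshot.domain}: A records not in allowlist: {sorted(rogue)}"))
    missing = expected["a_records"] - snapshot.a_records
    if missing and not (snapshot.a_records & expected["a_records"]):
        alerts.append(("HIGH", f"{snapshot.domain}: resolution returned none of the approved addresses"))
    elif missing:
        # Partial drift, e.g. one approved host rotated out; worth a look, not a page-out
        alerts.append(("LOW", f"{snapshot.domain}: approved addresses not currently served: {sorted(missing)}"))
    return alerts


def highest_severity(alerts):
    """Reduce a list of alerts to the single level an on-call rotation pages on."""
    order = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((severity for severity, _ in alerts), key=order.get, default="NONE")


# Constructed observations: a normal one, and one resembling a registrar-level hijack
HEALTHY = DnsSnapshot("example-defi.com", "2023-11-01T08:00:00Z",
                      frozenset({"203.0.113.10", "203.0.113.11"}),
                      frozenset({"ns1.example-registrar.net", "ns2.example-registrar.net"}))
HIJACKED = DnsSnapshot("example-defi.com", "2023-11-01T09:00:00Z",
                       frozenset({"198.51.100.7"}),
                       frozenset({"ns1.attacker-example.net", "ns2.attacker-example.net"}))

if __name__ == "__main__":
    for snapshot in (HEALTHY, HIJACKED):
        found = detect_dns_anomalies(BASELINE, snapshot)
        print(snapshot.observed_at, highest_severity(found))
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

In a real deployment the snapshots would be produced by a scheduled job querying several independent public resolvers (so that a single poisoned resolver does not produce a false alarm or mask a real one), and the baseline would live in version control or a secrets store outside the DNS provider's account.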

It is essential to understand and correct potential vulnerabilities in DNS management. By adopting the recommended measures, users and project teams can better protect themselves from DNS-related security weaknesses.

Protect your servers

DNS attacks unfortunately constitute a very real threat in an emerging sector such as crypto, and they are becoming increasingly frequent. The damage they are capable of causing can be devastating and put user funds at risk.

Last year, Curve Finance suffered a DNS attack that resulted in the theft of over $570,000 in ETH from user wallets. Fortunately, Binance’s investigations team was able to help recover the majority of the stolen funds. More recently, large-scale DNS attacks were launched on the Balancer and Galxe protocols in September and October respectively.

For the crypto universe to develop sustainably, our sector must prioritize building a secure ecosystem. We hope that project developers and users can learn from this article and understand why it is so important to guard against DNS attacks. Together we can build a safer ecosystem to secure the future of crypto.

For more information

  • The Most Common Crypto Scams in 2023 and How to Avoid Them

  • The Complete Guide to the Most Common Crypto Scams

  • Secure Your Binance Account in Seven Simple Steps