Friday’s eth.limo hijacking caused by social engineering in EasyDNS

Ethereum Name Service gateway eth.limo revealed that Friday’s domain hijacking was caused by a social engineering attack against EasyDNS, a domain name service provider.

According to the post-mortem published by eth.limo on Saturday, an attacker impersonated one of its team members to initiate the account recovery process at easyDNS, gaining access to the eth.limo account and the ability to change its domain settings.

“NS records were changed and directed to Cloudflare… Once we understood that a DNS hijack had occurred, we immediately notified the community, as well as Vitalik Buterin and others. We then began contacting EasyDNS in an attempt to respond to the incident,” the company said.

Eth.limo serves as a Web2 bridge, providing access to approximately 2 million decentralized websites that use the .eth domain name. Hijacking the service could allow an attacker to redirect users to malicious websites. Ethereum co-founder Vitalik Buterin warned users on Friday to avoid his blog until the incident was resolved.

Mark Jeftovic, CEO of easyDNS, has publicly accepted responsibility for the incident in his own post-mortem report.

“We screwed up and we’re done with it,” Jeftovic said on Saturday.

“This would mark the first successful social engineering attack on an easyDNS client in our 28-year history. There have been countless attempts.”

Both companies credited Domain Name System Security Extensions (DNSSEC) with thwarting the attacker’s attempts to cause further damage.

The attacker was unable to generate valid cryptographic signatures for the zone, so validating resolvers rejected the attacker’s spoofed DNS responses; users saw error messages instead of being redirected to malicious sites.

“They had DNSSEC enabled on their domain when attackers tried to change their name servers, possibly to commit a phishing attack or malware injection. DNSSEC-enabled resolvers, most of them now, started dropping queries,” Jeftovic said.

Source: eth.limo

In its post-mortem, eth.limo noted that the attacker did not have the signing keys and was unable to bypass security, which likely “reduced the hijack’s blast radius. We are not aware of any impact to the user at this time. We will provide updates if this changes.”

easyDNS has been making changes since the attack

Jeftovic described the social engineering attack as “highly sophisticated” and said easyDNS was still conducting a post-mortem to determine how the breach occurred and had already started making changes to prevent it from happening again.

Source: easyDNS

“For eth.limo, we will be migrating them to Domainsure, which has a level of security more suitable for high-value enterprise and fintech domains. TLDR does not have an account recovery mechanism with Domainsure, so that is not an option,” he added.

“On behalf of everyone here, I apologize to the eth.limo team and the broader Ethereum community. ENS has always held a special place in our hearts as the first registrar to enable ENS to connect to web2 domains, and we have been involved in this space since 2017.”

The eth.limo incident is the latest in a series of domain takeovers targeting crypto projects. A few days earlier, decentralized exchange aggregator CoW Swap lost control of its website after an unknown party took over its domain.

Similarly, Steakhouse Financial, a DeFi advisory and research firm, revealed in late March that it had lost control of its domain to an attacker.

Cointelegraph is committed to independent and transparent journalism. This news article has been produced in accordance with Cointelegraph’s Editorial Policy and is intended to provide accurate and up-to-date information. Readers are encouraged to verify the information themselves. Read our Editorial Policy: https://cointelegraph.com/editorial-policy
