Postmortem Report of DNS Hijacking

C.R.E.A.M. · Published in C.R.E.A.M. Finance · Mar 17, 2021 · 3 min read

Intro

Hi C.R.E.A.M. community! Firstly, we want to thank the community for all of their support while we worked to fix the DNS hijacking issue. We want to assure you all that all funds are safe, and we have regained control over our DNS! We could not have done it without the support of our community and partners.

We want to be as transparent as possible, so let us give you a rundown on what exactly happened:

What Happened?

On March 15, C.R.E.A.M. Finance encountered DNS hijacking. Our GoDaddy account was compromised, redirecting users to a phishing page.

After taking immediate action to deal with the crisis, we reclaimed ownership of our domain within a few hours.

Timeline

(in Taipei time, UTC +8)

  • 3/15, 7:30 pm: The website was down; users reported a website outage.
  • 3/15, 7:34 pm: The GoDaddy DNS CNAME record was not pointing to our hosting IP, consistent with the website outage.
  • 3/15, 7:35 pm: Updated the DNS A record to the correct IP; began root-cause analysis. Noticed the phishing page for the first time.
  • 3/15, 7:43 pm: Noticed DNS cache pollution, consistent with user reports; began DNS migration to Cloudflare.
  • 3/15, 8:23 pm: Discovered that our GoDaddy login credentials were compromised and that we could not log in.
  • 3/15, 8:45 pm: While attempting to regain access to our GoDaddy account, we contacted our friends at CoinGecko, CoinMarketCap and imToken to update our website link and put up warning messages.
  • 3/15, 8:55 pm: We set up a war room on Telegram to meet and discuss how to recover our DNS while keeping users' funds safe.
  • 3/15, 9:10 pm: We announced on Twitter that our domain was hijacked and warned users not to provide their seed phrase to anyone.
  • 3/15, 10:27 pm: PancakeSwap tweeted that their website was down too, and they suspected that they had encountered a situation similar to ours.
  • 3/15, 11:00 pm: We put up two alternative websites for users to continue using C.R.E.A.M. Finance.
  • 3/16, 00:49 am: We reclaimed ownership of the domain with the help of GoDaddy, and started to recover the service and ensure its security.
  • 3/16, 01:48 am: The website returned to normal, while some regions were still affected as DNS propagation continued.
  • 3/16, 02:26 am: We announced on Twitter that we had reclaimed domain ownership.
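The 7:34 pm and 7:43 pm entries describe two distinct signals a monitor can catch: a record that no longer points at the expected host, and resolvers that keep serving the old answer after the record is corrected. The following is an added example (not C.R.E.A.M.'s code) that flags both, plus any name in the answer chain we never publish, from answers collected per resolver; the names, addresses and resolvers are constructed placeholders.

```python
from collections import defaultdict

# Allowlist of the records we publish (hypothetical names/addresses, not the project's real ones).
EXPECTED = {
    ("app.example.com.", "CNAME"): {"hosting.example.net."},
    ("hosting.example.net.", "A"): {"203.0.113.10"},
}

# Constructed answers in the shape of `dig +short <name> <type> @<resolver>` output,
# collected from several public resolvers shortly after the record was corrected.
OBSERVED = [
    ("8.8.8.8", "app.example.com.", "CNAME", "hosting.example.net."),
    ("8.8.8.8", "hosting.example.net.", "A", "203.0.113.10"),
    ("1.1.1.1", "app.example.com.", "CNAME", "phish.example.org."),  # still serving the hijacked answer
    ("1.1.1.1", "phish.example.org.", "A", "198.51.100.7"),
    ("9.9.9.9", "app.example.com.", "CNAME", "hosting.example.net."),
    ("9.9.9.9", "hosting.example.net.", "A", "203.0.113.10"),
]


def group_answers(observed):
    """Index answers as {(name, rtype): {resolver: set(values)}}."""
    index = defaultdict(lambda: defaultdict(set))
    for resolver, name, rtype, value in observed:
        index[(name, rtype)][resolver].add(value)
    return index


def audit_dns(expected, observed):
    """Return findings as (kind, name, rtype, resolver, detail) tuples.
    UNEXPECTED_RECORD:     a resolver returned a value outside the allowlist (record was changed)
    RESOLVER_DISAGREEMENT: resolvers return different answer sets (stale/polluted caches after a fix)
    UNTRACKED_NAME:        an answer for a name we never publish (an injected hop in a CNAME chain)
    """
    findings = []
    index = group_answers(observed)
    for (name, rtype), allowed in expected.items():
        per_resolver = index.get((name, rtype), {})
        if len({frozenset(v) for v in per_resolver.values()}) > 1:
            findings.append(("RESOLVER_DISAGREEMENT", name, rtype, None,
                             {r: sorted(v) for r, v in per_resolver.items()}))
        for resolver, values in per_resolver.items():
            if not values <= allowed:
                findings.append(("UNEXPECTED_RECORD", name, rtype, resolver, sorted(values - allowed)))
    for (name, rtype), per_resolver in index.items():
        if (name, rtype) not in expected:
            for resolver, values in per_resolver.items():
                findings.append(("UNTRACKED_NAME", name, rtype, resolver, sorted(values)))
    return findings
```

Calling `audit_dns(EXPECTED, OBSERVED)` on the constructed data yields three findings, all attributable to the one resolver still holding the hijacked answer; once that cache expires the audit returns an empty list.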

How It Affected Our Users

Our smart contracts remain safe along with user funds throughout this attack. The DNS hijacking only affected our website, and has nothing to do with our contracts. C.R.E.A.M. Finance user funds were SAFU throughout the event.

We would like to thank our friends who responded quickly to help us recover from this incident, including Azeem and the Armor.Fi team, CoinGecko, CoinMarketCap, dudesahn, imToken, Jimmy (Binance), johnnykrammer, nymmrx, PancakeSwap, Tempo (Perpetual Protocol) and YAP Global.

Cream-finance.eth.link

We have deployed our frontend on IPFS. With a decentralized frontend on IPFS, we can ensure that our users will be able to access the services we deploy. And unlike with GoDaddy, we have full control of the ENS record, which will prevent attacks like this in the future.

Investigation Progress

After bringing back the service, we’ve spent some time investigating how the attacker hijacked our DNS, and this is what we know:

  • We use Google SSO to access our GoDaddy account. No username or password could have been used to access our GoDaddy account.
  • According to the activity log, our Google account was never compromised.
  • The first unusual behavior in the GoDaddy activity log is a password reset request sent to the attacker's email address, but there is no record of an email address change.
  • We reproduced the scenario and found that if we sign in to GoDaddy with a Google account and change the email address, there is a record of the email address change, which is not what we experienced.
  • We can access only part of the activity log on GoDaddy. An unexpected error shows up when we try to access all the logs.
  • PancakeSwap also used GoDaddy, and they confirmed that it's the same attacker IP in both of our activity logs.

We will update this post with any additional findings as they become available.

Final Words

Please remember that we will never ask you to submit any private key or seed phrase! We appreciate your patience throughout this process, and thank you all for being part of the C.R.E.A.M. community.
