Phishing attacks on Pancake Swap and Cream Finance

Keerthi Nelaturu
3 min read, May 17, 2021

Just came across the phishing attack that happened on Pancake Swap and Cream Finance on March 15th 2021. A brief anatomy of the attack is worth writing up so that everybody using DeFi platforms is aware of the type of exploits that can happen.

What is a phishing attack?

As noted in [3], it is a type of social engineering attack in which user data such as passwords and credit card numbers are stolen by making the end-user believe that the application they are using is authentic. The attacker creates a malicious facade on top of an existing application that the user is trying to access. Phishing attacks are not new; they have existed for a long time. A simple example is clicking an unknown link in an email from a make-believe known sender.

There can be different types of phishing attacks. Some of the common types are listed below:

  1. Email phishing — The attacker sends out random emails that can give a lead on personal information.
  2. Spear phishing — Instead of attacking a random individual, this is done to an individual whose information is already available to the attacker.
  3. Whaling — Targeted towards senior executives. General email phishing with fake links and malicious URLs doesn’t work in these cases; the attacker targets them with a specific purpose. Example: bogus tax returns.
  4. Smishing and vishing — Using a phone/mobile call instead of email. Smishing is done by texting the recipient and vishing by explicitly placing a call. Example: calling a victim posing as a fraud investigator.
  5. Angler phishing — Based on the latest social media platforms. This is done by creating fake URLs, cloned websites, instant messaging, etc., and can be used to lure the victim into downloading malware.

How was this done on Pancake Swap and Cream Finance?

Pancake Swap and Cream Finance are both DeFi platforms that users can log in to using Metamask. Metamask is a browser extension that can be used to connect with individual wallets. On Monday, May 15th, when users tried to log in to their accounts using Metamask on these two applications, a new window popped up. This window, shown in the screenshot below, asks the user to type in their seed phrase.

A screenshot of Pancake swap showing the pop-up asking for seed phrase (source: cointelegraph)

The attacker used a DNS (Domain Name System) hijack to execute this phishing technique. In a DNS hijack the attacker takes control of a DNS name. A DNS name resolves to the server that a web request is to be served from, and the attacker points the name at a server they control. This way, when any user tries to reach either of the two platforms, they are served from a different server than the one the platform registered. In this case, the hijacker takes the seed phrase that the user unknowingly enters and can drain the accounts. Below is a Twitter message from Cream Finance asking users not to enter their passphrase in the pop-up.

Note: Both platforms are back to normal and have fixed the issue with their DNS.
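One defensive check that follows from the DNS hijack described above is to pin the addresses a domain is known to resolve to and compare what several resolvers actually return. The following is an added example, not code from the original post or from either platform; the domain name, resolver names and IP addresses are constructed placeholders from documentation ranges.

```python
# Added example (not from the original post): flag a possible DNS hijack by comparing
# the A records several resolvers return for a domain against a pinned, known-good set.
# Domain names and addresses below are constructed placeholders from documentation ranges.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    domain: str
    resolver: str
    reason: str


def check_resolutions(pinned, observed):
    """Compare observed answers with the pinned baseline.

    pinned:   {domain: set of expected IPv4 strings}
    observed: {domain: {resolver_name: set of IPv4 strings actually returned}}
    Returns a list of Finding, empty when every answer matches the baseline.
    """
    findings = []
    for domain, per_resolver in observed.items():
        expected = pinned.get(domain)
        if expected is None:
            findings.append(Finding(domain, "*", "no pinned baseline for this domain"))
            continue
        for resolver, answers in per_resolver.items():
            if not answers:
                findings.append(Finding(domain, resolver, "empty answer (possible blackhole)"))
                continue
            unexpected = answers - expected
            if unexpected:
                findings.append(Finding(domain, resolver,
                                        f"unexpected address(es) {sorted(unexpected)}"))
        # Resolvers that disagree with each other are a second, independent signal:
        # a hijacked zone propagates unevenly, so some caches still hold the old records.
        if len({frozenset(a) for a in per_resolver.values()}) > 1:
            findings.append(Finding(domain, "*", "resolvers disagree with each other"))
    return findings


# Constructed sample: the baseline is what the operator pinned on a known-good day.
PINNED = {"dapp.example": {"192.0.2.10", "192.0.2.11"}}

# Constructed observations: one resolver returns the pinned records, the other
# (serving a hijacked zone) returns an address the operator never registered.
OBSERVED = {"dapp.example": {"resolver-a": {"192.0.2.10", "192.0.2.11"},
                             "resolver-b": {"198.51.100.7"}}}

if __name__ == "__main__":
    for f in check_resolutions(PINNED, OBSERVED):
        print(f"{f.domain} via {f.resolver}: {f.reason}")
```

In practice the `OBSERVED` dictionary would be filled from the output of queries against independent public resolvers, and a finding against a production domain is a reason to warn users before they connect a wallet.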

How to avoid phishing attacks?

  • As a general rule, always check the sender's email address. Unless it is a familiar or known address, do not follow up on or click any of the content in the email.
  • On your work email, if a message is tagged as external (which most email clients do) and comes from an unknown account, do not click any URLs or respond to it.
  • For the special case of this hack: never submit a seed phrase to connect your account. Connecting a wallet to a DeFi site never requires the seed phrase, so a site asking for it is not the authentic source.
  • Do not enter information into random pop-ups at any time.
  • Use an ad-blocker in your browser to disable pop-ups.
  • Use a hardware wallet to connect to your account.

References

  1. https://cointelegraph.com/news/phishing-attack-uses-pancakeswap-and-cream-domains-to-steal-money
  2. https://www.theblockcrypto.com/linked/98353/defi-pancakeswap-cream-dns-hijackings
  3. https://www.imperva.com/learn/application-security/phishing-attack-scam/
  4. https://www.itgovernance.eu/blog/en/the-5-most-common-types-of-phishing-attack

Keerthi Nelaturu

PhD Candidate at University of Toronto. Want to learn and write about everything in Computer Science. Photographer.