Summary:
Just as in web2, the web3 world continues to see threats and threat actors of varying sophistication. In October 2023, Galxe.com, a prominent rewards provider in the Web3 space, suffered a security breach that affected around 1,120 users and resulted in approximately $270,000 USD being stolen. The incident is a stark reminder of how hard it is to defend the full attack surface of a web3 business, not just its on-chain components.
What happened?
On October 6th, 2023, Galxe.com suffered a security breach affecting its main web application in a “smash and grab” style DNS hijacking attack. According to the Galxe.com post-mortem, a threat actor impersonated an authorized member of Galxe and contacted Dynadot support, the domain service provider. Using falsified documentation, the attacker bypassed Dynadot's verification process and gained unauthorized access to Galxe.com's registrar account and DNS records. They then modified the DNS records to redirect visitors to a phishing site that prompted users to approve a malicious transaction draining their wallets. The breach unfolded in a series of events that required swift and strategic responses from the Galxe team:
Social Engineering Attack (2023/10/06 04:00 PDT): The attacker executed a social engineering attack against Dynadot, Galxe.com's DNS registrar. Using forged documentation of the account owner, they successfully bypassed Dynadot's security process, gaining access to Galxe.com's Dynadot account.
DNS Modification (2023/10/06 06:02 PDT): The attacker modified the NS records of Galxe.com, redirecting website visitors to a phishing site. As the malicious change propagated, users were progressively rerouted to the fraudulent site, where a pop-up prompted them to approve a transaction, effectively draining their wallets.
Identification and Investigation (2023/10/06 07:20 PDT): Galxe.com's security team identified the issue and initiated a comprehensive investigation into the breach.
Communication and Community Notifications (2023/10/06 07:38 PDT): Upon fully discerning the scope and nature of the attack, Galxe.com began communicating with Dynadot to reclaim their account. Simultaneously, they informed their community and partners about the breach through various channels, including Discord and X, ensuring users received real-time updates.
Backend Security Measures (2023/10/06 07:45 PDT): To prevent any possible unauthorized access, Galxe.com's engineering team took down the API gateway to the backend. All access tokens were revoked to enhance security.
Further Updates and Communications (2023/10/06 08:00 PDT): Galxe.com continued providing updates and communications across all channels to keep users informed and reassured.
DNS Record Clearance (2023/10/06 09:00 PDT): Dynadot cleared the DNS record for Galxe.com, further mitigating the impact.
Recovery (2023/10/06 09:23 PDT): Galxe.com successfully recovered the account and restored the Name Service records of Galxe.com. However, due to DNS propagation delays, some users could still be routed to the deceptive site. As a precaution, Galxe.com decided to keep the platform offline temporarily, advising users to remain vigilant.
Lessons Learned
This incident is an example of an unsophisticated “smash and grab” attack achieving some level of success. It mirrors tradecraft observed in the September balancer.fi incident. We expect the frequency of these incidents to increase as classic web2 attacks such as DNS takeover continue to succeed against web3 businesses. Here are some account security and DNS security strategies anyone can use to secure their business:
Enable 2FA with a hardware second factor: 2-factor authentication is one of the most effective security controls against phishing attacks. A 2-factor solution should not rely on SMS; prefer a hardware key such as a YubiKey, or at the very minimum an authenticator application, for critical functions such as registrar and DNS accounts.
Consider enabling DNSSEC: DNSSEC protects against tampering by digitally signing DNS data so that resolvers can verify its validity. For a lookup to be fully secured, signing must happen at every level of the DNS lookup process, so DNSSEC implements a hierarchical signing policy across all layers of DNS. For example, in the case of a ‘google.com’ lookup, a root DNS server signs a key for the .COM nameserver, and the .COM nameserver in turn signs a key for google.com’s authoritative nameserver. Not all providers offer DNSSEC, but where available it is effective at preventing tampering with DNS responses.
Monitor for unauthorized activity: With attacks on web2 infrastructure on the rise, it's important not to neglect corporate security. Anti-virus, threat hunting, annual training, security awareness training, and other security practices keep your organization alert to these types of threats. It's also critical to have logging and monitoring processes in place so that an anomaly, such as an unexpected change to your domain's NS records, is identified and acted on quickly to limit the impact of an incident.
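The monitoring point above is the one control that could have shortened the window between the NS change (06:02 PDT) and its detection (07:20 PDT). The following is an added example, not code from Galxe.com or Dynadot: a small Python monitor that compares the NS records a resolver currently returns for a domain against an allow-list of the nameservers you actually delegated to, and reports any drift. The domain, the allow-listed nameservers, the attacker-style records in the sample data, and the `dig` invocation are all assumptions chosen for illustration.

```python
"""NS-record drift monitor (added example; not Galxe's or Dynadot's code)."""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Iterable, List


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


@dataclass
class DriftReport:
    domain: str
    unexpected: List[str] = field(default_factory=list)  # NS records not in the allow-list
    missing: List[str] = field(default_factory=list)     # allow-listed NS records no longer served

    @property
    def drifted(self) -> bool:
        return bool(self.unexpected or self.missing)


def detect_ns_drift(domain: str, expected_ns: Iterable[str], observed_ns: Iterable[str]) -> DriftReport:
    """Set-compare normalized NS names. Ordering and case differences are not drift;
    any nameserver outside the allow-list, or any allow-listed one that vanished, is."""
    expected = {normalize(n) for n in expected_ns}
    observed = {normalize(n) for n in observed_ns}
    return DriftReport(
        domain=domain,
        unexpected=sorted(observed - expected),
        missing=sorted(expected - observed),
    )


def query_ns_with_dig(domain: str, resolver: str = "1.1.1.1") -> List[str]:
    """Live lookup through the `dig` CLI (assumes dig is installed on PATH).
    Asking a public recursive resolver shows what victims would see; asking the
    parent zone's servers directly (e.g. a .com gTLD server) shows the delegation
    the registrar published, before recursive caches expire."""
    out = subprocess.run(
        ["dig", "+short", "NS", domain, "@" + resolver],
        capture_output=True, text=True, check=True, timeout=10,
    ).stdout
    return [line for line in out.splitlines() if line.strip()]


def check_domain(domain: str, expected_ns: Iterable[str],
                 fetch: Callable[[str], List[str]] = query_ns_with_dig) -> DriftReport:
    """One monitoring pass. `fetch` is injectable so the logic can be exercised offline."""
    return detect_ns_drift(domain, expected_ns, fetch(domain))


def format_alert(report: DriftReport) -> str:
    """Human-readable line for a pager or chat alert; empty string when nothing drifted."""
    if not report.drifted:
        return ""
    parts = [f"NS DRIFT for {report.domain}:"]
    if report.unexpected:
        parts.append("unexpected=" + ",".join(report.unexpected))
    if report.missing:
        parts.append("missing=" + ",".join(report.missing))
    return " ".join(parts)


# Constructed sample data (hypothetical domain and nameservers, not real records).
EXPECTED_NS = ["ns1.example-dns.net.", "ns2.example-dns.net."]
OBSERVED_HEALTHY = ["NS2.example-dns.net.", "ns1.example-dns.net."]          # same set, different order/case
OBSERVED_HIJACKED = ["ns1.attacker-controlled.example.", "ns2.attacker-controlled.example."]


if __name__ == "__main__":
    # Offline demonstration with the constructed data above.
    print(format_alert(check_domain("example.com", EXPECTED_NS, lambda d: OBSERVED_HEALTHY)) or "healthy")
    print(format_alert(check_domain("example.com", EXPECTED_NS, lambda d: OBSERVED_HIJACKED)))
    # Live check (uncomment; requires network and dig):
    # print(format_alert(check_domain("example.com", EXPECTED_NS)) or "healthy")
```

Run this from cron or a scheduler every few minutes against both a public resolver and the parent zone's servers, and page on any non-empty alert. One caveat worth stating plainly: DNSSEC does not defend against this incident's root cause, because an attacker holding the registrar account can rewrite the NS and DS records at the parent just as Galxe's NS records were rewritten; registrar-level monitoring of the delegation, plus hardware-backed 2FA on the registrar account, is what closes that gap.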
Conclusion:
The Galxe.com security breach underscores the importance of proactive security measures in the Web3 space. While the incident had real impact, the swift response, communication, and security measures implemented by Galxe.com demonstrated a commitment to user protection and recovery. As the Web3 ecosystem continues to evolve, incidents like this serve as valuable lessons for both platforms and users. Vigilance, continuous improvement of security practices, and user education are key to strengthening the security of the ecosystem.