Bitcoin Wallet Service Coerced to Take Service Offline
A Bitcoin paper wallet with QR codes and a coin, Paris, May 27, 2015. Reuters
Blockchain.info, one of the most popular online Bitcoin wallet services in the world, was compelled to take its service offline last week after suffering a DNS hijack that left its 8 million-strong userbase vulnerable to cyberattack.
The digital currency service claims to handle up to 100,000 Bitcoin transactions in a single day, so it was little surprise that reports of the DNS attack quickly spread to message boards such as Reddit and to social media platforms.
Upon analysis, Blockchain.info administrators found that the website's Domain Name System (DNS) records had been altered to redirect anyone visiting the site to a potentially malicious URL hosted at a cheap hosting provider located in the US.
After discovering the hijack, the team was compelled to take down the site. Notifying worried users on Reddit, the team wrote: "Our DNS provider was targeted. It's going to be several hours before our services are fully restored. The CloudFlare DNS is propagating now."
During the attack, users were left particularly at risk of bitcoin theft or malware infection. A DNS hijack typically lets an attacker redirect unsuspecting users to a malicious web page that steals private details or financial information.
Fortunately for users, the correct domain was re-established less than 24 hours after discovery of the incident. In a statement, the team said: "Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue."
It continued: "To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience."
In a blog post, Artsiom Holub, a security researcher at OpenDNS, wrote that hijacking attacks of this nature are an increasingly popular and "effective" mechanism now used by cybercriminals.
‘Treat your bitcoin wallet as your real one’
"Bitcoins and blockchain technology might replace traditional banking, but first it is the community that has to solve a lot of security problems," he said. "Bitcoin wallets and companies are being targeted by criminals more and more as they face lighter schemes to launder stolen funds.
"Traditional banks have controls to detect and prevent laundering schemes but in the crypto currency world we face bitcoin mixers that make the tracking of stolen funds a complicated challenge.
"In this case no harm or hack was done to the servers of the targeted companies, but attackers were able to switch DNS records to redirect users to a totally different set of machines. Controlling a domain name permits attackers to potentially gather credentials of the wallets. So treat your bitcoin wallet as your real one, and be aware of the ongoing malicious campaigns."
At the time of writing, the Blockchain.info website has regained functionality. "All services have been restored and are running normally," the team wrote on Twitter. "We apologize for the long wait, and we’ll proceed to monitor things closely."
At approximately 5:42 AM EST, the attacker switched Blockchain.info's DNS servers. Within minutes, our internal systems alerted our infrastructure team, who immediately began to assess the attack.
Control over our DNS servers is very restricted and goes beyond industry standard protections against configuration switches. We were able to access our administrative accounts with our registrar and regain control. Unluckily, it became clear the attackers gained access to our accounts through breaching the systems of our DNS registrar.
In an abundance of caution, we shut down our entire platform until we investigated the total extent of the attack. After making offline high-level contact with our registrar, we quickly determined that our registrar's systems were breached by a very sophisticated attack against the registrar's infrastructure and not Blockchain's infrastructure. Our registrar was able to manually regain control and revert the DNS switches.
While we waited for the fix to propagate across the internet, we investigated the malicious site to which the attacker had redirected traffic. We determined that due to the attacker using a self-signed SSL certificate, users using modern browsers—which the wallet requires—were prevented from being exposed to the phishing site. Due to the quick response of our team, the attacker’s DNS switches were permitted only to propagate partially across the Internet. We were also able to locate the owners of the compromised machine being used by the attackers and have it shut down.
After a full check of our own systems and complete propagation of the correct DNS servers, we brought our platform back online at 1:20 PM EST. To mitigate the attack vector at our registrar, we have implemented extra manual, offline controls.
Ultimately, any disruption in service is something we take seriously and we extend our sincere apologies. While we sometimes remain offline for longer than necessary, we do so out of an abundance of caution while we check to ensure all systems are fully protected and functional.
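The statement above describes internal systems that alerted the team within minutes of the NS switch, and a hijack that had only partially propagated when it was reverted. The following is an added example, not Blockchain.info's monitoring code, of the kind of check that produces such an alert: it compares the NS and A records several resolvers return for a domain against pinned expected values and reports which resolvers have already picked up a change. The nameserver names, IP ranges and resolver answers are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Pinned "known-good" state for the domain (constructed, hypothetical values).
EXPECTED = {
    "ns": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "a_prefixes": ["198.51.100.0/24"],  # documentation range, stands in for the real netblock
}


def check_resolver_answer(resolver: str, answer: Dict[str, List[str]], expected=EXPECTED) -> List[str]:
    """Return findings for one resolver's answer; an empty list means it matches the pinned state."""
    findings = []
    unexpected_ns = set(answer.get("NS", [])) - expected["ns"]
    if unexpected_ns:
        findings.append(f"{resolver}: NS changed to {sorted(unexpected_ns)}")
    prefixes = [ipaddress.ip_network(p) for p in expected["a_prefixes"]]
    for ip in answer.get("A", []):
        if not any(ipaddress.ip_address(ip) in p for p in prefixes):
            findings.append(f"{resolver}: A record {ip} outside expected ranges")
    return findings


def detect_partial_hijack(answers: Dict[str, Dict[str, List[str]]], expected=EXPECTED) -> Dict[str, List[str]]:
    """Run the check against every resolver's answer. Disagreement between resolvers
    is itself a signal that a change (legitimate or not) is mid-propagation."""
    report = {r: check_resolver_answer(r, a, expected) for r, a in answers.items()}
    affected = [r for r, f in report.items() if f]
    if affected and len(affected) < len(answers):
        report["_summary"] = [f"partial propagation: {len(affected)}/{len(answers)} resolvers affected"]
    elif affected:
        report["_summary"] = ["all resolvers affected"]
    else:
        report["_summary"] = []
    return report


# Constructed sample answers: two resolvers still serve the pinned records,
# one already returns a foreign nameserver and an A record in an unknown range.
SAMPLE_ANSWERS = {
    "resolver-a": {"NS": ["ns1.example-dns.net.", "ns2.example-dns.net."], "A": ["198.51.100.10"]},
    "resolver-b": {"NS": ["ns1.example-dns.net.", "ns2.example-dns.net."], "A": ["198.51.100.10"]},
    "resolver-c": {"NS": ["ns1.rogue-host.example."], "A": ["203.0.113.77"]},
}

if __name__ == "__main__":
    for findings in detect_partial_hijack(SAMPLE_ANSWERS).values():
        for line in findings:
            print(line)
```

In a real deployment the answers would come from a handful of independent public resolvers polled on a short interval, so the check fires while a change is still propagating rather than after every user has been redirected.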