Blockchain.info, one of the most popular online Bitcoin wallet services in the world, was forced to take its service offline this week (12 October) after suffering a DNS hijack that left its 8 million-strong userbase vulnerable to cyberattack.
The digital currency service claims to power up to 100,000 Bitcoin transactions in a single day, so it was of little surprise that reports of the DNS attack quickly spread to messageboard websites such as Reddit and social media platforms.
Upon analysis, Blockchain.info administrators found the website's Domain Name System (DNS) information had been altered to redirect anyone visiting the website to a potentially malicious site hosted with a cheap hosting provider located in the US.
After finding the security flaw, the team was forced to take down the site. Notifying concerned users on Reddit, the team wrote: "Our DNS provider was targeted. It's going to be several hours before our services are fully restored. The CloudFlare DNS is propagating now."
During the attack, users were left particularly at risk of bitcoin theft or malware infections. DNS attacks typically involve an attacker redirecting unsuspecting users to a malicious web page to steal personal details or financial information.
Luckily for users, the correct domain was re-established less than 24 hours after discovery of the incident. In a statement, the team said: "Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue."
It continued: "To be abundantly cautious, we're waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience."
In a blog post, Artsiom Holub, a security researcher at OpenDNS, wrote that hijacking attacks of this nature are an increasingly popular and "effective" technique now used by cybercriminals.
'Treat your bitcoin wallet as your real one'
"Bitcoins and blockchain technology might replace traditional banking, but first it is the community who have to solve a lot of security problems," he said. "Bitcoin wallets and companies are being targeted by criminals more and more as they face easier schemes to launder stolen funds.
"Traditional banks have controls to detect and prevent laundering schemes but in the crypto currency world we face bitcoin mixers that make the tracking of stolen funds a complicated challenge.
"In this case no damage or hack was done to the servers of the targeted companies, but attackers were able to change DNS records to redirect users to a totally different set of machines. Controlling a domain name allows attackers to potentially gather credentials of the wallets. So treat your bitcoin wallet as your real one, and be aware of the ongoing malicious campaigns."
At the time of writing, the Blockchain.info website has regained functionality. "All services have been restored and are running normally," the team wrote on Twitter. "We apologise for the long wait, and we'll continue to monitor things closely."
Blockchain.info has released a full statement:
At approximately 5:42 AM EST, the attacker changed Blockchain.info's DNS servers. Within minutes, our internal systems alerted our infrastructure team who immediately began to assess the attack.
Control over our DNS servers is highly restricted and goes beyond industry standard protections against configuration changes. We were able to access our administrative accounts with our registrar and regain control. Unfortunately, it became clear the attackers gained access to our accounts through breaching the systems of our DNS registrar.
In an abundance of caution, we shut down our entire platform until we investigated the full extent of the attack. After making offline high-level contact with our registrar, we quickly determined that our registrar's systems were breached by a highly sophisticated attack against the registrar's infrastructure and not Blockchain's infrastructure. Our registrar was able to manually regain control and revert the DNS changes.
While we waited for the fix to propagate across the internet, we investigated the malicious site to which the attacker had redirected traffic. We determined that due to the attacker using a self-signed SSL certificate, users using modern browsers – which the wallet requires – were prevented from being exposed to the phishing site. Due to the quick response of our team, the attacker's DNS changes were allowed only to propagate partially across the Internet. We were also able to locate the owners of the compromised machine being used by the attackers and have it shut down.
After a full check of our own systems and a complete propagation of the correct DNS servers, we brought our platform back online at 1:20 PM EST. To mitigate the attack vector at our registrar, we have implemented additional manual, offline controls.
Ultimately, any disruption in service is something we take seriously and we extend our sincere apologies. While we sometimes remain offline for longer than necessary, we do so out of an abundance of caution while we check to ensure all systems are fully protected and functional.
Thank you for your patience.
CEO & Co-Founder, Blockchain
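The statement describes two controls: an alert raised within minutes of the name-server change, and keeping services offline until the corrected delegation had propagated everywhere. The following is an added example, not Blockchain.info's own tooling, of both checks run over constructed resolver observations; the server names, resolver labels and function names are assumptions.

```python
# Assumption: the name servers the operator intends to publish (placeholders).
EXPECTED_NS = frozenset({"ns1.dns-provider.example.", "ns2.dns-provider.example."})

# Constructed sample: NS answers for one zone as seen from several vantage-point
# resolvers during partial propagation of an unauthorised change.
OBSERVATIONS = [
    ("resolver-a", ["ns1.dns-provider.example.", "ns2.dns-provider.example."]),
    ("resolver-b", ["NS2.dns-provider.example", "ns1.dns-provider.example"]),
    ("resolver-c", ["ns1.cheap-host.example.", "ns2.cheap-host.example."]),
    ("resolver-d", ["ns1.dns-provider.example.", "ns1.cheap-host.example."]),
    ("resolver-e", []),  # timed out / no answer
]


def normalize(name):
    """DNS names are case-insensitive; compare lowercased and fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def check_delegation(observations, expected):
    """Flag every resolver that returns a name server outside the expected set."""
    expected = frozenset(normalize(n) for n in expected)
    drifted, unknown = {}, []
    for resolver, answers in observations:
        seen = frozenset(normalize(n) for n in answers)
        if not seen:
            unknown.append(resolver)  # no answer: cannot confirm either way
            continue
        unexpected = seen - expected
        if unexpected:
            drifted[resolver] = sorted(unexpected)
    answered = len(observations) - len(unknown)
    return {
        "alert": bool(drifted),
        "drifted": drifted,
        "unknown": unknown,
        "drift_ratio": len(drifted) / answered if answered else 0.0,
    }


def safe_to_restore(report):
    """Restore only when every vantage point answered with the expected set."""
    return not report["alert"] and not report["unknown"]


if __name__ == "__main__":
    report = check_delegation(OBSERVATIONS, EXPECTED_NS)
    print(report, "restore:", safe_to_restore(report))
```
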