Ether.fi foils domain hijack attempt, credits enhanced security measures

On September 24, ether.fi experienced a security incident involving their domain registrar, Gandi.net.

Summary of the incident:

The team received a recovery notification from Gandi via email at 16:38 UTC.

Upon verifying the email's SPF, DKIM and DMARC authentication results, it was established that an attacker had attempted to use the legitimate Gandi recovery flow to gain access to ether.fi's Gandi account.

Gandi was contacted on multiple platforms. At approximately 19:30 UTC it was confirmed that ether.fi's account had been locked to prevent further tampering and that the nameserver configuration had been restored. A comprehensive analysis of external and internal systems is in progress; as of now, no trace of an internal breach has been observed.
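The check described in the summary, verifying that a recovery notification really came from the registrar before acting on it, can be automated against the Authentication-Results header that the receiving mail server stamps on each message. The script below is an added example and not code from ether.fi or Gandi; the mail server name mx.example.net, the registrar domain registrar.example, the DKIM selector and the sender IP are all assumed, and both sample messages are constructed. It only trusts the Authentication-Results header written by the organisation's own MTA (an attacker can add one of their own), requires SPF and DKIM to pass with domains aligned to the visible From domain, and requires a DMARC pass. Note the caveat the incident itself illustrates: a notification that passes every check is genuine, which here meant the registrar's real recovery flow was being driven by an attacker, so a pass is a reason to lock the account, not to relax.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the incident): a genuine notification as stamped
# by our own MTA mx.example.net. Registrar domain, selector and IP are assumed.
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=notify.registrar.example;
 dkim=pass header.d=registrar.example header.s=sel1;
 dmarc=pass (p=reject) header.from=registrar.example
From: Registrar Support <support@registrar.example>
To: ops@example.org
Subject: Account recovery request

A recovery request was received for your account.
"""

# Constructed look-alike: From domain is one word off, DKIM is signed by a
# domain the attacker controls, so nothing aligns and DMARC fails.
LOOKALIKE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.attacker.example;
 dkim=pass header.d=attacker.example header.s=x;
 dmarc=fail header.from=registrar-support.example
From: Registrar Support <support@registrar-support.example>
To: ops@example.org
Subject: Account recovery request

Click here to confirm the recovery request.
"""


def org_domain(name: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real DMARC uses the Public Suffix List; this is a deliberate simplification."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(a: str, b: str) -> bool:
    """Relaxed DMARC alignment: both names share an organizational domain."""
    return org_domain(a) == org_domain(b)


def parse_auth_results(value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header value into
    {"authserv_id": ..., "methods": {method: {"result": ..., "props": {...}}}}.
    Parenthesised comments are discarded; header folding is tolerated."""
    value = re.sub(r"\([^)]*\)", "", value)
    parts = [p.strip() for p in value.split(";")]
    out = {"authserv_id": parts[0].split()[0], "methods": {}}
    for part in parts[1:]:
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        out["methods"][method.lower()] = {"result": result.lower(), "props": props}
    return out


def assess(raw: str, our_authserv: str, registrar_domain: str) -> dict:
    """Decide whether a recovery notification really came from the registrar.
    All checks must pass; 'findings' explains every failure."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    findings = []

    if from_domain != registrar_domain.lower():
        findings.append(f"From domain {from_domain!r} is not {registrar_domain!r}")

    # Only the header stamped by our own MTA counts; anything else may be forged.
    headers = [parse_auth_results(h) for h in msg.get_all("Authentication-Results", [])]
    ours = [h for h in headers if h["authserv_id"].lower() == our_authserv.lower()]
    if not ours:
        findings.append("no Authentication-Results header from our own MTA")
        return {"authentic": False, "from_domain": from_domain, "findings": findings}
    methods = ours[0]["methods"]

    spf = methods.get("spf", {})
    mailfrom = spf.get("props", {}).get("smtp.mailfrom", "")
    if spf.get("result") != "pass" or not aligned(mailfrom.split("@")[-1], from_domain):
        findings.append("SPF did not pass with an aligned MAIL FROM domain")

    dkim = methods.get("dkim", {})
    d = dkim.get("props", {}).get("header.d", "")
    if dkim.get("result") != "pass" or not aligned(d, from_domain):
        findings.append(f"DKIM did not pass with an aligned d= ({d or 'none'})")

    if methods.get("dmarc", {}).get("result") != "pass":
        findings.append("DMARC did not pass")

    return {"authentic": not findings, "from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("look-alike", LOOKALIKE)):
        print(label, assess(raw, "mx.example.net", "registrar.example"))
```

The alignment helper is the weak point in practice: treating the last two labels as the organizational domain is wrong for suffixes such as co.uk, so a production version should use a Public Suffix List library. The decision logic itself is the part worth keeping: never rely on the From display name or on a single method, and discard any Authentication-Results header your own mail server did not write.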

Prevention steps taken:

In the weeks prior, an increase in exploitation of similar attack vectors had been observed against other protocols. We preemptively upgraded our key platforms to require hardware authentication.

Gandi's monitoring systems and processes, while aggressive, locked down the domain account, prevented any access to our systems, and kept our websites, apps and email safe from the attempted attack.