Phishing attack uses PancakeSwap and Cream domains to steal money

Two decentralized finance projects are reportedly being targeted by a DNS spoofing attack. According to reports from Monday morning U.S. time, PancakeSwap and Cream Finance, two projects deployed on Binance Smart Chain, are phishing users into entering their private key on the website.

Cream Finance is inaccessible as of the time of writing, but PancakeSwap still loads correctly and showcases the phishing attempt. Upon trying to connect MetaMask, the page loads a fake window requesting the user to input their private key. This also happens on browsers like Safari, where MetaMask is unavailable. There are almost no occasions when a user should input their seed phrase into a browser app, especially not when interacting with DeFi.

Screenshot from Pancake Swap, taken around 3 PM UTC.

The Cream Finance and the Pancake Swap teams confirmed that the issue is a DNS spoofing attack. The Domain Name Service connects a domain name to an IP address on the web. It appears that the registration for the two services was hijacked to point to an attacker-controlled server. According to ICANN records, the DNS registration was updated for both websites on Monday, shortly before the reports of malicious activity.

The DNS entry was updated on Monday. Source: ICANN

Both websites appear to be registered through GoDaddy. One possible explanation is that the teams’ accounts on the provider were hijacked, allowing the attacker to officially change the DNS routing point for the domains.

Cointelegraph requested comment from Cream Finance but did not immediately receive a response. The story is developing.