Phishing attack uses PancakeSwap and Cream domains to steal money

Two decentralized finance projects are reportedly being targeted by a DNS spoofing attack. According to reports from Monday morning U.S. time, PancakeSwap and Cream Finance, two projects deployed on Binance Smart Chain, are phishing users into entering their private key on the website.

Cream Finance is inaccessible as of the time of writing, but PancakeSwap still loads correctly and showcases the phishing attempt. Upon trying to connect MetaMask, the page loads a fake window requesting the user to input their private key. This also happens on browsers like Safari, where MetaMask is unavailable. There are almost no occasions when a user should input their seed phrase into a browser app, especially not when interacting with DeFi.

The Cream Finance and the Pancake Swap teams confirmed that the issue is a DNS spoofing attack. The Domain Name Service connects a domain name to an IP address on the web. It appears that the registration for the two services was hijacked to point to an attacker-controlled server. According to ICANN records, the DNS registration was updated for both websites on Monday, shortly before the reports of malicious activity.

Both websites appear to be registered through GoDaddy. One possible explanation is that the teams’ accounts on the provider were hijacked, allowing the attacker to officially change the DNS routing point for the domains.

As of 7 PM UTC, the Cream Finance team stated that the website is fully operational and secure. PancakeSwap also seems to have regained control of its website. The changes may not be immediately visible for users who visited the corrupted domain, requiring a browser cache cleanup.

The story was updated at 7 PM UTC with new information.