GoDaddy Used in a Cryptocurrency Attack
Table of Contents
- By Dawna M. Roberts
- Published: Nov 25, 2020
- Last Updated: Mar 18, 2022
GoDaddy domain registrar and hosting company is no stranger to hacks and interruption of service by cybercriminals. The latest attack suffered last week by digital service giant GoDaddy tricked their employees into giving out information for a few cryptocurrency companies.
What Happened?
Back in May 2020, more than 28,000 GoDaddy customers' web hosting accounts were hijacked from a breach that occurred back in October 2019. Unfortunately, GoDaddy did not discover the issue until April 2020. Meanwhile, criminals used the accounts to wage phishing campaigns and install viruses and malware.
The latest issue occurred around November 13 and was perpetrated by hackers targeting GoDaddy employees to take over domains and use them in a cryptocurrency mining scheme. The main target was a cryptocurrency trading platform called liquid.com. CEO Mike Kayamori of Liquid had this to say "A domain hosting provider 'GoDaddy' that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor. This gave the actor the ability to change DNS records and, in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage."
The issue was discovered when another cryptocurrency mining service called NiceHash found that some of their DNS settings had been changed on GoDaddy without authorization. The changes were redirecting email and web traffic. In response, the company froze all customer funds for 24 hours until they were able to fix the problem and assure customers that their money was safe. They posted a blog to customers and said, "At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activate 2FA security."
The hacker was linked to an email address at GoDaddy, and the culprit attempted to reset passwords on various other platforms like Slack and Github using credential stuffing from the email accounts they had taken over. Founder of NiceHash Matjaz Skorjanc had this to say "We detected this almost immediately [and] started to mitigate [the] attack. Luckily, we fought them off well, and they did not gain access to any important service. Nothing was stolen."
Both cryptocurrency companies had their email redirected to privateemail.com, a service associated with Namecheap Inc., which sells domains and web hosting services as well.
KrebsOnSecurity performed some analysis on the attack and found that various other cryptocurrency platforms (Celsius.network, Wirex.app, and Bibox.com) were also targeted.
Krebs also contacted GoDaddy about the attack, who immediately minimized the issue, saying that "a small number" of accounts had been affected and changed and that only a "limited" few employees had fallen for the social engineering scam. Dan Race, a spokesperson for GoDaddy, said, "Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees."
Race further explained that "We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts," GoDaddy's statement continued. "As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks."
It is unclear how the GoDaddy employees were tricked into handing over the accounts, and GoDaddy declined to comment on that.
Social Engineering Dangers
As defined by Webroot security professionals, "Social engineering is the art of manipulating people, so they give up confidential information.” Threat actors use various techniques to trick unsuspecting victims into giving up login credentials, bank and credit card information, and personal details that may be used for identity theft.
Cybersecurity professionals see more of these types of attacks occurring, especially this year. An example of a social engineering attack might be getting an email from a trusted friend who wants help or shares something interesting. The thing is, the hackers have taken control of your friend's email account, and it didn't come from someone you know. They might also spoof your friend's email address.
The goal is to get you to download something or click a link and visit a malicious website where you log in or provide information that is then stolen. Typically, social engineering attacks work on emotion. They either urge you to do something quickly by inciting fear, excitement, or curiosity. Or they might tap into greed and lure you in by promising a big return on an investment or saying you have won a prize.
Scammers use various techniques by alerting you to a problem that immediately needs to be fixed. You click before thinking, and now you are a victim.
The best way to stay safe is to always verify the information before acting. Never click a link in an email, and if something sounds too good to be true, it is.