A group of scammers managed to trick some GoDaddy employees into redirecting web traffic and emails destined for various cryptocurrency exchange platforms. This is the largest domain registration company in the world, so this incident would have severe consequences.
According to KrebsOnSecurity experts, the attack was based on tricking company employees into transferring control of affected domains to threat actors. This is an attack similar to the one the company suffered a few months ago, when a cybercriminal group gained control of dozens of domain names using a voice phishing scam. As if that weren’t enough, this year GoDaddy acknowledged that at least 28,000 of its customers’ hosting accounts were compromised in 2019, an incident that went unnoticed until April 2020.
The most recent attack would have begun on November 13 or a close date, when abnormal behavior was detected on the Liquid cryptocurrency exchange platform. According to Mike Kayamori, CEO of Liquid, an unsuspecting GoDaddy employee transferred the against his web domain (liquid.com) to threat actors. Thanks to this, the attackers managed to change the DNS records and take control of multiple email accounts belonging to the exchange platform.
This was repeated with the NiceHash cryptocurrency mining service, which detected that some of the settings of its domain records on GoDaddy were altered without authorization, resulting in redirecting web traffic from this site. As a security measure, the platform froze all of its customers’ funds for 24 hours: “Everything indicates that users’ emails and passwords were not accessed, but we suggest that you reset your login credentials and enable multi-factor authentication,” a report on the incident mentions.
Matjaz Skorjanc, founder of NiceHash, mentions that unauthorized changes were made from a web address on GoDaddy and that threat actors tried to access NiceHash’s incoming emails to reset passwords for various third-party services, including Slack and GitHub.
NiceHash’s email service was apparently redirected to privateemail.com, an email platform managed by Namecheap Inc, another major domain name registration company. After a quick analysis, KrebsOnSecurity specialists concluded that multiple cryptocurrency platforms could have suffered similar attacks, including Bibox.com, Celsuis.network and Wirex.app, although none of these companies has responded to requests for information submitted by the experts.
Fortunately GoDaddy did respond to the reports, mentioning that “a small number of domain names will have been changed after some employees fell into a social engineering scam.” On the general service failure that occurred on November 17, GoDaddy ruled out any relationship between the two incidents.
“In addition, a routine audit of some account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” says GoDaddy’s statement, signed by company spokesman Dan Race.
“The accounts involved in this incident were immediately blocked, plus we reversed all unauthorized changes and helped affected customers regain control of their domains,” Race added. The company’s message concludes by recalling the sophistication that characterizes some groups of threat actors, so it is critical that the industry strengthens its defenses in every way, including the human factor.
GoDaddy did not add any further details about how his employees were deceived, as the investigation is still ongoing. Specialists mention that everything would have started with a phone call, allowing threat actors to access multiple employee accounts and eventually compromise domains.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.