GoDaddy employees were the target of a sophisticated (and successful) cyber attack… Again.
GoDaddy is THE biggest domain registry across the globe. In this scam, hackers were able to lure GoDaddy employees into transferring control and/or ownership of specific domains over to them, closely mimicking a ploy conducted in March, in which bad actors used voice phishing calls to trick GoDaddy support employees into giving them control over a handful of domains, which included escrow.com, a site that brokers financial transactions!
Additionally, back in May, GoDaddy announced that almost 30,000 of their customers’ accounts were compromised during a breach that lasted from October 2019 until its eventual discovery the month before the announcement… That’s six whole months that the hackers were able to siphon information off of this massive company.
This most recent scam, which began around November 13 with an attack on a cryptocurrency trading platform (liquid.com), used phishing emails and cryptocurrency traffic to trick GoDaddy employees into, once again, transfer control of the domain over to the hackers. This transfer gave the bad actors the ability to not only change DNS records but to also take control of email accounts, which then gave them access to file storage.
The scam was uncovered after the cryptocurrency mining service, NiceHash, noticed on November 18 that a number of settings for certain domain registration records at GoDaddy had been changed without admin permissions, which had redirected both email and web traffic from their site. Once this was discovered, the company acted quickly by freezing all their customers’ funds until they were able to change the domain settings back to the original settings, which took about a day.
NiceHash disclosed the breach immediately, and in a blog post, they recommended that their customers change their passwords and activate two-factor authorization, even though it didn’t appear that any of their customers’ data was compromised.
The founder of NiceHash, Matjaz Skorjanc, noticed that the unauthorized changes came from a GoDaddy address and that the hackers attempted to access company emails in order to reset the passwords of a number of third-party affiliates. They reached out to GoDaddy, but at the time they attempted to contact the domain giants, GoDaddy just happened to be under a company-wide outage, so both their phones and emails were out-of-order.
Great timing!
Instead of throwing up his hands, Skorjanc redirected their email through privateemail.com, via Namecheap Inc., which is also a domain name company, albeit not quite so large as GoDaddy. They then used Farsight Security, which is a service that tracks changes made to domain names, to identify any GoDaddy domains that had been changed over the past week. What this revealed was that NiceHash was apparently not alone; in fact, a number of other cryptocurrency platforms appear to have also been targeted.
GoDaddy was notified and they stated that there were in fact a number of domains that were potentially compromised after their employees fell victim to a malicious social engineering scam; however, the outage was just a coincidence and wasn’t breach but rather a technical issue. They also stated that a routine audit did in fact find that a “small number” of domains were possibly the victim of unauthorized changes, which their internal security team then investigated. After the investigation, they locked down the affected accounts and worked with those impacted to return control.
While GoDaddy wasn’t exactly forthcoming with the details about just how their employees were scammed, due to the incident being investigated still, it’s important to note that the attacks earlier this year left the hackers with the ability to read internal memos left on customer accounts and the attack on escrow.com redirected their traffic to a Malaysian web address that hosted a small number of domains. But one of the domains hosted was actually a GoDaddy phishing address (I am not going to put the name of the address, out of safety concerns).
So, it looks like it’s possible that the March attacks and this attack are likely from the same campaign, wherein they tricked GoDaddy employees into providing their credentials using the phishing page they hosted.
As we have been saying since March, there has been an increased number of cyber attacks since so many employees started to work from home. This includes an increased number of “vishing” scams, which use phone calls, rather than emails, to try and scam employees.
Vishing campaigns use phone calls to remote employees within an organization to get information out of them. They do this by calling and saying they are from the IT Department, and that the reason for the call is to help the employee working from home with issues that occur with the company’s email or VPN. But the ACTUAL goal is to get the employee to visit a scam site and enter login information on a scam website, or to even get them to tell the hacker that information over the phone.
One example of this is the Twitter scam that raised over $100,000 in just a couple of hours this past summer. As we reported, the hackers were able to trick Twitter employees via a successful vishing expedition, and then post their fake website on high-profile accounts, requesting money.
According to CISA and the FBI, vishing hackers actually create massive files on employees of their target businesses by scraping public social media profiles and conducting background checks.
If you are working from home, we strongly urge you to download our FREE Remote Security Checklist to help beef up your cybersecurity while you are working remotely. Additionally, with these successful vishing attacks, we urge you to be wary of phone calls. Secure your employees by:
- Using a formalized authentication process for employee-to-employee communications made over the phone in which employees use a second factor authenticate all calls before disclosing sensitive information.
- Verify websites aren’t misspelled and bookmark corporate URLs.
- Do NOT visit alternative URLs given in an inbound phone call.
- Be suspicious of ANY unsolicited phone calls, visits, or email messages from unknown contacts who say they are from the organization.
- Do not provide ANY personal or organizational information. This includes information about its structure or networks,
- Verify a caller’s identity directly with your employer.
- Document any vishing call you receive, including the number and the domain, and contact law enforcement right away.
You can also call us any time at 919-422-2607, or schedule an appointment online for free if you have any additional questions.
And remember… These bad actors have absolutely NO SHAME. Stay safe out there; even if “out there” is as far away as your home office.