In what was already a tough year for the world’s biggest domain registrar, GoDaddy has suffered another blow to its reputation for security after losing control of the addresses of several well-known cryptocurrency services.
The attackers were apparently able to social engineer GoDaddy employees into transferring ownership of at least half a dozen domains, allowing them to redirect web and email traffic for a time. Among the compromised domains was major cryptocurrency trading platform Liquid.com.
World’s biggest domain registrar hacked again
KrebsonSecurity is reporting that the current campaign against the domain registrar began on November 13 with the attack on Liquid.com. According to Liquid CEO Mike Kayamori, “A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor. This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
The hacker appears to have repeated this trick with at least five other cryptocurrency services including crypto mining service NiceHash, which reported discovering its DNS settings changed on the morning of November 18 and had to freeze all customer accounts for 24 hours while taking care of the issue. The company sent an email to customers reassuring them that emails and personal data had not been accessed, but did suggest that they change passwords and implement 2FA.
In partnership with Farsight Security, Krebs investigated the issue after being contacted by NiceHash and found that the attackers were redirecting traffic to a Namecheap-registered domain called “privateemail.com.” Mapping of all GoDaddy domains that had changes made to email settings in the previous week revealed at least four other cryptocurrency services that had started redirecting to this domain.
In response to the Krebs investigation, the domain registrar publicly acknowledged that some of its employees had been taken in by a social engineering scam. GoDaddy says that it immediately locked down the affected accounts, reverted the changes and assisted customers with restoring access.
The attack would have given the hackers access to usernames, email addresses, contact information, and potentially to encrypted passwords as well. Liquid and NiceHash believe that customer information was not compromised; the other cryptocurrency services involved have yet to issue any statement or respond to reporters.
A pattern of attacks on GoDaddy and cryptocurrency services
Interest in attacks on cryptocurrency services has increased during the COVID-19 pandemic, and has received a recent boost with Bitcoin once again surging and breaking price records.
GoDaddy has had its own struggles over the previous year as well, but all domain registrars should be expecting an increase in attempts of this nature as crypto coins surge in value.
The domain registrar had a similar incident earlier this year that involved the spearphishing of a customer service rep, who granted the attacker the ability to view and modify customer records. The attacker used this ability to change the domain settings for about half a dozen sites, the biggest name among them being Escrow.com. This is believed to be a different threat group, which redirected site visitors to a crude cryptocurrency scam.
The two breaches of the domain registrar exemplify the new trend of “vishing,” which combines elements of targeted spearphishing with standard social engineering attacks directed against lower-level members of an organization who may have privileged access to the internal network. Ed Bishop, CTO at Tessian, expanded on what vishing entails: “This is the latest incident in which hackers used social engineering techniques to manipulate GoDaddy employees into transferring ownership of specific domains. The employees appear to have been targeted via vishing — voice spear-phishing — in which they received a phone call from the scammers pretending to be a trusted person; in this case, likely the rightful owner of the domain. It’s one thing for hackers to impersonate a legitimate domain, another to take control of a legitimate domain. Their first move — and what we saw happen with one of the domains implicated in the GoDaddy attack — is likely to redirect the domain’s email service to another email platform in order to take control of all communications, and use this to try and reset passwords on third-party services that hold valuable information. Domain names are some of the most highly-prized assets for brands today, namely because if a hacker successfully takes over an account and sends emails from the real domain, it’s incredibly difficult for people and email authentication mechanisms to detect an attack has occurred. This makes employees of GoDaddy and other domain name registrars ripe targets for social engineering attacks.”
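The email redirection described above, and the mapping of changed email settings that Farsight and Krebs used to find further victims, both come down to watching a domain's NS and MX records for drift from a known-good state. The following Python check is an added example, not code from the article or from any of the companies named; the domain names, records and trusted-provider set are constructed placeholders.

```python
"""Baseline check for registrar/DNS hijacking: flags NS and MX records that
drift from a known-good snapshot and escalates when mail is routed to a
provider outside the organisation's approved set. All record data below is
constructed sample input, not real lookups."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str        # "NS" or "MX"
    expected: tuple   # normalised baseline hosts
    observed: tuple   # normalised hosts seen now
    severity: str     # "medium", "high" or "critical"

def norm_host(record: str) -> str:
    # MX records carry a priority ("10 mx.example."); keep only the host,
    # lower-cased and without the trailing dot, since DNS names are
    # case-insensitive and the dot is presentation-only.
    return record.split()[-1].lower().rstrip(".")

def in_trusted(host: str, trusted: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)

def audit_domain(domain: str, baseline: dict, observed: dict, trusted_mail: set) -> list:
    """Return one Finding per record type whose host set changed."""
    findings = []
    for rtype in ("NS", "MX"):
        exp = tuple(sorted(norm_host(r) for r in baseline.get(rtype, [])))
        obs = tuple(sorted(norm_host(r) for r in observed.get(rtype, [])))
        if exp == obs:
            continue
        # A nameserver change usually means the registrar account itself was
        # altered, so it is high regardless of where the new servers point.
        severity = "high" if rtype == "NS" else "medium"
        if rtype == "MX" and any(not in_trusted(h, trusted_mail) for h in obs):
            severity = "critical"   # mail is now delivered to an unknown provider
        findings.append(Finding(domain, rtype, exp, obs, severity))
    return findings

# Constructed sample data (hypothetical names, not any real service's records).
BASELINE = {"NS": ["ns1.registrar.example.", "ns2.registrar.example."],
            "MX": ["10 aspmx.mailhost.example.", "20 alt.mailhost.example."]}
HIJACKED = {"NS": ["ns1.registrar.example.", "ns2.registrar.example."],
            "MX": ["10 mx1.unknown-provider.example."]}
TRUSTED_MAIL = {"mailhost.example"}

if __name__ == "__main__":
    for f in audit_domain("victim.example", BASELINE, HIJACKED, TRUSTED_MAIL):
        print(f"{f.domain} {f.rtype} {f.severity}: {f.expected} -> {f.observed}")
```

Run on a schedule against live resolver output, the same comparison is what would have surfaced the MX change at NiceHash before customers did.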
Vishing is among the more sophisticated attack types as it requires not only detailed research and information-gathering, but also a scammer who can speak on the phone in the target’s native language and convincingly impersonate a staff member. Vishers compile dossiers on target employees primarily by scraping social media accounts (at business-focused sites such as LinkedIn) and by using tools available to recruiters.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) consider vishing to be a great enough threat to have issued a joint alert about it in August. The alert suggests a number of countermeasures including limiting VPN connections to managed devices only, restricting VPN access hours, implementing a formalized authentication process for employee-to-employee communications that involve systems changes, and simply keeping the correct corporate VPN address bookmarked and not using any other links or URLs to access it when asked to. The agencies also suggest that employees limit the amount of personal information that they share through sites such as LinkedIn only to items that are critical for communication with the general public.
Mike Riemer, Chief Security Architect at Pulse Secure, feels the vishing threat is now severe enough to merit a “zero trust” approach: “The GoDaddy hack emphasizes the need for a comprehensive remote secure access approach founded on the concept of Zero Trust … If GoDaddy’s employees had received regular training on social engineering techniques and other phishing intrusions, they would have been less likely to hand over this information … Using security awareness programs in coordination with enhanced access security techniques helps businesses succeed in significantly reducing their overall threat landscape. To prevent similar attacks in the future, it is imperative that organizations remove any implicit trust and establish context-based access permissions … The Zero Trust principle dictates that no connectivity is allowed until a user is authenticated, their endpoint is validated, and application access is verified for that individual, stopping cybercriminals from gaining access.”