Attackers Dupe GoDaddy Into Abetting Cryptocurrency Site Takedowns
Roughly one year after a data breach at GoDaddy compromised 28,000 customer accounts, the world’s largest internet domain registrar is once again at the center of a security scandal. Hackers brought down several cryptocurrency services using GoDaddy domains in recent weeks, and apparently the company’s own staff unwittingly helped in these attacks.
Hackers purportedly duped GoDaddy employees into handing over the reins to several cryptocurrency services’ web domains, and then used those permissions to make unauthorized changes and bring down the sites, per a report from the cyber-centric blog Krebs On Security on Saturday. While it remains unclear how many companies fell for this scam, the cryptocurrency trading platform Liquid and mining service NiceHash uncovered attacks within days of each other.
“On the 13th of November 2020, a domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” said Liquid CEO Mike Kayamori in a blog post on Wednesday. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
NiceHash pushed out a blog post on Tuesday warning users that it discovered several unauthorized changes in the settings for its domain registration records. The company immediately froze all user funds, which remained inaccessible for roughly 24 hours, and launched an investigation into the matter, but ultimately found that “no emails, passwords, or any personal data were accessed” by hackers.
What’s also unclear is how these hackers went about scamming GoDaddy employees into transferring ownership of the domains in the first place. In a statement to Engadget, a company spokesperson confirmed that a “limited number” of employees had fallen for “social engineering” attacks that allowed hackers to tamper with accounts and domains without authorization, but didn’t go into further detail.
Social engineering refers to attacks in which hackers use their social skills to harvest information from an organization or its networks, according to the Cybersecurity and Infrastructure Security Agency. Phishing, an attack in which hackers use emails or malicious websites from seemingly credible organizations to steal information, falls under that category.
The spokesperson said that GoDaddy responded by locking accounts, undoing any changes that the hackers made, and working with victims to help them regain access.
It’d be really embarrassing if GoDaddy employees fell victim to the same kind of voice phishing tactics that caused another data breach in March. That campaign compromised several domains, including the transaction brokering site Escrow.com, and GoDaddy later admitted that one of its employees had fallen victim to “a spear-phishing or social engineering attack.”
As Krebs notes, hackers have increasingly relied on voice phishing, or “vishing,” to attack corporations in recent months. That’s when attackers use one-on-one phone calls, often pretending to be tech support for a target’s employer, to try to steer targets toward phishing sites to harvest account credentials and other sensitive company information.
Although we don’t know exactly how the hackers pulled one over on GoDaddy’s staff, this incident is a reminder that humans aren’t perfect. Then again, these kinds of attacks aren’t exactly new, so instead of just gaping at human error, perhaps corporations should focus on strengthening both human and machine security protocols to try to prevent incidents like this from happening in the future.