GoDaddy Employees exploited in attacks targeting Cryptocurrency Services

Late last week KrebsOnSecurity reported that GoDaddy, the world’s largest domain register, had been involved in a cyber-attack using social engineering tactics to first trick GoDaddy employees the target several cryptocurrency trading platforms. This incident, involving GoDaddy staff comes a few months after a similar incident where attackers assumed control of several domain names. While in May 2020, the company disclosed that 28,000 web hosting accounts had been compromised.

Returning to the latest attack, it appears that on November 13, 2020, the cryptocurrency trading platform Liquid was locked out of its domain. In a statement by Mike Kayamori, CEO of Liquid, stated,

“On the 13th of November 2020, a domain hosting provider "GoDaddy" that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor. This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

In response to the attack, company employees moved to contain the attack and prevent further intrusion by the attacker. Fortunately, client funds were untouched, and the cryptocurrency wallets used by the company remain secure and were not compromised. However, according to the public statement, some user information was compromised with Kayamori noting,

“We believe the malicious actor was able to obtain personal information from our user database. This may include data such as your email, name, address and encrypted password...We are continuing to investigate whether the malicious actor also obtained access to personal documents provided for KYC such as ID, selfie and proof of address, and will provide an update once the investigation has concluded.”

Following the incident involving Liquid on November 18, 2020, another cryptocurrency service reported an incident. This time the cryptocurrency mining service NiceHash discovered that several of its domain registry settings at GoDaddy were changed without permission.

GoDaddy Employees exploited in attacks targeting Cryptocurrency Services

The change in settings resulted in email and web traffic being redirected for a brief period. In response, the company halted all activity for 24 hours until they knew the situation had been resolved and domain settings had been changed to what they should have been. Responding to an incident the company stated in a blog post,

“At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activate 2FA security,”

Explaining what happened, company founder Matjaz Skorjanc said the unauthorized changes were made from an Internet address at GoDaddy, and that the attackers tried to use their access to its incoming NiceHash emails to perform password resets on various third-party services, including Slack and Github. This was while GoDaddy was suffering a widespread system outage which seemingly impacted both phone and email systems. Responding to the outage GoDaddy responded by saying,

“GoDaddy experienced a service outage between approximately 7:00pm-11:00pm PST last night. The outage was related to an error encountered during planned network maintenance and impacted multiple products and services. It was not a security incident. The issue was resolved by our team and affected customers immediately began seeing improved services. We apologize for any inconvenience caused by this disruption.”

Domain Changes

The statement by GoDaddy makes no mention of it being a security incident that resulted in the system outage. In a statement to KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. Based on this information the two events do appear to be unrelated, however, serious questions need to be asked as to how the domain settings were changed without permission that affected several cryptocurrency services, with Liquid and NiceHash at the time of writing publishing details on the incident. As the statement to KrebsOnSecurity declined to mention how employees were tricked some theories have been suggested.

It is believed in some circles that employees of GoDaddy may have been tricked by vishing tactics or voice phishing. Vishing can be seen as an attempt by a scammer to trick the receiver of a call to hand over personal information or financial information. The March incident which impacted escrow.com among several others was believed to be conducted in a similar way. In this instance, it is believed that the scammers managed to get employees to enter in login credentials onto a fake login under the attacker’s control. In the March incident, a page was registered with a Malaysian domain registrar that only had a few domains registered including the phishing website servicenow-godaddy.com.

A trend has emerged driven by the COVID-19 pandemic of increased vishing. It is believed that scammers are looking to take advantage of employees working at home to steal their credentials. This seems to be done via a combination of voice calls and fake websites designed to phish credentials the remote workers use to login to company services. In one instance scammers used this technique to steal VPN credentials from an organization. In the above incident, the credentials harvested appear to have granted the attackers access to some information but luckily not funds or critical infrastructure in regards to the trading platform. These attacks are proving to be incredibly effective due to several reasons, including the rapid expansion of the attack service due to increased reliance on remote workers.

The attack begins with the scammer making several calls pretending to be from the company’s IT department for example. The scammer will pretend the reason for the call is related to an error that needs to be fixed, like access to the company’s VPN as an example. The goal is to either get the employee to divulge their credentials over the phone or via a fake login page set up by the attackers. The use of a fake login page can be incredibly hard to spot as they are well crafted to be as authentic-looking as possible. Further, the inclusion of a web site or login page adds another layer of legitimacy as often individuals are advised to never give important information to someone over the phone. Further, the scammers included sections on the login page to capture two-factor authentication or one-time pin information.

Bad Year for GoDaddy Security

Three major incidents in one year will definitely lead to the media and public asking some tough questions about GoDaddy. However, rather than pointing the finger solely at the company, they do share a fair amount of the responsibility that is for sure, but it might be wiser to educate users and employees as to the threat they face by vishing scammers. In a joint alert issued by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), the threat posed has been greatly illuminated upon as well as the measures that can be adopted to not fall victim to such a scam. These mitigation strategies include:

  • Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
  • Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
  • Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
  • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
  • Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
  • Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
  • Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

It is hoped that GoDaddy does improve its employee education and general security policy to prevent further vishing attacks from negatively impacting their customers. It is becoming ever more apparent that cybersecurity is a shared responsibility and education may be the best defense against falling victim to scammers and hackers.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal