21
Nov 20

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.

The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com.

And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. 2019 that wasn’t discovered until April 2020.

This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.

“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Mike Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

In the early morning hours of Nov. 18 Central European Time (CET), cyptocurrency mining service NiceHash disccovered that some of the settings for its domain registration records at GoDaddy were changed without authorization, briefly redirecting email and web traffic for the site. NiceHash froze all customer funds for roughly 24 hours until it was able to verify that its domain settings had been changed back to their original settings.

“At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activate 2FA security,” the company wrote in a blog post.

NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an Internet address at GoDaddy, and that the attackers tried to use their access to its incoming NiceHash emails to perform password resets on various third-party services, including Slack and Github. But he said GoDaddy was impossible to reach at the time because it was undergoing a widespread system outage in which phone and email systems were unresponsive.

“We detected this almost immediately [and] started to mitigate [the] attack,” Skorjanc said in an email to this author. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen.”

Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform run by Namecheap Inc., another large domain name registrar. Using Farsight Security, a service which maps changes to domain name records over time, KrebsOnSecurity instructed the service to show all domains registered at GoDaddy that had alterations to their email records in the past week which pointed them to privateemail.com. Those results were then indexed against the top one million most popular websites according to Alexa.com.

The result shows that several other cryptocurrency platforms also may have been targeted by the same group, including Bibox.com, Celsius.network, and Wirex.app. None of these companies responded to requests for comment.

In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on Nov. 17 was not related to a security incident, but rather a technical issue that materialized during planned network maintenance.

“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.

“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” GoDaddy’s statement continued. “As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”

Race declined to specify how its employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the assailants targeted employees over the phone, and were able to read internal notes that GoDaddy employees had left on customer accounts.

What’s more, the attack on escrow.com redirected the site to an Internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing website servicenow-godaddy.com. This suggests the attackers behind the March incident — and possibly this latest one — succeeded by calling GoDaddy employees and convincing them to use their employee credentials at a fraudulent GoDaddy login page.

In August 2020, KrebsOnSecurity warned about a marked increase in large corporations being targeted in sophisticated voice phishing or “vishing” scams. Experts say the success of these scams has been aided greatly by many employees working remotely thanks to the ongoing Coronavirus pandemic.

A typical vishing scam begins with a series of phone calls to employees working remotely at a targeted organization. The phishers often will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s email or virtual private networking (VPN) technology.

The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

On July 15, a number of high-profile Twitter accounts were used to tweet out a bitcoin scam that earned more than $100,000 in a few hours. According to Twitter, that attack succeeded because the perpetrators were able to social engineer several Twitter employees over the phone into giving away access to internal Twitter tools.

An alert issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says the perpetrators of these vishing attacks compile dossiers on employees at their targeted companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.

The FBI/CISA advisory includes a number of suggestions that companies can implement to help mitigate the threat from vishing attacks, including:

• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.

• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.

• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to
authenticate the phone call before sensitive information can be discussed.

• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

• Verify web links do not have misspellings or contain the wrong domain.

• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.

• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.

• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.

• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.

• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

Tags: , , , , , , , , , , ,

39 comments

  1. Good advice! Probably won’t get as many comments on this piece of reporting. Thanks for all you do.

  2. Quick correction: it’s celSius, with an S. not celCius with a C.

    Less complex attacks can be just as damaging as ones like this.
    Domain squatting is one.

  3. The Sunshine State

    The company godaddy.com, is a hosting website that harbors spammers.

  4. Celsius tried to play their outage off as a mistake by Go Daddy during a planned migration for an app update. If they were actually being attacked that is pretty disingenuous of them.

  5. “As threat actors become increasingly sophisticated …”, except that the concept of social engineering (imposter) has been around for a couple centuries, at least.

    I’m guessing these employees were young and/or undertrained for this type of thing. I’m an old guy and would be lying if I said I hadn’t nearly done dumb things like this, but it helps when your company drills these things into your head constantly to remind you how little effort it can take to fall for this stuff. It’s to the point where I get a twinge of suspicion when I receive any email with an attachment. I didn’t realize it until I just typed that but now I feel like Pavlov’s dog. Ha ha.

    • To take your point even further, social engineering has probably been around as long as people have. But they _are_ getting more sophisticated. My company has seen attempts attempted attacks that involve multiple actors working concurrently, each engaging the target independently and in different ways but at the same time, and coordinated in a way that would make Danny Ocean proud.

    • Companies are very inconsistent in their messaging. For example our company will send out fake phishing emails to test people. They tell people not to click on links BUT then constantly send out emails with surveys (janitorial, maintenance, cafe in the day, etc.) that tell you to click on the link. And many of them do not go to an internal domain.

      And IT here is usually over worked and paid lower than the engineers doing other work. It is worse in many other companies.

  6. I was concerned about exact same thing – that social engineering a domain name is so easy to do. My solution was to move my domain name to google domains. They are notoriously bad at providing customer service (which is GOOD in this case) and allow all types of secure 2FA.

    But the downside is that if you don’t keep track of your unique passwords, you may lock yourself out of your domain.

    Also make sure that you secure your email account that is tied to it. Preferably with the same company and using similar security measures. In my case it goes to a gmail account that does not have my name or the name of the website.

    And DO NOT associate a cell phone with it! If you are in US and the service requires a phone number, create Google Voice account and give them that. Again make sure to secure it with a random password and a good OTOP 2FA.

  7. Pavlov actually never trained anything to react in response to a sound. Jobs did that the first time he said “Apple is introducing a new iPhone in X months.” And it still works. See iPhone 12. Sad. Sad. Sad.

  8. Hey, Bryan,
    If the website for Farsight Security is farsightsecurity . com, why is the link in your article pointing to https : // www . scout. dnsdb . info/ ?

  9. Not to blame the victims here, but one has to question the priorities of a Bitcoin exchange – effectively a financial services institution – that chooses a provider like GoDaddy for a portion of their infrastructure with high security value (registrar). GoDaddy isn’t as infamously clumsy as a provider like Cómodo, but they aren’t exactly known for their rigor. If you did a whois lookup on Fidelity.com and saw them using GoDaddy as a registrar, you’d probably do a double take.

    FYI, this site is effectively unreadable on iPhone Safari due to forced zoom, which can be very easily fixed by removing the meta viewport HTML tag in your template.

  10. When working remote:

    -if someone from “IT” calls with an usual request, call them back at the number listed on the company phone list.

    -If “IT” wants you to follow a link, have them send the link via the company chat system.

    Even IT people need training. I’ve had some crazy requests from people in IT, including asking me for my password so they could impersonate me and make a small change. The answer to that was a strong “no”.

    • We provide IT services to local government customers. One of the towns we work with gave the title of “IT Director” to a numbskull employee whose first official act was to send an email to ALL asking that they send him their login passwords.

      Most of them complied, including several who did a REPLY ALL which sent their passwords to every employee in the town.

      You can’t fix stupid.

      • Wait for it……: “You have a virus in your computer”!

        Ok, so what do I do?

        Send me all the login and passwords for your employees

        Done…

  11. I wouldn’t characterize using a phone to dupe lazy, ignorant employees in companies that have no strict policies and procedures as “increasingly sophisticated and aggressive” attacks.

    Candy meet baby.

    • Sam – I think that the real problem is when the policies and procedures are in place but not enforced, especially if the people taking calls are both providing technical support _and_ required to meet sales quotas. It gives them too much temptation to cross the line so they can get the sale.

  12. Too big for their own good!

    Too busy buying indvidual domain names to profit. They’re spending $100,000,000 on indvidual domain names, hoping to sell for much more.

    They run their aftermarket domain platforms, which charge users $1000s for domains that expire..

    Their domain ‘auctions’ and everything.

    They LOST track of what they’re suppose to do. Domain REGISTAR. Protect the registrants.

    Such hardened service is lost, there is TOO much $$$ in every other realated avenue.

    In the end, grab, grab, grab: domainers, registar, registry = screw you little guy! Your domains aren’t important, we are selling our own for MILLIONS!

  13. So its quite important to have a domain registrar who can be reached at all points of time.

  14. GoDaddy customers can get DNS change monitoring for free by logging in then using the tool:
    https://dcc40.godaddy.com/dcc40/Default.aspx?activeview=monitoring

  15. The rabbyt hole goes deeper.
    There might be Russian government involved in crypto.

    Source: https://bitcointalk.org/index.php?topic=5292204.new#new

  16. Had to drop goDaddy years ago for a few reasons.

    Domain privacy is included for free at other registrars. GD charges $20 a year.

    Technical support would help, but it was one long sales pitch.

    As this article points out, they have poor security practices that are well-published.

  17. From my previous experience its not that easy to get back a lost it stolen bitcoin because these scammers are very smart and they will cover their tracks but if you manage to find a trustworthy and reliable Recovery company, I said trustworthy and reliable because many scammers are out there disguising as Recovery agents and will only take your money without recovering your bitcoin, I was a victim of such myself after loosing my bitcoin to an investment scam I sort for help and I met few recovery agents and was scammed by a particular one again. Luckily for me I was referred to a company on telegram. You can send a complaint mail to fightingscams(@)AOL{.}com, he should be able to help you. They Recovered my stolen bitcoin after risking a token to their Recovery program. It was worth it at the end.

    • I googled that email address and you have been spamming that blather on various forums and blogs since July 2018. You don’t provide a business address so your claim is bogus.

  18. I have thought that JackPair can solve the problem of vishing (voice phishing), but a.) it is about encryption, not about authentication, unless having JackPair works as authentication b.) currently it is not for sale (besides Kickstarter from 2014 and pre-order)

  19. Good work Brian. I like that comment from Duke about the IT Director ,people were just be compliant witout asking a question..No wits here just as smart as the IT director too.LOL

  20. Seriously do people expect the company who sells you a domain for $5 to do a proper job. hahaha.!

  21. No matter how strong your internal security infrastructure is, the wetware will always be the weakest point of entry. This is proven over and over again by reports such as these. I can have the best corporate firewall in the industry, and if some untrained yahoo gives away the keys to the kingdom, I might as well save my money and hardwire directly into the world wide web…

  22. Seriously do people expect the company who sells you a domain for $5 to do a proper job.

  23. GoDaddy has security protocols and systems in place.

    Exactly like crack whores in West Baltimore have ‘standards’ for the clients they’ll accept.

  24. Interestingly, a day ago, I received a domain suspension warning from GoDaddy for a domain I was using to test the Bitamp open source project. First they claimed I had violated their Universal TOS and had malicious content and simply gave me the domain name as an example of the content. When I told them it was a test site and I installed it, they then claimed that I was purporting to officially represent Bitamp and that I need to have someone from Bitamp contact them with “proof of association” within 48 hours.

    I have made zero changes to their open source project and actually forgot I even had installed it on the domain in question. It’s licensed under MIT. These emails are coming from their Digital Crimes Unit. Are they seriously this incompetent that they don’t know what open source is? Are they going to start going after anyone who uses WordPress and leaves the “Powered by” footer?

    • The short version is that GoDaddy is a mafia.

      The longer version is that they stole my domains.
      Basically, they said somebody was attacking them from my domains. Problem was domains were parked at the time. So, I countered the alleged attack happened from their network. Anyhow, their solution was to delete my domains, instead of pointing them to 127.0.0.1 so traffic didn’t go their way. After that, they requested me to pay $100 per domain to recover them. When I told it was their decision to delete not mine and they should pay for the recovery, they cut communication. When I pushed some more and warned them I will take it to BBB, ICANN, etc. They deleted my account and refund my domains annual fee. I still waiting for the day they will fall and go extinct. It’s a POS company.

  25. I feel this is among the such a lot vital information for me.

    And i’m glad reading your article. However wanna observation on some basic
    issues, The web site style is perfect, the articles is
    in point of fact great : D. Excellent task, cheers

  26. I can let you know how they used my iPhone to do it…Share the Prize 50/50..

Leave a comment