Crooks social-engineered GoDaddy staff to take over crypto-biz domains

Crooks were able to trick GoDaddy staff into handing over control of crypto-biz domain names in a classic DNS hijacking attack.

Crooks were able to hijack traffic and email to various cryptocurrency-related websites as a result of a DNS hijacking attack on domains managed by GoDaddy. The threat actors were able to modify DNS settings by tricking GoDaddy employees into handing over the control of the targeted domains with social engineering attacks.

GoDaddy is the world’s biggest domain-name registrar and web hosting company. GoDaddy confirmed that threat actors deceived “a limited number of GoDaddy employees” and were able to alter “a small number of customer domains and/or account information.”

“On the 13th of November 2020, a domain hosting provider, GoDaddy, that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” states a security notice published by the company.

“This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

Cyber criminals also targeted crypto-mining firm NiceHash with the same technique and successfully carried out a DNS hijacking attack. The hackers were able to modify the DNS records for the NiceHash.com domain, and the company was forced to immediately freeze all wallet activity to secure users’ funds.

At the time of this writing, GoDaddy has not provided details about the attacks.

“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.”

“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts. As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”

In May, GoDaddy notified its customers of a data breach in which threat actors might have compromised their web hosting account credentials. The hosting provider submitted a data breach notice to the California Attorney General, revealing that the intrusion took place in October 2019.

GoDaddy confirmed that it is still investigating the series of recent attacks.
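The attacks above succeeded because nobody noticed the NS and MX records of the affected domains changing until email and traffic were already redirected. The following script is an added example, not code from the article or from GoDaddy, NiceHash or any affected company: it diffs an observed DNS snapshot against a known-good baseline and ranks the drift, so a periodic job can alert on a registrar-level change before the attacker uses it. The domain names, record values and the `example.test` zone are constructed for illustration.

```python
"""Detect unexpected DNS record drift of the kind a registrar-level hijack
produces: NS swapped to unknown servers, MX pointed at another mail host.
Both snapshots below are constructed for illustration; in practice the
observed set comes from periodic resolver queries against the zone."""
from dataclasses import dataclass

# NS/MX changes redirect the whole zone or its mail, so they rank highest.
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high", "AAAA": "high",
            "CNAME": "high", "TXT": "medium"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    severity: str
    added: tuple
    removed: tuple

def _normalize(value: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return value.strip().lower().rstrip(".")

def _index(snapshot):
    """Group (name, type, value) triples into {(name, type): set(values)}."""
    idx = {}
    for name, rtype, value in snapshot:
        idx.setdefault((_normalize(name), rtype.upper()), set()).add(_normalize(value))
    return idx

def diff_dns_records(baseline, observed):
    """Return a Finding for every (name, type) whose value set drifted, most severe first."""
    base, obs = _index(baseline), _index(observed)
    findings = []
    for key in set(base) | set(obs):
        before, after = base.get(key, set()), obs.get(key, set())
        if before != after:
            findings.append(Finding(key[0], key[1], SEVERITY.get(key[1], "low"),
                                    tuple(sorted(after - before)), tuple(sorted(before - after))))
    return sorted(findings, key=lambda f: (RANK[f.severity], f.name, f.rtype))

# Constructed snapshots: NS and MX moved away from the baseline, A unchanged.
BASELINE = [("example.test", "NS", "ns1.registrar.test."), ("example.test", "NS", "ns2.registrar.test."),
            ("example.test", "MX", "10 mail.example.test."), ("example.test", "A", "192.0.2.10")]
OBSERVED = [("example.test", "NS", "ns1.unexpected.test."), ("example.test", "NS", "ns2.unexpected.test."),
            ("example.test", "MX", "10 mx.unexpected.test."), ("example.test", "A", "192.0.2.10")]

if __name__ == "__main__":
    for f in diff_dns_records(BASELINE, OBSERVED):
        print(f"[{f.severity.upper()}] {f.name} {f.rtype}: added={f.added} removed={f.removed}")
```

Querying from more than one resolver (and from the registrar's own API where available) catches the case where only the delegation at the registrar has changed and cached answers still look correct.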

Pierluigi Paganini

(SecurityAffairs – hacking, DNS hijacking)

The post Crooks social-engineered GoDaddy staff to take over crypto-biz domains appeared first on Security Affairs.