GoDaddy employees used in website attacks

Krebs on Security wrote about how GoDaddy employees were used in website attacks.

“Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.”

“The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters.”

“This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.”

“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Mike Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

“In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on Nov. 17 was not related to a security incident, but rather a technical issue that materialized during planned network maintenance.”

“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.

“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” GoDaddy’s statement continued. “As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”

“Race declined to specify how its employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the assailants targeted employees over the phone, and were able to read internal notes that GoDaddy employees had left on customer accounts.”

Read more here.

Sold.Domains

About Konstantinos Zournas

Studied Computer Engineering and Computer Science in London, UK and now living in Athens, Greece. Love domains and building websites. Went online in 1995, learned about HTML in 1996 and about domains in 2002. Started publishing the OnlineDomain.com blog in 2012.

2 comments

  1. That’s a serious vulnerability. Yikes.

  2. I guess this is how a lot of names have been stolen.Expose the culprits.Hey Godaddy,why not give 24 hrs and contact through other means before taking any action.?I am sure liquid is renewed for a long time so Godaddy should spend more time talking and asking scammer questions on how they acquired the name and other questions I can’t give away here because a scammer will also be reading our comments..🚔

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.