Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names

Web traffic, email redirected, personal info exposed in DNS hijacking


Miscreants were able to hijack traffic and email destined for various cryptocurrency-related websites this month – by hoodwinking GoDaddy employees.

Using social engineering tricks, the hackers were able to change the DNS settings of their victims' domain names, redirecting connections and mail to their own servers. GoDaddy, the world's biggest domain-name registrar, confirmed "a small number of customer domains and/or account information" were altered after "a limited number of GoDaddy employees" were duped.

Those customers included cryptocurrency-trading site Liquid, which last week said: "On the 13th of November 2020, a domain hosting provider, GoDaddy, that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor.

"This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage."

This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts

It is feared the crooks were able to access Liquid's user database, which contains personal information such as email addresses, names, addresses and "encrypted passwords." The miscreants may even have been able to exfiltrate people's proof of identity and address, and pictures, we're told.

Another GoDaddy customer hit by the fraudsters was crypto-mining outfit NiceHash, which last week said "as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed." Attempts to take back control of their systems were hampered by an unrelated outage GoDaddy was suffering at the time.

GoDaddy declined to explain exactly how the hijackings occurred nor share any details on how it will prevent such a thing from happening again. We're told the changes have been reversed. In a statement to The Register today, a spokesperson for the web giant said:

A routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information. Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.

We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts.

As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.

GoDaddy is committed to protecting our customers’ data and the security of our infrastructure, and our teams are vigilantly monitoring for attacks and potential vulnerabilities.

In March, various websites were briefly vandalized after a GoDaddy customer service rep was spear-phished by a miscreant, and in May, it emerged nearly 30,000 SSH logins were harvested by hackers, said infosec blogger Brian Krebs, who first reported this latest kerfuffle. ®


Biting the hand that feeds IT © 1998–2021