Fraudsters have redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.
The incident is the latest at GoDaddy in which employees were tricked into transferring ownership and/or control of targeted domains to fraudsters. In March, a voice phishing scam aimed at GoDaddy support staff allowed attackers to take control of at least half a dozen domain names, including the transaction brokerage site escrow.com.
And in May of this year, GoDaddy revealed that 28,000 of its customers’ web hosting accounts had been compromised following a security incident in October 2019 that was not discovered until April 2020.
This latest campaign appears to have begun on or around November 13 with an attack on the cryptocurrency trading platform liquid.com.
“A ‘GoDaddy’ domain hosting provider that manages one of our major domain names has falsely transferred account and domain control to a malicious actor,” Liquid managing director Kayamori said in a blog post. “This gave the actor the ability to change DNS records and, in turn, take control of a number of internal email accounts. In due time, the malicious actor was able to partially compromise our infrastructure and gain access to document storage.”
In the early morning hours of November 18 Central European Time (CET), crypto mining service NiceHash discovered that some of the settings in their domain registration records at GoDaddy had been changed without permission, briefly redirecting e-mail and web traffic for the site. NiceHash froze all customer funds for approximately 24 hours until it could verify that its domain settings had been restored to their original settings.
“At the moment, it appears that no email, password or personal data has been viewed, but we suggest you reset your password and enable 2FA security,” the company wrote in a blog post.
NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an internet address at GoDaddy, and that the attackers tried to use their control over inbound NiceHash email to perform password resets on various third-party services, including Slack and GitHub. But he said GoDaddy was unreachable at the time because it was experiencing a widespread system outage in which its phone and email systems were unresponsive.
“We detected it almost immediately [and] started to tone down [the] attack,” Skorjanc said in an email to this author. “Fortunately, we fought them well and they didn’t have access to any important service. Nothing was stolen.”
Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform operated by Namecheap Inc., another large domain name registrar. Using Farsight Security, a service that maps changes to domain name records over time, KrebsOnSecurity queried for all GoDaddy-registered domains whose email (MX) records had been changed over the past week to point at privateemail.com. Those results were then cross-referenced against the 1 million most popular websites according to Alexa.com.
The result shows that several other cryptocurrency platforms may also have been targeted by the same group, including Bibox.com, Celsius.network, and Wirex.app. None of these companies responded to requests for comment.
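The hunt described above can be reproduced over any passive-DNS feed that records when a value was first and last seen for a name. The following is an added example (not code from the KrebsOnSecurity article or from Farsight Security) that runs the same three-step filter over a constructed, in-memory set of observations: find domains whose MX record was changed to a host under a given provider inside a time window, keep only domains whose NS records sit under GoDaddy's default domaincontrol.com nameservers, and intersect with a popularity list standing in for Alexa's top 1M. The domain names, providers and timestamps in `SAMPLE` are made up; privateemail.com and domaincontrol.com are the only real values.

```python
"""Find domains whose MX records were recently re-pointed at a mail provider.

Added example, not from the article or from Farsight Security.  The data
below is constructed; real passive-DNS APIs return comparable
(rrname, rrtype, rdata, time_first, time_last) tuples.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Observation:
    rrname: str          # owner name with trailing dot, e.g. "crypto-a.example."
    rrtype: str          # "MX", "NS", ...
    rdata: str           # value as observed, e.g. "10 mx1.privateemail.com."
    first_seen: datetime
    last_seen: datetime


# GoDaddy's default nameservers are under domaincontrol.com.
GODADDY_NS_SUFFIX = "domaincontrol.com."


def rdata_target(rdata: str) -> str:
    """Hostname part of an MX ('<pref> <host>') or NS ('<host>') rdata string."""
    return rdata.split()[-1].lower()


def hosted_on(observations, domain, ns_suffix):
    """True if any NS record seen for `domain` ends in `ns_suffix`."""
    return any(o.rrname == domain and o.rrtype == "NS"
               and rdata_target(o.rdata).endswith(ns_suffix)
               for o in observations)


def mx_redirected_to(observations, target_suffix, since):
    """Domains whose MX was *changed* to a host under `target_suffix` at or after `since`.

    A change requires both a target MX first seen inside the window and some
    other MX seen before it; domains that always used the target are ignored.
    """
    by_domain = defaultdict(list)
    for o in observations:
        if o.rrtype == "MX":
            by_domain[o.rrname].append(o)
    hits = set()
    for domain, recs in by_domain.items():
        new_target = [r for r in recs
                      if rdata_target(r.rdata).endswith(target_suffix) and r.first_seen >= since]
        prior_other = [r for r in recs
                       if not rdata_target(r.rdata).endswith(target_suffix) and r.first_seen < since]
        if new_target and prior_other:
            hits.add(domain)
    return hits


def hunt(observations, target_suffix, since, ns_suffix, top_sites):
    """MX-change hits narrowed to registrar-hosted domains present in a popularity list."""
    top = {d.rstrip(".").lower() for d in top_sites}
    return sorted(d.rstrip(".")
                  for d in mx_redirected_to(observations, target_suffix, since)
                  if hosted_on(observations, d, ns_suffix) and d.rstrip(".").lower() in top)


# ---- constructed sample data (hypothetical domains and providers) ----
NOW = datetime(2020, 11, 20, tzinfo=timezone.utc)
WINDOW_START = NOW - timedelta(days=7)
OLD = NOW - timedelta(days=400)
HIJACK = datetime(2020, 11, 18, 3, 0, tzinfo=timezone.utc)


def obs(name, rrtype, rdata, first, last=NOW):
    return Observation(name, rrtype, rdata, first, last)


SAMPLE = [
    # GoDaddy-hosted, MX moved to privateemail inside the window -> hit
    obs("crypto-a.example.", "NS", "ns41.domaincontrol.com.", OLD),
    obs("crypto-a.example.", "MX", "10 mx.old-provider.example.", OLD, HIJACK),
    obs("crypto-a.example.", "MX", "10 mx1.privateemail.com.", HIJACK),
    obs("crypto-b.example.", "NS", "ns17.domaincontrol.com.", OLD),
    obs("crypto-b.example.", "MX", "10 mail.other-provider.example.", OLD, HIJACK),
    obs("crypto-b.example.", "MX", "10 mx2.privateemail.com.", HIJACK),
    # always used privateemail -> no change, ignored
    obs("legit-user.example.", "NS", "ns33.domaincontrol.com.", OLD),
    obs("legit-user.example.", "MX", "10 mx1.privateemail.com.", OLD),
    # MX moved, but not on GoDaddy nameservers -> filtered out
    obs("other-reg.example.", "NS", "ns1.other-registrar.example.", OLD),
    obs("other-reg.example.", "MX", "10 mx.old-provider.example.", OLD, HIJACK),
    obs("other-reg.example.", "MX", "10 mx1.privateemail.com.", HIJACK),
    # matches everything but is not in the popularity list
    obs("tiny-blog.example.", "NS", "ns05.domaincontrol.com.", OLD),
    obs("tiny-blog.example.", "MX", "10 mx.tiny-blog.example.", OLD, HIJACK),
    obs("tiny-blog.example.", "MX", "10 mx1.privateemail.com.", HIJACK),
]
TOP_SITES = ["crypto-a.example", "crypto-b.example", "legit-user.example", "other-reg.example"]

if __name__ == "__main__":
    for d in hunt(SAMPLE, "privateemail.com.", WINDOW_START, GODADDY_NS_SUFFIX, TOP_SITES):
        print("MX re-pointed to privateemail.com within window:", d)
```

The same `mx_redirected_to` logic, run against your own domains with a baseline snapshot instead of a third-party feed, is the "domain monitoring" control the FBI/CISA advisory recommends later on this page; a registrar-side change like the one NiceHash caught shows up as a new NS, MX or A value with a `first_seen` you did not schedule.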
In response to questions from KrebsOnSecurity, GoDaddy acknowledged that a “small number” of customer domain names were changed after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on November 17 was not related to a security incident, but rather a technical issue that materialized during scheduled network maintenance.
“Separately and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team has investigated and confirmed the activity of threat actors, including the social engineering of a limited number of GoDaddy employees.”
“We immediately locked down the accounts involved in this incident, rolled back all changes to the accounts and helped affected customers regain access to their accounts,” the GoDaddy statement continued. “As threat actors become more sophisticated and aggressive in their attacks, we are constantly educating employees on new tactics that could be used against them and adopting new security measures to prevent future attacks.”
Race declined to comment on how GoDaddy’s employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the attackers targeted employees over the phone and were able to read internal notes that GoDaddy staff had left on customer accounts.
Additionally, the attack on escrow.com redirected the site to an internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing website servicenow-godaddy.com. This suggests that the attackers behind the March incident, and possibly this latest one, succeeded by calling GoDaddy employees and convincing them to enter their employee credentials on a fraudulent GoDaddy login page.
In August 2020, KrebsOnSecurity warned of a marked increase in the number of large companies targeted in sophisticated voice phishing or “vishing” scams. Experts say the success of these scams has been greatly facilitated by the many employees working remotely because of the ongoing coronavirus pandemic.
A typical vishing scam begins with a series of phone calls to employees working remotely in a targeted organization. Phishers often explain that they are calling from the employer’s IT department to help resolve issues with the company’s email or virtual private network (VPN) technology.
The goal is to convince the target to divulge their credentials over the phone or enter them manually on a website set up by the attackers that mimics corporate email or the organization’s VPN portal.
On July 15, a number of high-profile Twitter accounts were used to tweet about a Bitcoin scam that grossed over $100,000 in a matter of hours. According to Twitter, the attack succeeded because the perpetrators were able to trick several Twitter employees over the phone into giving access to internal Twitter tools.
An alert issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says the perpetrators of these vishing attacks compile dossiers on employees at their targeted companies using mass scraping of public profiles on social media platforms, recruiting and marketing tools, publicly available background-check services, and open source research.
The FBI / CISA advisory includes a number of suggestions companies can implement to help mitigate the threat of vishing attacks, including:
• Restrict VPN connections to managed devices only, using mechanisms such as hardware checks or installed certificates, so that user input alone is not enough to access the corporate VPN.
• Limit VPN access hours, if applicable, to limit access outside of authorized hours.
• Use domain monitoring to track creation or changes to corporate brand domains.
• Actively scan and monitor web applications for unauthorized access, changes, and abnormal activity.
• Employ the principle of least privilege and implement software restriction policies or other controls; monitor the access and use of authorized users.
• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network, where a second factor is used to authenticate the phone call before sensitive information is discussed.
• Improve 2FA and OTP messaging to reduce confusion over employee authentication attempts.
• Check that the web links are not misspelled or contain the wrong domain.
• Bookmark the correct corporate VPN URL and do not visit other URLs based on an incoming phone call alone.
• Beware of unsolicited phone calls, visits, or e-mail messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of the person’s authority to have that information. If possible, verify the caller’s identity directly with the company; a displayed caller ID can be spoofed.
• If you receive a vishing call, document the caller’s phone number as well as the domain the actor attempted to send you to and pass this information on to law enforcement.
• Limit the amount of personal information you post on social networking sites. The Internet is a public resource; only post information that you are comfortable with to anyone who sees it.
• Evaluate your settings: Sites can change their options periodically. So check your security and privacy settings regularly to make sure your choices are still appropriate.
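The two link-hygiene bullets above (check for misspelled or wrong domains; bookmark the real VPN URL) are what would have caught the servicenow-godaddy.com lure mentioned earlier on this page. The following is an added example, not part of the advisory or of any GoDaddy tooling, of how a mail gateway or browser extension can apply that check mechanically: it reduces a link's hostname to its registrable domain, accepts only allowlisted corporate domains over https, and flags brand names embedded in unrelated domains, userinfo tricks (`brand.com@evil`), bare IP addresses and punycode hosts. `KNOWN_SUFFIXES` is a tiny stand-in for the Public Suffix List, and the allowlist, brand list and test links are assumptions for illustration.

```python
"""Classify links an employee is asked to click during a 'help desk' call.

Added example; not from the FBI/CISA advisory or from GoDaddy.  Only
godaddy.com and servicenow-godaddy.com are names taken from the article; the
rest of the inputs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption: enough for this example;
# production code should load the full list).
KNOWN_SUFFIXES = {"com", "net", "org", "app", "example", "co.uk", "network"}


def registrable_domain(host: str) -> str:
    """'sso.godaddy.com' -> 'godaddy.com'; 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                       # longest public suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def check_link(url: str, allowed_domains, brands):
    """Return (ok, reason).  ok is True only for https links under an allowlisted domain."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no hostname in link"
    if parts.username is not None:         # https://godaddy.com@evil.example/
        return False, f"userinfo '{parts.username}@' hides the real host {host}"
    try:
        ipaddress.ip_address(host)
        return False, f"bare IP address {host} instead of a corporate hostname"
    except ValueError:
        pass
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False, f"internationalised/punycode hostname {host}"
    reg = registrable_domain(host)
    if reg in {d.lower() for d in allowed_domains}:
        if parts.scheme != "https":
            return False, f"{host} is allowlisted but the link is {parts.scheme}, not https"
        return True, f"{host} is under allowlisted domain {reg}"
    squashed = host.replace("-", "").replace(".", "")   # catches service-now-go-daddy.com
    for brand in brands:
        if brand.lower().replace("-", "") in squashed:
            return False, f"brand '{brand}' appears in {host} but its registrable domain is {reg}"
    return False, f"{reg} is not an allowlisted corporate domain"


# Hypothetical corporate allowlist and protected brand strings.
ALLOWED = ["godaddy.com"]
BRANDS = ["godaddy"]

if __name__ == "__main__":
    for link in [
        "https://sso.godaddy.com/login",                 # legitimate
        "https://servicenow-godaddy.com/login",          # lure from the March incident
        "https://godaddy.com.login-portal.example/",     # brand as a subdomain of attacker domain
        "https://godaddy.com@evil.example/",             # userinfo trick
        "http://sso.godaddy.com/",                       # right domain, wrong scheme
        "https://203.0.113.5/vpn",                       # bare IP
    ]:
        ok, why = check_link(link, ALLOWED, BRANDS)
        print("OK   " if ok else "BLOCK", link, "->", why)
```

The decision that matters is made on the registrable domain, not on whether the brand string appears somewhere in the URL: an attacker controls every label to the left of the domain they registered, so "godaddy" in a subdomain or path proves nothing, while a mismatch between the brand and the registrable domain is exactly the signal the advisory's "wrong domain" bullet asks employees to look for.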
Tags: Bibox, Celsius.network, Dan Race, Farsight Security, GitHub, GoDaddy, Namecheap, phishing, privateemail.com, Slack, vishing, Wirex.app