Hoster GoDaddy: Employees tricked in cyber attack

Hoster GoDaddy has now admitted to having been the victim of a cyber attack. The attackers managed to deceive GoDaddy employees working in the company's domain name registrar business. Last week, the fraudsters redirected email and web traffic for several cryptocurrency trading platforms to their own sites.
Krebs on Security reports on the case in this article. This latest campaign appears to have started on or around November 13th with an attack on the cryptocurrency trading platform liquid.com. "The domain hosting provider 'GoDaddy', which manages one of our core domain names, mistakenly transferred control of the account and domain to a malicious actor," Liquid CEO Mike Kayamori said in a blog post. "This gave the actor the ability to modify DNS records and in turn take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure and gain access to the document store."

In the early morning hours of November 18, 2020 Central European Time (CET), the cryptocurrency mining service NiceHash discovered that some of the settings for its domain registry entries at GoDaddy had been changed without authorization. The actors briefly redirected email and web traffic for the website. NiceHash froze all customer funds for approximately 24 hours until it verified that its domain settings had been restored to their original state. "So far it looks like no email, passwords or personal information has been accessed, but we recommend resetting the password and enabling 2FA security," the company wrote in a blog post.

NiceHash founder Matjaz Skorjanc said that the unauthorized changes were made from an Internet address at GoDaddy. The attackers attempted to use their access to incoming NiceHash email to perform password resets on various third-party services, including Slack and GitHub. Skorjanc said that GoDaddy was unavailable at the time because of a major system failure that prevented it from responding to phone calls and e-mail messages.

Several cryptocurrency platforms were probably targeted by the same group, including Bibox.com, Celsius.network and Wirex.app. None of these companies responded to requests from Brian Krebs. Only GoDaddy, in response to a request from KrebsOnSecurity, admitted that "a small number" of customer domain names had been changed after a "limited" number of GoDaddy employees had been taken in by a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on November 17th had nothing to do with a security incident, but was rather a technical problem that occurred during scheduled network maintenance.

GoDaddy has repeatedly attracted attention due to security incidents in its hosting business. In October 2019, for example, GoDaddy was the victim of a hack that apparently affected several thousand users.
