Fraudsters redirected email and web traffic destined for multiple cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.
The incident is the latest at GoDaddy in which attackers tricked employees into transferring ownership and/or control of targeted domains to scammers. In March, a phishing scam targeting GoDaddy support staff allowed attackers to take control of at least half a dozen domain names, including the transaction brokering site escrow.com.
And in May of this year, GoDaddy revealed that 28,000 of its customers’
This latest campaign appears to have started on November 13 with an attack on the cryptocurrency trading platform liquid.com.
“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Mike Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure and gain access to document storage.”
In the early morning hours of November 18 Central European Time (CET), cryptocurrency mining company NiceHash discovered that some of the settings for its domain registration records at GoDaddy had been changed without permission, briefly redirecting email and web traffic for the site. NiceHash froze all customer funds for approximately 24 hours until it was able to verify that its domain settings had been changed back to their original settings.
“At this time, it appears that no emails, passwords, or personal data were accessed, but we suggest that you reset your password and enable 2FA security,” the company wrote in a blog post.
NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an Internet address at GoDaddy, and that the attackers tried to use their access to NiceHash’s incoming email to perform password resets on various third-party services, including Slack and GitHub. But he said GoDaddy was unreachable at the time because it was undergoing a major system outage in which phone and email systems were unresponsive.
“We noticed this almost immediately [and] began to mitigate [the] attack,” Skorjanc said in an email to this author. “Fortunately, we fought them well and they did not get access to any important service. Nothing was stolen.”
Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform operated by Namecheap Inc., another major domain name registrar. Using Farsight Security, a service that maps changes to domain name records over time, KrebsOnSecurity queried the service for all domains registered at GoDaddy whose email records had been changed in the past week to point at privateemail.com. These results were then cross-referenced against the top one million most popular sites according to Alexa.com.
The result shows that several other cryptocurrency platforms may also have been targeted by the same group, including Bibox.com, Celsius.network, and Wirex.app. None of these companies responded to requests for comment.
In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 19:00 and 23:00 PST on 17 November was not related to a security incident, but rather a technical issue that occurred during scheduled network maintenance.
“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesman Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.”
“We immediately locked the accounts involved in this incident, reversed any changes made to the accounts, and helped affected customers regain access to their accounts,” GoDaddy’s statement continued. “As threat actors become more and more sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that can be used against them, and adopting new security measures to prevent future attacks.”
Race declined to specify how GoDaddy’s employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the attackers targeted employees over the phone and were able to read internal notes that GoDaddy employees had left on customer accounts.
What’s more, the attack on escrow.com redirected the site to an Internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing site servicenow-godaddy.com. This suggests that the attackers behind the March incident – and possibly the most recent one – succeeded in calling GoDaddy employees and convincing them to use their employee credentials on a fake GoDaddy login page.
In August 2020, KrebsOnSecurity warned of a marked increase in sophisticated voice phishing or “vishing” scams targeting large companies. Experts say the success of these scams has been helped greatly by so many employees working remotely thanks to the ongoing Coronavirus pandemic.
A typical vishing scam begins with a series of phone calls to employees working remotely at a targeted organization. The phishers typically claim to be calling from the employer’s IT department to help resolve problems with the company’s email or VPN (virtual private networking) technology.
The goal is to convince the target to either hand over their credentials over the phone or enter them manually on a site set up by the attackers that mimics the organization’s corporate email or VPN portal.
On July 15, a number of high-profile Twitter accounts were used to tweet a bitcoin scam that earned more than $100,000 in a matter of hours. According to Twitter, this attack succeeded because the perpetrators were able to socially engineer multiple Twitter employees over the phone into giving away access to internal Twitter tools.
A warning issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says the perpetrators of these vishing attacks compile dossiers on employees of their targeted companies using mass scraping of public profiles on social media platforms, recruitment and marketing tools, publicly available background check services and open source research.
The FBI/CISA advisory includes a number of suggestions that companies can implement to help mitigate the threat of vishing attacks, including:
• Restrict VPN connections to managed devices only using mechanisms such as hardware checks or installed certificates, so that user input alone is not sufficient to access the enterprise VPN.
• Limit VPN access times, where applicable, to cease out-of-hours access.
• Use domain monitoring to track the creation of or changes to corporate domains.
• Scan and actively monitor web applications for unauthorized access, modification and abnormal activities.
• Use the principle of least privilege and implement software restriction policies or other controls; monitor authorized user access and use.
• Consider using a formalized approval process for employee-to-employee communications conducted over the public telephone network, where a second factor is used to approve the phone call before sensitive information can be discussed.
• Improve 2FA and OTP messages to reduce confusion around employee approval attempts.
• Verify that web links are not misspelled and do not contain the wrong domain.
• Bookmark the correct corporate VPN URL and do not visit alternate URLs based on an incoming phone call alone.
• Be suspicious of unsolicited phone calls, visits or emails from strangers claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or network, unless you are sure of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
• If you receive a vishing call, document the phone number of the caller, as well as the domain that the actor was trying to send you to, and pass this information on to the police.
• Limit the amount of personal information you post on social networking sites. The Internet is a public resource; post only information you are comfortable with anyone seeing.
• Evaluate your settings: Websites may change their settings periodically, so review your security and privacy settings regularly to make sure your choices are still appropriate.
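The domain-monitoring control in the list above, and the MX-record check KrebsOnSecurity ran through Farsight Security, as an added example that is not part of the original post: a baseline-versus-live comparison of a company’s NS and MX records that flags a domain whose mail has been pointed at another organisation. The domain names, record values and the `lookup_constructed` stand-in for a DNS query are assumptions.

```python
"""Added example (not from the article): a minimal NS/MX change monitor, the
"domain monitoring" control in the FBI/CISA list. Assumes a nightly job keeps
last known-good records per domain (BASELINE) and lookup(domain, rtype) returns
current values; here lookup reads constructed data so it runs offline."""
from typing import Callable, Dict, List, Set

Records = Dict[str, Dict[str, Set[str]]]
# Constructed known-good snapshot for two hypothetical trading platforms.
BASELINE: Records = {
    "exchange.example": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "MX": {"mx1.exchange.example", "mx2.exchange.example"},
    },
    "wallet.example": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "MX": {"mx.wallet.example"},
    },
}
# Constructed "live" answers: exchange.example's mail now points at a
# third-party mailbox host (the redirection pattern described above).
LIVE: Records = {
    "exchange.example": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "MX": {"mx1.privateemail.com", "mx2.privateemail.com"},
    },
    "wallet.example": BASELINE["wallet.example"],
}

def lookup_constructed(domain: str, rtype: str) -> Set[str]:
    """Stand-in for a DNS query; returns the constructed live answer."""
    return LIVE.get(domain, {}).get(rtype, set())

def registrable(hostname: str) -> str:
    """Crude organisation key: last two labels (sufficient for this demo)."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])

def check_domains(baseline: Records,
                  lookup: Callable[[str, str], Set[str]]) -> List[dict]:
    """Compare live NS/MX answers with the baseline; one alert per drifted record."""
    alerts = []
    for domain, expected in baseline.items():
        for rtype, want in expected.items():
            got = lookup(domain, rtype)
            if got == want:
                continue
            # Records moving to another organisation is the high-risk case.
            moved = {registrable(h) for h in got} - {registrable(h) for h in want}
            alerts.append({"domain": domain, "type": rtype,
                           "removed": sorted(want - got), "added": sorted(got - want),
                           "severity": "high" if moved else "medium"})
    return alerts
```

In production the lookup would wrap a real resolver (for example dnspython) or the registrar’s API, and a high-severity alert should page the on-call team since a diverted MX record also hijacks password-reset mail for third-party services.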
Tags: Bibox, Celcius.network, Dan Race, Farsight Security, GitHub, GoDaddy, Namecheap, phishing, privateemail.com, Slack, vishing, Wirex.app
This entry was posted on Saturday, November 21st, 2020 at 13:15 and is filed under A Little Sunshine, Web Fraud 2.0.