Employees of GoDaddy, the world’s largest domain name registrar, accidentally helped hackers last week to redirect emails and web traffic of some targeted cryptocurrency websites, Krebs on Security reported.
“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Mike Kayamori, CEO of the cryptocurrency exchange Liquid, said in a blog post.
“This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage,” Kayamori added.
NiceHash, for its part, discovered in the early hours of Nov. 18 Central European Time (CET) that some of the settings for its domain registration records at GoDaddy had been changed without authorization, briefly redirecting the site’s email and web traffic.
NiceHash froze all customer funds for about 24 hours until it was able to restore its original domain settings.
“At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activating 2FA security,” the company wrote in a blog post.
Luckily, no personal info or other compromising data was stolen.
“We detected this almost immediately [and] started to mitigate [the] attack,” NiceHash founder Matjaz Skorjanc reportedly said. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen,” he added.
When contacted by KrebsOnSecurity, GoDaddy acknowledged the attack but did not provide details about how its employees were deceived by the hackers, saying the matter is still under investigation.
“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race told KrebsOnSecurity.
“Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees,” Race said.
“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” GoDaddy’s statement continued. “As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”
The incident is the latest in a series of attacks on GoDaddy in which hackers try to trick employees into transferring ownership or control of targeted domains to them.
In March, a voice phishing scam targeting GoDaddy support employees allowed the hackers to take control of at least half a dozen domain names, including the transaction brokering site escrow.com.
In May, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts had been compromised in a security incident in Oct. 2019 that was not discovered until April 2020.
For website owners, it is always a good idea to enable two-factor authentication on the accounts that control your domains, to protect your data.