Hackers tricked GoDaddy employees to attack multiple cryptocurrency trading platforms
Cyber hacking has become one of the fastest rising threats to organizations of all sizes. According to a study, the damage from cybercrime is projected to cost $6 trillion annually by 2021. Earlier this month, we wrote about Facebook after a data breach exposed a massive phishing and credit card fraud operation targeting hundreds of thousands of Facebook users in just three months.
Facebook is not alone. Over the weekend, Brian Krebs at KrebsOnSecurity wrote a piece about a recent attack on cryptocurrency services via GoDaddy, the world’s largest domain name registrar. The attack, which was launched through GoDaddy employees, is a reminder that no organization is immune to cyber hacking.
According to Krebs, the hackers pulled off the attack after they redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by social engineering scams targeting employees at GoDaddy. In at least two incidents, it appears that the hackers were able to either transfer a domain to another account and modify its nameservers, or otherwise modify the nameservers on the domain names. Krebs said:
The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com.
And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. 2019 that wasn’t discovered until April 2020. This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.
“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Mike Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
In the early morning hours of Nov. 18 Central European Time (CET), the cryptocurrency mining service NiceHash discovered that some of the settings for its domain registration records at GoDaddy were changed without authorization, briefly redirecting email and web traffic for the site.
NiceHash immediately froze all wallet activity to secure all users’ funds. The company said that “all funds are safe and users will get access to their wallets in the next 24 hours.” In a blog post, NiceHash said:
“To secure all users’ funds, we have immediately frozen all wallet activity. All funds are safe and users will get access to their wallets in the next 24 hours. The NiceHash domain is now back online and all systems are fully operational with the exception of withdrawals. Withdrawals will resume after the internal audit. At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activating 2FA security.”
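The incidents above all hinge on registrar-side changes to a domain's nameservers or DNS records that silently reroute web and email traffic. The following is an added example, not code from the article or from any of the companies named in it, of the kind of drift check a domain owner can run on a schedule: it compares a known-good snapshot against a freshly observed one and flags nameserver, MX, A-record and transfer-lock changes. The domain names, nameserver hosts, IP addresses and the `DnsSnapshot` type are constructed placeholders; in practice the observed snapshot would come from live DNS and registrar queries.

```python
"""Detect unauthorized nameserver / DNS record changes of the kind
described above. Snapshots are plain data so this runs offline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    ns: frozenset           # authoritative nameservers (NS records)
    mx: frozenset           # mail exchanger host names (MX records)
    a: frozenset            # IPv4 addresses served for the apex / web host
    registrar_lock: bool    # transfer lock set at the registrar


def detect_drift(baseline, observed, trusted_ns_suffixes=()):
    """Return (severity, message) findings for every change between the
    two snapshots. A nameserver change to hosts outside the trusted
    provider suffixes is rated critical, because whoever runs the new
    nameservers controls every record under the domain."""
    findings = []
    if baseline.ns != observed.ns:
        added = observed.ns - baseline.ns
        untrusted = {h for h in added
                     if not any(h.endswith(s) for s in trusted_ns_suffixes)}
        sev = "critical" if untrusted else "high"
        findings.append((sev, f"NS set changed: added {sorted(added)}, "
                              f"removed {sorted(baseline.ns - observed.ns)}"))
    if baseline.mx != observed.mx:
        findings.append(("critical", f"MX changed: mail now routed to "
                                     f"{sorted(observed.mx)} (email redirection)"))
    if baseline.a != observed.a:
        findings.append(("high", f"A records changed: web traffic now goes to "
                                 f"{sorted(observed.a)}"))
    if baseline.registrar_lock and not observed.registrar_lock:
        findings.append(("critical", "registrar transfer lock removed: "
                                     "domain can be moved to another account"))
    return findings


# Constructed sample data for a hypothetical trading platform: the known-good
# baseline, and an observed snapshot after an attacker-controlled NS swap.
TRUSTED_NS = ("dns-provider.example.",)
BASELINE = DnsSnapshot(ns=frozenset({"ns1.dns-provider.example.", "ns2.dns-provider.example."}),
                       mx=frozenset({"mail.exchange.example."}),
                       a=frozenset({"203.0.113.10"}), registrar_lock=True)
OBSERVED = DnsSnapshot(ns=frozenset({"ns1.attacker-host.example.", "ns2.attacker-host.example."}),
                       mx=frozenset({"mx.attacker-host.example."}),
                       a=frozenset({"198.51.100.7"}), registrar_lock=False)

if __name__ == "__main__":
    for sev, msg in detect_drift(BASELINE, OBSERVED, TRUSTED_NS):
        print(f"[{sev}] {msg}")
```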