GoDaddy Employees Tricked, And Gave Hackers Access To Cryptocurrency Domains

21/11/2020

A social engineering attack is a method of making people perform certain actions through psychological manipulation. In a hack attempt, social engineering is often used to make the target share confidential information or give system access.

And here, GoDaddy, the American publicly traded internet domain registrar and web hosting company, had its employees fall for such an attack.

According to a report from KrebsOnSecurity, fraudsters managed to trick GoDaddy employees into handing over ownership or control of multiple cryptocurrency services’ web domains.

This inadvertently aided the fraudsters in their attacks, which brought some of those websites down.

Cryptocurrency exchange Liquid, hash power broker NiceHash and digital payment platform Wirex, among others, have had their DNS records altered by the hackers.

A GoDaddy spokesperson confirmed this, saying that a “limited number” of its employees had fallen victim to “social engineering” attacks that allowed the intruders to make unauthorized changes to domains and accounts.

GoDaddy roundabout

The attack is said to have happened on November 13.

Liquid claims that a malicious actor managed to access its client’s personal information on November 18.

“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” said Liquid CEO Mike Kayamori in a blog post.

“This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

Shortly after, NiceHash also reported problems.

On November 18, it was said that some settings in NiceHash's GoDaddy domain registry records had been changed without permission. The situation led to a brief redirection of email and web traffic away from the website.

To prevent leaks, NiceHash immediately froze all of its clients' funds for 24 hours, both to stop the hackers from stealing funds and to verify that its domain settings had been restored to their original state. The company advised its clients to change their passwords and enable two-factor authentication.

“At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activate 2FA security,” the company wrote in a blog post.

Back in August 2020, KrebsOnSecurity warned about an increase in large corporations being targeted in sophisticated voice phishing or “vishing” scams. The experts said that the success of these social engineering tricks has been aided greatly by many employees working remotely due to the COVID-19 coronavirus pandemic.

Typically, this kind of scam begins with a series of phone calls between the fraudster and the employees. The fraudster will often claim to be calling from the employer's IT department to troubleshoot certain issues with the company's email or Virtual Private Network (VPN).

The goal is to convince the target employees to either divulge their credentials over the phone or to input them manually at a website previously set up by the fraudsters that mimics the company's corporate email or VPN portal.

When GoDaddy became aware of the issue, the company responded by reverting the changes, locking down accounts and helping victims regain access.

And following this incident, GoDaddy said that it would focus on training its employees to prevent similar incidents in the future.

GoDaddy stated that as threats become more sophisticated and aggressive, the company wants to continue training its staff on new tactics to use against them.

The company also said that it is implementing new security measures to prevent future episodes.