GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services – Krebs on Security


Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world's largest domain name registrar, KrebsOnSecurity has learned.

The incident is the latest attack on GoDaddy that relied on tricking its employees into transferring ownership and/or control of domains sought by scammers. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to take control of at least half a dozen domain names, including the transaction brokerage site escrow.com.

And in May of this year, GoDaddy revealed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in October 2019 that wasn’t discovered until April 2020.

This latest campaign appears to have started around November 13, with an attack on the cryptocurrency trading platform liquid.com.

“A GoDaddy domain hosting provider who manages one of our primary domain names incorrectly transferred control of the account and domain to an attacker,” Liquid CEO Kayamori said in a blog post. “This gave the actor the ability to modify DNS records and, in turn, take control of a number of internal email accounts. In due course, the attacker was able to partially compromise our infrastructure and obtain access to document filing.”

In the early morning hours of November 18 Central European Time (CET), cryptocurrency mining service NiceHash discovered that some of the settings for its domain registration records on GoDaddy had been changed without permission, briefly redirecting email and web traffic for the site. NiceHash froze all customer funds for around 24 hours until it was able to verify that the domain settings had been reset to their original settings.

“At this time, it appears that no email, password or personal data has been accessed, but we suggest resetting the password and activating 2FA security,” the company wrote in a blog post.

NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an internet address at GoDaddy, and that the attackers tried to use their access to incoming NiceHash email to perform password resets on various third-party services, including Slack and GitHub. But he said GoDaddy was impossible to reach at the time because it was experiencing a widespread system outage in which its phone and email systems were not responding.

“We detected it almost immediately [and] started to mitigate [the] attack,” Skorjanc said in an e-mail to this author. “Luckily we defeated them well and they had no access to any important services. Nothing was stolen.”

Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform operated by Namecheap Inc., another large domain name registrar. Using Farsight Security, a service that maps changes to domain name records over time, KrebsOnSecurity searched for all domains registered at GoDaddy whose email (MX) records had been altered in the past week to point to privateemail.com. These results were then indexed against the top million most popular websites according to Alexa.com.

The results suggest that several other cryptocurrency platforms may also have been targeted by the same group, including Bibox.com, Celsius.network and Wirex.app. None of these companies responded to requests for comment.
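The triage described above, as an added example that is not part of the original article: given passive-DNS change records of the kind Farsight provides, find domains whose MX record moved into a given mail provider within a time window, then rank the hits by site popularity. The record layout, the `.example` domains and the popularity ranks are all constructed for illustration, not real Farsight or Alexa data.

```python
from datetime import datetime, timezone

# Constructed passive-DNS change records (not real Farsight output):
# (zone, rrtype, first_seen as ISO-8601 UTC, previous rdata, new rdata)
PDNS_CHANGES = [
    ("nicehash.example", "MX", "2020-11-18T02:10:00Z", "10 mx1.nicehash.example.", "10 mx1.privateemail.com."),
    ("bibox.example",    "MX", "2020-11-16T09:30:00Z", "10 aspmx.l.google.com.",  "10 MX1.PRIVATEEMAIL.COM"),
    ("shop.example",     "MX", "2020-11-15T12:00:00Z", "10 mail.shop.example.",   "10 mx2.privateemail.com."),
    ("oldnews.example",  "MX", "2020-10-01T00:00:00Z", "10 mail.oldnews.example.", "10 mx1.privateemail.com."),
    ("celsius.example",  "NS", "2020-11-17T20:00:00Z", "ns1.domaincontrol.com.",  "ns2.domaincontrol.com."),
]

# Constructed stand-in for an Alexa-style popularity list: domain -> rank (lower is more popular)
TOP_SITES = {"nicehash.example": 4200, "bibox.example": 15800, "shop.example": 900000}

def parse_utc(iso):
    """Parse '2020-11-18T02:10:00Z' into an aware UTC datetime."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def mail_host(rdata):
    """Exchange host from MX rdata: '10 mx1.example.' -> 'mx1.example' (lower-case, no trailing dot)."""
    return rdata.split()[-1].lower().rstrip(".")

def in_provider(host, provider):
    """True if host is the provider domain itself or a subdomain of it."""
    return host == provider or host.endswith("." + provider)

def suspicious_mx_moves(changes, provider, since_iso, top_sites):
    """Return (zone, rank, new_mx_host) for MX records that moved INTO `provider`
    on or after `since_iso`, restricted to zones present in `top_sites`, most popular first."""
    since = parse_utc(since_iso)
    hits = []
    for zone, rrtype, seen, old, new in changes:
        if rrtype != "MX" or parse_utc(seen) < since:
            continue
        new_host = mail_host(new)
        # Only a change *into* the provider is interesting; already-hosted zones are noise.
        if in_provider(new_host, provider) and not in_provider(mail_host(old), provider):
            if zone in top_sites:
                hits.append((zone, top_sites[zone], new_host))
    return sorted(hits, key=lambda h: h[1])

def run_example():
    """Last week's MX moves into privateemail.com, using the constructed data above."""
    return suspicious_mx_moves(PDNS_CHANGES, "privateemail.com", "2020-11-13T00:00:00Z", TOP_SITES)

if __name__ == "__main__":
    for zone, rank, mx in run_example():
        print(f"{rank:>8}  {zone:<20} -> {mx}")
```

The October record falls outside the window and the NS-only change is ignored, so only the three in-window MX redirections are reported.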

In response to KrebsOnSecurity’s questions, GoDaddy acknowledged that “a small number” of customer domain names had been changed after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7pm and 11pm PST on Nov 17 was not related to a security incident, but rather a glitch that occurred during scheduled network maintenance.

“Separately and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a limited number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed the activity of threat actors, including social engineering of a limited number of GoDaddy employees.

“We immediately blocked the accounts involved in this incident, reversed the changes made to the accounts, and helped affected customers regain access to their accounts,” the GoDaddy statement continued. “As threat actors become more sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that could be used against them and taking new security measures to prevent future attacks.”

Race declined to specify how GoDaddy's employees were induced to make the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that hit escrow.com and several other GoDaddy customer domains, the attackers targeted employees over the phone and were able to read internal notes that GoDaddy employees had left on customer accounts.

Additionally, the attack on escrow.com redirected the site to an Internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing site servicenow-godaddy.com. This suggests that the attackers behind the March incident, and possibly this latest one, managed to call GoDaddy employees and persuade them to enter their employee credentials at a fraudulent GoDaddy login page.

In August 2020, KrebsOnSecurity warned of a marked increase in large companies being targeted in sophisticated voice phishing or “vishing” scams. Experts say these scams have been greatly aided by the large number of employees working remotely because of the ongoing coronavirus pandemic.

A typical vishing scam begins with a series of phone calls to employees working remotely at a targeted organization. Phishers often explain that they are calling from the employer’s IT department to help troubleshoot issues with company email or Virtual Private Network (VPN) technology.

The goal is to convince the target to divulge their credentials over the phone or manually enter them on a website set up by attackers that mimics corporate email or the organization’s VPN portal.

On July 15, a series of high-profile Twitter accounts were used to tweet a bitcoin scam that netted more than $100,000 in a matter of hours. According to Twitter, that attack succeeded because the perpetrators were able to socially engineer several Twitter employees over the phone into giving them access to internal Twitter tools.

An advisory issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says that the perpetrators of these vishing attacks compile dossiers on employees of target companies using mass scraping of public profiles on social media platforms, recruiting and marketing tools, publicly available background-check services and open-source research.

The FBI/CISA advisory includes a number of steps businesses can take to help mitigate the threat from vishing attacks, including:

• Restrict VPN connections to managed devices only, using mechanisms such as hardware checks or installed certificates, so that user input alone is not enough to access the corporate VPN.

• Limit VPN access times, where applicable, to mitigate access outside permitted hours.

• Employ domain monitoring to track creation or changes to corporate or brand domains.

• Actively scan and monitor web applications for unauthorized access, modifications and anomalous activity.

• Use the principle of least privilege and implement software restriction policies or other controls; monitor the access and use of authorized users.

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network, where a second factor is used to authenticate the phone call before sensitive information can be discussed.

• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

• Verify that web links are not misspelled or contain the wrong domain.

• Bookmark the correct corporate VPN URL and do not visit alternative URLs based on an incoming phone call alone.

• Be wary of unsolicited phone calls, visits, or e-mails from unknown people claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the identity of the caller directly with the company.

• If you receive a vishing call, document the caller’s phone number and the domain the caller attempted to send you to, and forward this information to law enforcement.

• Limit the amount of personal information you post on social networking sites. The Internet is a public resource; only post information you are comfortable with anyone seeing.

• Evaluate your settings: Sites may change their options periodically, so regularly review your security and privacy settings to make sure your choices are still appropriate.

Tags: Bibox, Celcius.network, Dan Race, Farsight Security, GitHub, GoDaddy, Namecheap, phishing, privateemail.com, Slack, vishing, Wirex.app
