GoDaddy staff fall prey to social engineering scam in cryptocurrency exchange attack wave
GoDaddy employees were exploited to facilitate attacks on multiple cryptocurrency exchanges through social engineering and phishing.
Staff at the domain name registrar were subject to a social engineering scam that duped them into changing email and registration records, used to conduct attacks on other organizations.
As reported by security expert Brian Krebs last week, GoDaddy confirmed that the scam led to a “small number” of customer domain names being ‘modified” earlier this month.
Starting in mid-November, fraudsters ensured that email and web traffic intended for cryptocurrency exchanges was redirected. Liquid.com and the NiceHash cryptocurrency trading posts were impacted, and it is suspected that other exchanges may also have been affected.
According to Liquid CEO Mike Kayamori, a security incident on November 13 was caused by GoDaddy incorrectly transferring control of an account related to the firm’s core domain names.
“This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts,” Kayamori said in a blog post. “In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
Liquid.com contained the attack after discovery, and while the attacker may have accessed user emails, names, addresses, and encrypted passwords, client funds were accounted for.
In NiceHash’s case, the company blamed “technical issues” at GoDaddy resulting in “unauthorized access” to domain settings, leading to the DNS records for nicehash.com being changed.
This attack occurred on November 18. NiceHash responded quickly, freezing all wallet activity to prevent any loss of user cryptocurrency. Withdrawals were suspended for 24 hours while an internal audit took place and normal service has since resumed.
NiceHash says that it does not look like user information was exposed or compromised, but urges caution if users receive links or suspicious emails claiming to be from the cryptocurrency exchange.
The company also recommended that users change their passwords and enable two-factor authentication (2FA) to be on the safe side.
Speaking to Krebs, NiceHash founder Matjaz Skorjanc added that the attackers attempted to force password resets on third-party services, including Slack, but NiceHash was able to fend off these attempts.
A GoDaddy spokesperson said the domain registrar “immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts.”
The spokesperson added that as “threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them.”
In May, GoDaddy reported a security breach in which an individual was able to access SSH accounts within the firm’s hosting infrastructure without permission. GoDaddy said there was no evidence of tampering that would impact customers, but security bolt-ons would be provided for a year, for free, to anyone affected.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0