Multiple cryptocurrency services – Godaddy employees used in attacks on security crabs


Fraudsters redirected email and web traffic to several cryptocurrency trading platforms in the past week. The attacks were facilitated by scams targeting employees GoDaddy, The world’s largest domain name registrar, Krebsen Security learned.

The incident is the latest attack on GoDaddy that relies on fraudsters to transfer ownership of fake employees and / or control the targeted domains. In March, GoDaddy support employees were allowed to take control of at least half a dozen domain names, including the transaction brokerage site Escrow.com, through a voice-phishing scam.

And in May of this year, GoDaddy announced that it had Oct Ktoo in the web hosting accounts of 28,000 customers. The settlement was reached after the 2019 security incident, which was not found until April 2020.

The latest campaign appears to have started on or around November 13 with an attack on cryptocurrency trading platforms Liquid.com.

“GoDaddy, a domain hosting provider that manages one of our main domain names incorrectly transfers account and domain control to a malicious actor.” Liquid CEO Mike Kayamori Said in a blog post. “This gives the actor the ability to change DNS records and, in turn, take control of a number of internal email accounts. Of course, the malicious actor was able to partially compromise our infrastructure and gain access to document storage. “

November of Central European Time (CET). On the early morning of the 18th, Cyptocurrency Mining Service discovered that some of the settings for its domain registration records on GoDaddy were changed without permission, shortly redirecting email and web traffic to the site. NiceHash freezes all customer funds for about 24 hours until it is able to verify that its domain settings have been changed back to their original settings.

“At the moment, it looks like no emails, passwords or any personal data has been accessed, but we suggest resetting your password and enabling 2FA security,” the company wrote in a blog post. Is.

Matthias Scorz, founder of NiceHash, said unauthorized changes were made to the Internet address at Goddard, and that the attackers tried to use Nice Hash’s emails access to reset passwords on various third-party services. Slack And Githab. But he said it was impossible to reach GoDaddy at the time because it was going through a widespread system outage in which phone and email systems were unresponsive.

“It simply came to our notice then [and] Began to decrease [the] Attack, “Scorjank said in an email to the author. “Fortunately, we fought them well and they did not get any significant service. Nothing was stolen. “

Scorjanch said Naishah’s email service has been redirected privateemail.com, Namechap Inc. One email platform powered by, another large domain name registrar. Using Farsite Security, a service that modifies domain name records over time, Krebsen Security instructed to show all domains registered on Goddard that had modified their email records pointing them to privatemail.com. Those results were indexed against the top one million most popular websites, according to Alexa.com.

The results show that many other cryptocurrency platforms can also be targeted by the same group, including biboxx.com, Celsius.com and Virus.app. None of these companies responded to requests for comment.

In response to questions from Krebs SN Security, GoDaddy acknowledged that a “limited number” of customer domain names had changed after a “limited” number of GoDaddy employees fell into the social engineering scandal. Goddard said the outbreak during the period from 7:00 pm to 11:00 pm on November 17 was not related to a security incident, but was a technical issue that occurred during planned network maintenance.

“Different and not related to outages, regular audit of account activity has identified potential unauthorized changes in the number of customers’ small domains and / or account information,” Dan Race Said. “Our security team investigated and confirmed the activity of the threatening actor, including the social engineering of a limited number of GoDaddy employees.

“We immediately locked the accounts involved in the incident, reversed any changes to the accounts, and helped the affected customers regain access to their accounts,” Godddy’s statement continues. “As the threatening actors become more civilized and aggressive in their attacks, we are constantly educating employees about the new tactics being used against them and adopting new security measures to prevent future attacks.”

He declined to mention how his employees were caught making unauthorized changes, saying the race was still under investigation. But in attacks earlier this year that affected Escrow.com and many other Goddard customer domains, the attackers targeted employees over the phone, and Goddard employees were able to read internal notes left on customers’ accounts.

Not only that, the attack on Escrow.com redirected the site to an Internet address in Malaysia that hosted less than a dozen other domains, including a phishing website. servicenow-godaddy.com. This indicates the attackers behind the March incident – and possibly this one of the most recent – succeeded by calling GoDaddy employees and convincing them to use their employee credentials on the fraudulent GoDaddy login page.

In August 2020, Krebs SN Security warned that there would be a targeted increase in sophisticated voice phishing or “wishing” scams in large corporations. Experts say the success of these scams has been helped by many employees working remotely due to the ongoing coronavirus epidemic.

A specific wishing scheme starts with a series of phone calls to employees working remotely in the target organization. Fisher will often explain that they are calling the employer’s IT department to troubleshoot problems with the company’s email or virtual private networking (VPN) technology.

The target is either to disclose their credentials over the phone or to manually input on a website set up by attackers copying the organization’s corporate email or VPN portal.

On July 15, several high-profile Twitter accounts were used to tweet the Bitcoin scam, which grossed over, 100,000 in just a few hours. According to Twitter, the attack was successful because criminals were able to give many Twitter employees access to internal Twitter tools to a social engineer over the phone.

A warning issued jointly by The FBI And Cybersecurity and Infrastructure Security Agency (CISA) says the perpetrators of these treacherous attacks have compiled dossiers on employees at their targeted companies using social media platforms, recruitment and marketing tools, publicly available background check services and large-scale scraping of public profiles on open source research.

The FBI / CISA advisory includes a number of suggestions that companies can implement to help reduce the risk of treason attacks, including:

Restrict VPN connections only on managed devices, using mechanisms such as managed hardware checks or installed certificates, so user input alone is not enough to access a corporate VPN.

To reduce m access beyond the allowed time, restrict VPN access access hours where applicable.

Implement domain monitoring to consider corporate corporate, brand-name domains being created, or modified.

Actively scan and monitor the web application for unauthorized access, modification and inconsistent activities.

Privile at least apply the principle of privilege and apply software software restriction policies or other restrictions; Monitor authorized user usage and usage.

Telephone Consider using a formal authentication process for employee-to-employee communication on a public telephone network where another factor is used.
Verify the phone call before sensitive information can be discussed.

2 Improve FA and OTP messaging to reduce confusion about employee authentication efforts.

Verify ify Web links do not contain misspellings or domains.

Corporate Bookmark the correct corporate VPN URL and do not visit the alternate URL on the sole basis of inbound phone calls.

A Suspect unsolicited phone calls, visits or email messages from strangers claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its composition or networks, unless you are convinced of an individual’s right to your information. If possible, try to verify the identity of the caller directly with the company.

If you receive a specific call, document the caller’s phone number as well as the domain the actor tried to send you and relay this information for law enforcement.

Social Limit the amount of personal information you post on social networking sites. The Internet is a public resource; Only the information of the post that you are comfortable with.

Evaluate your settings: Sites may change their options from time to time, so regularly review your security and privacy settings to make sure your choices are still appropriate.

Tags: Bebox, Celsius Dotwork, Dan Race, Farsite Security, GitHub, Goddy, NameChap, Phishing, PrivateEmail.com, Slack, Wishing, Virus.App

This entry was posted on Saturday, November 21st, 2020 at 1:15 pm and is filed under Little Sunshine, Web Fraud 2.0. You can follow any comments for this login via the RSS 2.0 feed. You can skip to the end and leave a comment. Pinging is currently not allowed.