Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names

Miscreants were able to hijack traffic and email destined for various cryptocurrency-related websites this month – by hoodwinking GoDaddy employees.

Using social engineering tricks, the hackers were able to change the DNS settings of their victims’ domain names, redirecting connections and mail to their own servers. GoDaddy, the world’s biggest domain-name registrar, confirmed “a small number of customer domains and/or account information” were altered after “a limited number of GoDaddy employees” were duped.
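The attack above works because whoever controls a domain's DNS can point its A and MX records at machines they own, so connections and mail silently go elsewhere. The defender's counterpart is to watch the records from outside the registrar account and alert the moment they stop matching a known-good baseline. The following is an added example written for this article, not code from GoDaddy, Liquid or NiceHash; the domain, IP addresses and host names are constructed placeholders (RFC 5737 addresses and the reserved `.test` TLD), and the "observed" snapshot is hand-built to show what a redirect of web traffic and mail looks like in such a check.

```python
"""Detect DNS record changes for a domain against a known-good baseline.

Added example for the GoDaddy hijack story; not code from the article or
from any company named in it. Record values below are constructed.
In production the observed snapshot would come from resolvers outside the
registrar (e.g. dnspython queries against several public resolvers); here it
is embedded so the example runs offline.
"""
from dataclasses import dataclass, field

# Record types whose alteration can redirect connections (A/AAAA), mail (MX),
# the whole zone (NS) or mail authentication (TXT for SPF/DMARC).
MONITORED_TYPES = ("A", "AAAA", "MX", "NS", "TXT")


@dataclass(frozen=True)
class Snapshot:
    domain: str
    # record type -> iterable of record values
    records: dict = field(default_factory=dict)


def diff_records(baseline: Snapshot, observed: Snapshot) -> list:
    """Compare observed records with the baseline for every monitored type.

    Returns a list of (rtype, missing_values, unexpected_values) tuples,
    ordered as in MONITORED_TYPES; an empty list means no drift.
    """
    if baseline.domain != observed.domain:
        raise ValueError("snapshots are for different domains")
    alerts = []
    for rtype in MONITORED_TYPES:
        expected = set(baseline.records.get(rtype, ()))
        actual = set(observed.records.get(rtype, ()))
        missing = expected - actual
        unexpected = actual - expected
        if missing or unexpected:
            alerts.append((rtype, sorted(missing), sorted(unexpected)))
    return alerts


def severity(alerts: list) -> str:
    """Rank the drift: NS or MX drift means zone or mail takeover."""
    types = {rtype for rtype, _, _ in alerts}
    if types & {"NS", "MX"}:
        return "critical"
    if types & {"A", "AAAA"}:
        return "high"
    if alerts:
        return "medium"
    return "none"


# Constructed baseline: what the domain owner expects to see.
BASELINE = Snapshot(
    domain="exchange.test",
    records={
        "A": ["192.0.2.10"],
        "MX": ["10 mail.exchange.test"],
        "NS": ["ns1.registrar.test", "ns2.registrar.test"],
        "TXT": ["v=spf1 include:_spf.exchange.test -all"],
    },
)

# Constructed observation after a registrar-side change: web and mail now
# resolve to hosts the owner does not control, while NS/TXT are untouched.
OBSERVED = Snapshot(
    domain="exchange.test",
    records={
        "A": ["198.51.100.7"],
        "MX": ["10 mail.unknown-host.test"],
        "NS": ["ns1.registrar.test", "ns2.registrar.test"],
        "TXT": ["v=spf1 include:_spf.exchange.test -all"],
    },
)


if __name__ == "__main__":
    found = diff_records(BASELINE, OBSERVED)
    print(f"{BASELINE.domain}: severity={severity(found)}")
    for rtype, missing, unexpected in found:
        print(f"  {rtype}: missing={missing} unexpected={unexpected}")
```

Run the check from infrastructure that does not depend on the registrar login, on a schedule measured in minutes rather than days: in the incidents above the registrar itself was the weak point, so a registrar-side "change notification" e-mail sent to a mailbox whose MX the attacker has just redirected would never arrive.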

Those customers included cryptocurrency-trading site Liquid, which last week said: “On the 13th of November 2020, a domain hosting provider, GoDaddy, that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor.

“This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”


It is feared the crooks were able to access Liquid’s user database, which contains personal information such as email addresses, names, addresses and “encrypted passwords.” The miscreants may even have been able to exfiltrate people’s proof of identity and address, and pictures, we’re told.

Another GoDaddy customer hit by the fraudsters was crypto-mining outfit NiceHash, which last week said “as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed.” Attempts to take back control of their systems were hampered by an unrelated outage GoDaddy was suffering at the time.

GoDaddy declined to explain exactly how the hijackings occurred, or to share any details on how it will prevent such a thing from happening again. We’re told the changes have been reversed. In a statement to The Register today, a spokesperson for the web giant said:

In March, various websites were briefly vandalized after a GoDaddy customer service rep was spear-phished by a miscreant, and in May, it emerged nearly 30,000 SSH logins were harvested by hackers, said infosec blogger Brian Krebs, who first reported this latest kerfuffle. ®
