Earlier this month, cybercriminals targeted GoDaddy customers to modify the DNS settings of at least two cryptocurrency websites, namely NiceHash and Liquid. There are reports that other cryptocurrency platforms Bibox.com, Celsius.network, and Wirex.app were also targeted by the same hacking group.
The attackers tricked GoDaddy employees into handing over access to customer accounts, and the incident could have affected many more of the company's customers beyond the cryptocurrency services mentioned above.
Both affected services released statements on November 18th saying that the attackers gained control of their GoDaddy accounts by tricking GoDaddy employees and then used that access to breach internal systems.
According to an announcement from Liquid's CEO, Mike Kayamori, addressed to crypto traders, Liquid was attacked on November 13th: the attacker changed the company's DNS records and took over several internal email accounts in order to compromise its infrastructure.
The threat actor even managed to access the trading platform's document storage after obtaining control of the account held with its domain registrar, GoDaddy.com.
“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor.”
Kayamori stated that immediately after detecting the attack, Liquid took the necessary steps to contain it, including reasserting control of the domain and reviewing its infrastructure.
Furthermore, they implemented plans to mitigate the risk to customer accounts and prevent future attacks.
“We can confirm client funds are accounted for, and remain safe and secure. MPC-based and cold storage crypto wallets are secured and were not compromised,” Kayamori noted.
The other affected crypto service NiceHash stated that the service outage on November 18th resulted from the same issue with GoDaddy. The attackers gained unauthorized access to their domain settings and changed the DNS records for NiceHash.com.
“In the early morning (UTC) hours of November 18, 2020, the NiceHash domain was not reachable. The domain registrar GoDaddy had technical issues, and as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed.”
NiceHash froze all wallet activity for 24 hours and resumed services only after confirming that funds were safe; withdrawals, however, remained suspended pending the results of an internal audit of the incident.
The company confirmed that there is no evidence the attackers accessed personal data, emails, or passwords; nevertheless, it recommends that users reset their passwords and enable 2FA.
According to GoDaddy, a small number of customers were impacted by this incident. The company did not share any information on how the threat actors were able to target its employees.
Brian Krebs of KrebsOnSecurity assessed the incident and found that the attackers used social engineering to trick GoDaddy employees into transferring access to certain accounts. Krebs also found that the contact emails on almost all of the targeted accounts had been changed to addresses at privateemail.com.
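As an added defensive example (not code from the article or from any company named in it), a baseline-drift check in Python that flags the kind of changes a registrar-level account takeover leaves behind: nameserver, apex A and MX records, plus a registrant contact email moved to a domain the organisation does not control. The domain names, addresses and records below are constructed sample data.

```python
"""Baseline-drift check for registrar-level DNS hijacks (added example, not from the article).

A registrar account takeover shows up as changes the domain owner never made: new
nameservers, a new apex A record, a new MX, or a registrant contact email moved to a
mailbox outside the organisation. Snapshots here are constructed sample data; in
practice the observed one comes from a resolver query plus an RDAP/WHOIS lookup.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainSnapshot:
    ns: frozenset           # authoritative nameserver hostnames
    a: frozenset            # apex A records
    mx: frozenset           # mail exchanger hostnames
    registrant_email: str   # contact email on file with the registrar

def detect_drift(baseline, observed, trusted_email_domains):
    """Return one alert string per record set or contact that differs from the baseline."""
    alerts = []
    for rr in ("ns", "a", "mx"):
        before, after = getattr(baseline, rr), getattr(observed, rr)
        added, removed = after - before, before - after
        if added or removed:
            alerts.append(f"{rr.upper()} changed: added {sorted(added)}, removed {sorted(removed)}")
    if observed.registrant_email.lower() != baseline.registrant_email.lower():
        # A contact email moved to a domain the organisation does not control is the
        # strongest single signal that the registrar account itself was taken over.
        new_domain = observed.registrant_email.rsplit("@", 1)[-1].lower()
        severity = "HIGH" if new_domain not in trusted_email_domains else "MEDIUM"
        alerts.append(f"[{severity}] registrant email changed: "
                      f"{baseline.registrant_email} -> {observed.registrant_email}")
    return alerts

# Constructed sample data using reserved example names only.
BASELINE = DomainSnapshot(ns=frozenset({"ns1.example-dns.test", "ns2.example-dns.test"}),
                          a=frozenset({"203.0.113.10"}), mx=frozenset({"mail.example.test"}),
                          registrant_email="ops@example.test")
# What the same domain might look like after an attacker repointed it.
OBSERVED = DomainSnapshot(ns=frozenset({"ns1.rogue-dns.invalid", "ns2.rogue-dns.invalid"}),
                          a=frozenset({"198.51.100.7"}), mx=frozenset({"mail.example.test"}),
                          registrant_email="new-owner@freemail.invalid")

def run_check(trusted_email_domains=frozenset({"example.test"})):
    return detect_drift(BASELINE, OBSERVED, trusted_email_domains)

for line in run_check():
    print(line)
```

Running the snapshot comparison on a schedule and alerting on any non-empty result gives early warning of the DNS repointing described above, independent of anything the registrar itself notices.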
GoDaddy and its easy-to-trick employees
This is not the first time GoDaddy employees have been tricked into giving sensitive information to cybercriminals. In April this year, a GoDaddy employee fell victim to a spear-phishing attack that compromised their company account.
This allowed the attacker to access certain customer records, enabling wide-scale manipulation of the settings for the domain names held within those accounts. One of the major victims of that incident was the internet escrow company Escrow.com, whose homepage was defaced in the attack.