GoDaddy Employees Tricked into Compromising Cryptocurrency Sites

data breach

‘Vishing’ attack on GoDaddy employees gave fraudsters access to cryptocurrency service domains NiceHash, Liquid.

A recent social-engineering “vishing” attack on domain registrar GoDaddy temporarily handed over control of cryptocurrency service sites NiceHash and Liquid to fraudsters, exposing personal information of users.

Vishing is a phishing scam that uses voice interactions over the phone to gain trust with victims and fool them into handing over their credentials. Both sites, as well as GoDaddy itself, have since recovered from the compromise.

On Nov. 18, Liquid’s CEO Mike Kayamori announced the breach to its systems.

“On the 13th of November 2020, a domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Kayamori’s statement said. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

The statement went on to explain Liquid was able to regain control of the domain and confirm that all of its clients’ funds were still accounted for. However, the company said the malicious actor was able to access customer emails, names, addresses and encrypted passwords.

“We are continuing to investigate whether the malicious actor also obtained access to personal documents provided for KYC such as ID, selfie and proof of address, and will provide an update once the investigation has concluded,” Liquid’s statement said.

Similarly, NiceHash announced that during the early hours of Nov. 18 its site went down because “domain registrar GoDaddy had technical issues and as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed.”

Unlike Liquid, NiceHash said that it does not appear any customer data was compromised and suggested enabling two-factor authentication to boost security protections.

Liquid and NiceHash did not immediately respond to Threatpost’s request for comment.

GoDaddy Under Fire

GoDaddy spokesman Dan Race confirmed the breach in an emailed statement to Threatpost.com.

“A routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” the statement read. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.”

In what the company said is simply a coincidence, on Nov. 17, GoDaddy also experienced a systemwide outage, including its home site. The company however said that outage was a result of “an error encountered during planned network maintenance,” Domain Name Wire reported.

Security researcher Brian Krebs reported that he was able to use Fairsight Security to find domain name changes across GoDaddy over the past week and that he found similar cryptocurrency sites Bibox, Clecius.network and Wirex.app might have also been targeted. he added that none of those companies has said anything about a possible breach.

GoDaddy has been struggling over the past year with vishing and other attacks. In March, a GoDaddy customer service employee was fooled into giving malicious actors access to domain settings for several customers, Krebs on Security reported, adding that the domain registrar also disclosed in May, 28,000 customer accounts were compromised in Oct. 2019, although it wasn’t discovered until April 2020.

GoDaddy’s Race told Threatpost the domain takeovers of Liquid and NiceHash are unrelated to either the Nov. 17 systemwide outage or any of the previous breaches.

How Vishing Works

Vishing attacks have been an increasing threat since the pandemic sent workers home to access data through corporate virtual private networks, according to an August joint statement from the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). It explained attackers were observed ramping up vishing techniques starting in July.

In a typical vishing attempt, a scammer will first scrape public profiles of targeted employees to assemble an arsenal of personal information, then they start making calls.

Threat actors will call their targets, posing as the company’s IT department, and use the gathered dossier of information to gain the victim’s trust. Then, the unwitting employee is sent a spoofed VPN page, asking them to enter their credentials. Once they’ve been entered the scammers have real-time access to corporate accounts.

“In some cases, unsuspecting employees approved the 2FA or one-time-password (OTP) prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator,” the alert said. “In other cases, attackers have used a SIM-swap attack on the employees to bypass 2FA and OTP authentication. The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed.”

The alert recommended restricting VPN connections, employ domain monitoring, monitor authorized user access and improve employee communications and messaging around 2FA and OTP.

Mitigating Vishing Attacks

“We and our gullibility remain the weakest link,” Setu Kulkarni, vice president of strategy at WhiteHat security told Threatpost. “While we can do all we need to secure the digital chain of custody (identity, endpoint, device and data) just a mere phone call with scant information and a trust-invoking voice can breach the most secure systems. What’s more worrisome is that once the adversaries get login information to the domain registrar’s console, they are able to make changes to the domain settings. This is a combination of gullibility and inadequate controls.”

Adequate controls, according to director of security solutions at Lookout Chris Hazelton, must include a strategy to protect employee mobile devices with modern endpoint protection, he told Threatpost.

But fundamentally, combating social engineering attacks starts with employee training and diligence at all levels of the organization.

“Everyone (literally EVERYONE) is susceptible to social engineering – even employees at technology companies, and even technically skilled employees.,” MediaPro chief strategy officer Lisa Plaggemier told Threatpost. “It’s really about teaching employees to have healthy skepticism, and making that culturally acceptable, even encourage, in your organization.  With all the emphasis on speed and getting things done, employees often get the message that there isn’t time to slow down just enough to make sure the person calling you really is who they say they are, or that the email or text really is coming from the person you think it is.”

 

 

Suggested articles