Fraudsters Target Cryptocurrency Platforms Through GoDaddy
GoDaddy Employees Reportedly Tricked by Social Engineering Techniques
This story has been updated.
Last week, fraudsters targeted two cryptocurrency platforms by accessing domains managed by GoDaddy, according to notices published by the victimized firms. The domain registrar has previously had issues with unauthorized access.
The fraudsters gained access to the platforms by using social engineering techniques to trick GoDaddy employees into temporarily transferring control over the domains to the malicious actors, a company spokesperson confirms to Information Security Media Group. The attacks affected only a "limited" number of accounts, and the firm is taking steps to address the issue, the spokesperson adds.
"As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks."
Mike Kayamori, CEO of Liquid, a cryptocurrency trading platform, posted a blog Wednesday describing an incident that happened earlier this month involving a company domain managed by GoDaddy.
"On the 13th of November 2020, domain hosting provider 'GoDaddy' that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor," Kayamori says. "This gave the actor the ability to change DNS records and, in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure and gain access to document storage."
NiceHash, a cryptocurrency platform for mining and trading, reported in a blog post that another incident, which also happened on Wednesday, involved a GoDaddy-managed domain that threat actors were able to access for a short time.
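Both notices describe the same chain: a change at the registrar rewrites the domain's DNS records, and redirected mail records then expose internal accounts. A defender can catch that quickly by diffing live records against a trusted baseline. The script below is an added example, not code from GoDaddy, Liquid or NiceHash; the domains, hosts and record sets are constructed placeholders standing in for a real resolver query.

```python
"""Diff a domain's observed DNS records against a trusted baseline so that a
registrar-level change (new nameservers, repointed mail) is caught quickly.
Added example with constructed data: domains and hosts are placeholders."""
from collections import namedtuple

Finding = namedtuple("Finding", "domain rtype change severity detail")

# NS or MX changes hand over the zone or its mail: rate them critical.
CRITICAL_TYPES = {"NS", "MX"}

def detect_dns_drift(baseline, observed):
    """Return one Finding per (domain, record type) whose record set differs.
    Sets are compared, so a reordered answer is not drift."""
    findings = []
    for domain, expected in baseline.items():
        current = observed.get(domain, {})
        for rtype in sorted(set(expected) | set(current)):
            before = set(expected.get(rtype, ()))
            after = set(current.get(rtype, ()))
            if before == after:
                continue
            severity = "critical" if rtype in CRITICAL_TYPES else "high"
            if not before:
                change, detail = "added", f"unexpected {rtype}: {sorted(after)}"
            elif not after:
                change, detail = "removed", f"missing {rtype}: {sorted(before)}"
            else:
                change, detail = "changed", f"{sorted(before)} -> {sorted(after)}"
            findings.append(Finding(domain, rtype, change, severity, detail))
    return findings

# Constructed baseline: what the zone is supposed to look like.
BASELINE = {"exchange.example": {
    "NS": ["ns1.registrar.example", "ns2.registrar.example"],
    "MX": ["mail.exchange.example"],
    "A": ["192.0.2.10"]}}

# Constructed snapshot taken after the registrar account was tampered with:
# mail is repointed and a new SPF record appears; NS is merely reordered.
TAMPERED = {"exchange.example": {
    "NS": ["ns2.registrar.example", "ns1.registrar.example"],
    "MX": ["mx.unrecognized.example"],
    "A": ["192.0.2.10"],
    "TXT": ["v=spf1 include:unrecognized.example -all"]}}

if __name__ == "__main__":
    for f in detect_dns_drift(BASELINE, TAMPERED):
        print(f"[{f.severity.upper()}] {f.domain} {f.rtype} {f.change}: {f.detail}")
```

Running the check on a schedule and alerting on any critical finding gives the domain owner a signal independent of the registrar's own account notifications, which is the layer that failed in the incidents above.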
The GoDaddy spokesperson says that the company experienced a technical issue earlier this week that caused an outage. During an audit, the company found that fraudsters had gained access to a "limited" number of domains and accounts.
We are aware of an issue with logging into our workspace email at this time and are working as quickly as we can to resolve it. We appreciate your patience and apologize for any inconvenience this is causing. You can monitor the status of this issue at https://t.co/h5rF8OzbvG.
— GoDaddy Help (@GoDaddyHelp) November 11, 2020
"Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information," the GoDaddy spokesperson says. "Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees."
Security blogger Brian Krebs first reported on the incident on Saturday.
Notifications Offer Details
Kayamori of Liquid says in his blog that the threat actors were able to gain access to the company's internal infrastructure, including files and data, but customers' cryptocurrency holdings and wallets were not affected.
"Having contained the attack, reasserted control of the domain and performed a comprehensive review of our infrastructure, we can confirm client funds are accounted for, and remain safe and secure," Kayamori says. "[Multiparty computation]-based and cold storage crypto wallets are secured and were not compromised."
Although cryptocurrency wallets were not affected, Kayamori notes that some data, including names, email and physical addresses, and encrypted passwords, may have been compromised. The company is urging its customers to reset passwords and apply two-factor authentication to their accounts.
NiceHash said in its notification: "The domain registrar GoDaddy had technical issues, and as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed. To secure all users' funds, we have immediately frozen all wallet activity."
The NiceHash notification says the company is undergoing an internal audit but does not believe any data or other information has been compromised. The firm is also urging its customers to reset passwords and apply two-factor authentication.
Avivah Litan, a vice president and distinguished analyst at Gartner Research, says cryptocurrency firms are susceptible to these types of attacks because the anonymous aspects of virtual currency make it more difficult for law enforcement agencies to track transactions. Platforms such as GoDaddy should rethink their approaches to providing security to these types of exchanges, she adds.
"Domain registrars like GoDaddy provide critical infrastructure for the internet, and as such must take great care to protect their operations and customers," Litan says. "Security controls like user and entity behavior analytics around all activity, time-limiting restrictive access for privileged users that are heavily monitored, hardware-based authentication and more must be utilized."
James Wester, a cryptocurrency specialist at the research firm IDC, noted that while virtual currencies, such as bitcoin, are fairly secure, it's usually third-party trading platforms that leave the owners of cryptocurrency open to these types of risks.
"More individual owners of cryptocurrencies are relying on third parties and exchanges to be the custodians of their holdings," Wester says. "That may make it more convenient or easier, but it also introduces more people into the equation. And if people are the weakest link in security, then using third parties introduces more weak links who can be exploited."
Earlier GoDaddy Incidents
In March, a GoDaddy employee was targeted with a spear-phishing attack, which resulted in hackers gaining access to some customer records and allowed the hackers to change DNS settings of some hosted sites, including Escrow.com, according to Krebs.
In a separate incident, GoDaddy in May confirmed that a data breach had affected about 28,000 of its customers' web hosting accounts. The security incident happened in October 2019, but it wasn't discovered until April. The company noted that an unauthorized person gained access to its network and accessed and altered an SSH file (see: GoDaddy Confirms Breach Affecting 28,000 Accounts: Report).
The GoDaddy spokesperson tells ISMG that the recent issues affecting the cryptocurrency platforms are not related to the previous two incidents.