In December last year, workers at hundreds of schools, universities, hospitals, media houses, subway stations, and community centres in the United States and Canada were forced to evacuate their premises and call law enforcement authorities after they received emails warning that bombs had been planted in their buildings.
The emails came from suspected criminals who asked all these organisations to pay $20,000 in bitcoin or else they would detonate bombs planted in their premises. A majority of these organisations are located in U.S. and Canadian states and cities such as New York, Massachusetts, Florida, Louisiana, Pennsylvania, California, Toronto, Nebraska, Mississippi, Utah, Michigan, Georgia, and North Carolina.
An in-depth investigation into the massive spam campaign that spread panic among U.S. and Canada-based organisations has revealed that the criminals used 78 domains owned by the likes of Expedia, Mozilla, Yelp and other organisations to send spam emails to dozens of organisations. What all these domains had in common was that they were initially registered with the domain registrar GoDaddy and received domain-resolution service from it.
Spammers exploited a flaw in GoDaddy's DNS setup process
According to well-known anti-spam researcher Ron Guilmette, criminal spammers used over 4,000 domains to target organisations with malicious emails, threatening to bomb them if a ransom wasn't paid. These domains were initially registered with GoDaddy and, even though most of their registrations were renewed every year, they were still linked to the DNS servers GoDaddy had assigned to them at the time of registration.
"When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain," explains KrebsOnSecurity.
The spammers who carried out the malicious email campaign in December took advantage of a crucial authentication vulnerability in GoDaddy's domain registration process. The vulnerability arises from the fact that GoDaddy allowed anyone to add a domain to their account without verifying that the requester actually owned the domain.
So all the spammers had to do was create a free GoDaddy account that was assigned the same pair of DNS servers as a dormant domain belonging to someone else. Once such an account existed, they claimed the domain in it and asked GoDaddy to allow email for that domain to be sent from an Internet address they controlled.
This way, the spammers gained control over 4,000 domains and then sent hundreds of threatening emails to organisations using those domains.
"After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process. We’ve identified a fix and are taking corrective action immediately. While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed," said GoDaddy when contacted by KrebsOnSecurity.
DNS providers can prevent such spam campaigns
According to Guilmette, the hijacking of domains in this manner can be curbed if DNS providers add an extra layer of validation to DNS change requests, checking whether the DNS servers named in a request have already been assigned to that domain.
"As long as they’re different, that ruins this attack for the spammers. The spammers want the DNS servers to be the same ones that were already there when the domain was first set up, because without that they can’t pull off this hack. All GoDaddy has to do is see if this particularly odd set of circumstances applies in each request," he said.
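The two defensive checks the article describes, the registrar-side validation Guilmette proposes and the audit a domain owner can run over its own inventory, as an added example that is not code from the article, from GoDaddy or from Guilmette. The owner-side check asks each delegated nameserver whether it actually serves a zone for the domain (in practice an SOA query); here those responses, the registrar pool hostnames, the account ids and the domain names are all constructed placeholders so the code runs offline.

```python
"""Defensive checks for dangling registrar-pool delegations (added example).

1. Owner side: flag inventory domains whose delegation still points at the
   registrar's shared nameserver pool while none of those servers serves a
   zone for the domain (the dormant state the spammers looked for).
2. Registrar side: refuse a request to add DNS entries for a domain from an
   account that does not hold the registration, and call out the specific
   pattern where the requester's assigned nameservers are exactly the ones
   already delegated for the domain.
All hostnames, account ids and probe results below are constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for a registrar's default nameserver pool.
REGISTRAR_POOL = frozenset({"ns01.pool.registrar.example",
                            "ns02.pool.registrar.example"})


@dataclass(frozen=True)
class DomainRecord:
    name: str
    owner_account: str       # account that holds the registration
    delegated_ns: frozenset  # NS set currently published at the parent zone


@dataclass(frozen=True)
class DnsEntryRequest:
    requester_account: str
    domain: str
    requester_ns: frozenset  # NS pair the requester's account was assigned


# Constructed SOA-probe results keyed by (nameserver, domain): True means the
# server answered authoritatively, False means REFUSED / no zone configured.
SOA_RESPONSES = {
    ("ns01.pool.registrar.example", "brand-a.example"): False,
    ("ns02.pool.registrar.example", "brand-a.example"): False,
    ("ns01.pool.registrar.example", "brand-c.example"): True,
    ("ns02.pool.registrar.example", "brand-c.example"): True,
    ("ns1.brand-b.example", "brand-b.example"): True,
    ("ns2.brand-b.example", "brand-b.example"): True,
}


def probe_soa(nameserver, domain):
    """Stand-in for a live SOA query; unknown pairs count as unanswered."""
    return SOA_RESPONSES.get((nameserver, domain), False)


def is_dangling(rec):
    """Delegation points into the registrar pool and no delegated server serves the zone."""
    in_pool = bool(rec.delegated_ns & REGISTRAR_POOL)
    served = any(probe_soa(ns, rec.name) for ns in rec.delegated_ns)
    return in_pool and not served


def audit_inventory(records):
    """Owner-side check: names of domains a non-owner could claim at the registrar."""
    return sorted(r.name for r in records if is_dangling(r))


def build_registry(records):
    return {r.name: r for r in records}


def evaluate_request(req, registry):
    """Registrar-side check: only the registration holder may add DNS entries."""
    rec = registry.get(req.domain)
    if rec is None:
        return "reject", "domain is not registered here"
    if rec.owner_account == req.requester_account:
        return "allow", "requester holds the registration"
    if rec.delegated_ns == req.requester_ns:
        # The exact circumstance the spammers relied on: same pool servers,
        # different account. Worth alerting on, not just refusing.
        return "reject", "non-owner account shares the domain's delegated nameservers"
    return "reject", "requester does not hold the registration"


# Constructed inventory: brand-a is dormant on the pool, brand-b self-hosts,
# brand-c is on the pool but still has its zone configured.
SAMPLE_INVENTORY = [
    DomainRecord("brand-a.example", "acct-100", REGISTRAR_POOL),
    DomainRecord("brand-b.example", "acct-200",
                 frozenset({"ns1.brand-b.example", "ns2.brand-b.example"})),
    DomainRecord("brand-c.example", "acct-300", REGISTRAR_POOL),
]

if __name__ == "__main__":
    print("dangling delegations:", audit_inventory(SAMPLE_INVENTORY))
    registry = build_registry(SAMPLE_INVENTORY)
    attempt = DnsEntryRequest("acct-999", "brand-a.example", REGISTRAR_POOL)
    print("non-owner request:", evaluate_request(attempt, registry))
```

In the owner-side audit, brand-c is not flagged even though it sits on the registrar pool, because its zone is still served there; that distinction keeps the report focused on the dormant domains the article is about. On the registrar side the owner check alone already blocks the takeover; the extra nameserver comparison exists so that the suspicious pattern Guilmette describes can be logged and alerted on rather than silently rejected.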
Commenting on the spam campaign carried out by criminals by leveraging the authentication vulnerability in GoDaddy's DNS setup process, Broderick Perelli-Harris, senior director, professional services at Venafi said that this is yet another indication that hackers are abusing the machine identity system to carry out attacks. Machine identities are foundational to trust in the digital world and hackers are using that to appear trustworthy to unsuspecting users.
"GoDaddy is certainly at fault but the organisations victimised in this hijack should be asking themselves why they failed to protect the machine identities on their domain servers which allowed hackers to misuse them like this. By letting their subscription to GoDaddy expire without updating the domain name servers, they granted easy access to anyone who noticed it.
"Nor are they alone – Guilmette estimates over half a million websites are vulnerable. Poor machine identity protection is rife and until firms get control over all of the identities on their network, these kinds of attacks will only become more frequent," he added.