This week, GoDaddy.com suffered a phishing attack that enabled the phishers to view and modify customer details and change domain settings for half a dozen GoDaddy clients, including the transaction-brokering site escrow.com.
Elliot Silver, a cybersecurity researcher at DomainInvesting.com, told KrebsOnSecurity that for almost two hours Escrow.com’s homepage was replaced with the following message:
He then contacted Matt Barrie, the CEO of freelancer.com, which owns escrow.com, following which Escrow.com published a statement on their website. As per the statement, a hacker gained access to Escrow.com at 5:07pm PST on 30 March through a breach in their domain registrar’s (godaddy.com) system. They contacted GoDaddy and regained control of their DNS by approximately 7:00pm PST on the same day.
"During the incident, our security team managed to talk to the hacker on the phone. For over an hour the hacker attempted to convince what he thought were domain registry operations to regain access to the account.
"During this phone call, our security team learned that the route of entry was that the hacker had unlawfully accessed our registrar’s internal support systems and was using them to make changes on Escrow.com’s account. Over the coming days, we will be discussing the experience publicly to educate the wider community on these hacking and social engineering techniques.
"We wish to thank the domain registrar for their speed and coordination with us in resolving this matter," the firm said. Escrow.com added that despite the intrusion, no Escrow.com systems were compromised, no customer data was accessed, no accounts holding customer domains were compromised, and no customer funds were accessed or at risk.
Chris Ueland, CEO of SecurityTrails, told KrebsOnSecurity that the DNS records for Escrow.com pointed to an IP address (188.8.131.52) in Malaysia. After performing a reverse DNS search on that IP address, Krebs found that it was linked to fewer than a dozen domains, one of which invoked the name of Escrow.com’s registrar: servicenow-godaddy.com.
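The two defender-side checks implied by this paragraph are (1) noticing that a domain's records no longer match the baseline, and (2) spotting that a name in the reverse-DNS neighbourhood of the new address borrows a registrar's brand. The script below is an added example, not code from the article, KrebsOnSecurity or SecurityTrails; it works on constructed snapshots rather than live lookups (the baseline address 203.0.113.10, the nameserver names and the domain name `escrow.example` are invented; 188.8.131.52 and servicenow-godaddy.com are the values quoted in the article). The registrable-domain logic assumes two-label suffixes only, which is a simplification.

```python
import ipaddress

# Brand tokens and the registrable domains that may legitimately carry them.
# Assumption for this example: "godaddy" belongs only under godaddy.com.
BRAND_TOKENS = {"godaddy": {"godaddy.com"}}


def registrable_domain(hostname):
    """Approximate eTLD+1 as the last two labels.
    Assumption: no multi-label public suffixes such as co.uk are involved."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def is_brand_lookalike(hostname, brand_tokens=BRAND_TOKENS):
    """True when a brand token appears in the name but the registrable domain is
    not one the brand owns, e.g. servicenow-godaddy.com (but not sso.godaddy.com)."""
    host = hostname.lower()
    reg = registrable_domain(host)
    for token, owned in brand_tokens.items():
        if token in host and reg not in owned:
            return True
    return False


def record_drift(expected, observed):
    """Compare two snapshots of the form {rtype: set(values)}.
    Returns {rtype: (added, removed)} for record types whose values changed."""
    drift = {}
    for rtype in sorted(set(expected) | set(observed)):
        exp = {v.lower() for v in expected.get(rtype, set())}
        obs = {v.lower() for v in observed.get(rtype, set())}
        if exp != obs:
            drift[rtype] = (obs - exp, exp - obs)
    return drift


def assess(domain, expected, observed, ptr_names):
    """Return human-readable findings for one monitored domain: record drift,
    malformed A values, and brand-lookalike names seen near the new address."""
    findings = []
    for rtype, (added, removed) in record_drift(expected, observed).items():
        findings.append(
            f"{domain}: {rtype} changed; added={sorted(added)} removed={sorted(removed)}"
        )
    for value in observed.get("A", set()):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{domain}: A record value {value!r} is not an IP address")
    for name in ptr_names:
        if is_brand_lookalike(name):
            findings.append(f"{domain}: reverse-DNS neighbour {name} impersonates a brand")
    return findings


# Constructed sample data standing in for a stored baseline and a fresh lookup.
EXPECTED = {
    "A": {"203.0.113.10"},
    "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
}
OBSERVED = {
    "A": {"188.8.131.52"},                      # address quoted in the article
    "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
}
# Names that a reverse-DNS search of the observed address might return (constructed
# list; servicenow-godaddy.com is the name quoted in the article).
PTR_NAMES = ["servicenow-godaddy.com", "mail.example.org"]

if __name__ == "__main__":
    for line in assess("escrow.example", EXPECTED, OBSERVED, PTR_NAMES):
        print(line)
```

In production the `observed` snapshot would come from a resolver query run on a schedule from more than one vantage point, and the baseline would be signed off when records are deliberately changed; the point of the example is that registrar-side changes like the one described here are invisible to the domain owner's own systems, so an external record-drift check is the detection that actually fires.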
Hackers phished Godaddy employee to access domain settings of half a dozen customers
KrebsOnSecurity reached out to GoDaddy, who confirmed that a security incident took place on 30 March involving a customer’s domain name. Their investigation revealed that an employee had been victimised by a phishing attack and that five other customer accounts were “potentially” affected.
“Our team investigated and found an internal employee account triggered the change. We conducted a thorough audit on that employee account and confirmed there were five other customer accounts potentially impacted.
“We immediately locked down the impacted accounts involved in this incident to prevent further changes. Any actions done by the threat actor have been reverted and the impacted customers have been notified. The employee involved in this incident fell victim to a spear-phishing or social engineering attack. We have taken steps across our technology, processes and employee education, to help prevent these types of attacks in the future,” GoDaddy said.
Commenting on the phishing attack, Javvad Malik, Security Awareness Advocate at KnowBe4 told TEISS that "the attackers behind this incident were quite blasé about their intentions and methods and wanted to showcase what they had achieved. Had they been more subtle, they could have caused far more damage.
“But the real story here is that there wasn't a technical issue that led to the breach, but rather a spear-phishing attack. It is why social engineering as a whole remains the most popular attack method because of the high return on investment and success rate.
“It is important that organisations of all sizes and across all verticals provide effective and timely security awareness and training to employees. This includes regular use of simulated phishing to get employees used to spotting them and being able to report them to IT for further investigation and response,” he added.