Cybercriminals were able to change the DNS settings of some cryptocurrency websites after tricking GoDaddy employees into providing them with access to customer accounts. On November 18, both services announced that threat actors were able to breach their internal systems after GoDaddy incorrectly handed over control of their accounts.
Using social engineering tricks, the hackers were able to change the DNS settings of their victims' domain names, redirecting connections and mail to their own servers. GoDaddy, the world's biggest domain-name registrar, confirmed "a small number of customer domains and/or account information" were altered after "a limited number of GoDaddy employees" were duped.
A recent social-engineering "Vishing" attack on domain registrar GoDaddy temporarily handed over control of cryptocurrency service sites NiceHash and Liquid to fraudsters, exposing personal information of users. "A routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information," the statement read. "Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees."
The attacks were facilitated by scams targeting employees at GoDaddy, the world's largest domain name registrar, KrebsOnSecurity has learned. The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters.
Web hosting provider and domain registrar GoDaddy was hit by a data breach that compromised the account credentials of around 28,000 customers. "On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers' credentials or modified any customer hosting accounts. The individual did not have access to customers' main GoDaddy accounts."
Hosting biz GoDaddy has admitted a hacker tampered with an SSH file on its servers, leading to the theft of 28,000 users' SSH credentials. The intrusion, which took place last month, involved one or more malicious persons "Alter" an SSH file on GoDaddy's infrastructure, the US giant told The Register.
UPDATE. GoDaddy, the world's largest domain name registrar, is warning customers that attackers may have obtained their web hosting account credentials. The company said that the breach only affected hosting accounts, not general GoDaddy.com customer accounts, and that no customer data in the main accounts was accessed.
We need to inform you of a security incident impacting your GoDaddy web hosting account credentials. The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account.
GoDaddy has been notifying customers of a data breach that may have resulted in their web hosting account credentials getting compromised. "We need to inform you of a security incident impacting your GoDaddy web hosting account credentials," the accompanying customer notification letter reads.
The incident gave the phisher the ability to view and modify key customer records, access that was used to change domain settings for a half-dozen GoDaddy customers, including transaction brokering site escrow.com. In a statement shared with KrebsOnSecurity, GoDaddy acknowledged that on March 30 the company was alerted to a security incident involving a customer's domain name.