GoDaddy, the world's largest domain company, suffered a voice phishing and social engineering attack that tricked its employees into transferring control of at least 6 domains from cryptocurrency companies. 

According to a report recently published by the security company Krebs on Security, GoDaddy, the largest web domain provider in the world, was the victim of a social engineering attack similar to the one Twitter experienced a few months ago.

During the attack, GoDaddy employees were tricked into transferring the domains of several cryptocurrency service companies, among them Liquid.com, a cryptocurrency trading platform, and NiceHash, a company dedicated to cryptocurrency mining. At the time of Krebs on Security's publication, both companies had confirmed the attack, although it is estimated that at least 6 companies were affected by this scam.

At the moment, none of the affected companies, nor those presumed to be affected, have reported the loss of funds, but the attack did allow scammers to access internal email accounts, private documents, and more. According to the security company, this is the second time that GoDaddy employees have been victims of a social engineering and voice phishing attack: in March, after being deceived by the attackers, they transferred control of at least half a dozen domain names. At that time, the trading brokerage site Escrow.com was affected by the attack.


GoDaddy administrator access

Social engineering is a stealthy and very careful attack that allows legitimate employees of a company to be manipulated into giving up confidential information, trusting that the person they interact with is also legitimate. Using this technique, attackers seek to obtain confidential information that allows them to access certain systems to cause damage, as in the case of Twitter a few months ago, where attackers accessed more than 120 accounts to promote a cryptocurrency scam. 

Now, in the attack on GoDaddy, victims confirmed unauthorized changes and access to their platforms, which records show were made from GoDaddy Internet addresses. The domain company confirmed the situation, stating that its security team became aware of the attack and began working to restore services to its customers immediately. 

“Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees… We immediately blocked the accounts involved in this incident, reverted any changes that took place to the accounts, and helped affected customers to regain access to their accounts.” 

GoDaddy spokesperson Dan Race told Krebs on Security that only a small number of customer domains were affected, although he did not confirm how many. Likewise, Race assured that the service interruption that occurred at GoDaddy on November 17 is not related to the social engineering attack on its employees.

Effects of the attack

Although both companies reported the consequences of the incident and assured that there does not seem to be an immediate threat to their clients and users, they recommend a series of additional security measures to protect against possible phishing attacks, which can reach users' email addresses directly, since the attackers may be handling personal information.

Liquid.com, access to confidential data

At Liquid.com, CEO Mike Kayamori published a report to notify clients and users about the effects of the social engineering attack on GoDaddy, detailing that the incident caused a security breach of Liquid.com services. This company handles more than 275 million dollars in daily trading volume.

According to Kayamori, the attacker managed to gain administrator access to the platform, changing DNS records and, in turn, taking control of several internal email accounts. Likewise, the attacker was able to partially compromise Liquid.com's infrastructure and gained access to the storage of confidential documents. He therefore calls on clients to remain alert to suspicious messages that may reach them via email or other means, as the attackers possibly compromised personal data such as email addresses, names, and postal addresses. Likewise, customers' encrypted passwords also appear to have been affected, so it is recommended that all Liquid customers change their password and 2FA credentials as soon as possible.

However, the platform team managed to identify and contain the attack, regaining control over the affected domain and implementing additional security measures to protect customer accounts and assets. 

Kayamori assures that the funds of clients and users are accounted for and remain safe and secure, and that the cryptocurrency wallets, including cold storage wallets and those based on MPC, are also protected and were not compromised during the attack.

NiceHash, without access to its domain

The NiceHash team published a report pointing out that during the attack, a technical failure at GoDaddy, although not related to the attack, prevented it from accessing the NiceHash domain on the platform. Additionally, it discovered that some of the settings for its domain registrations at GoDaddy had been changed without authorization.

Upon realizing the situation, NiceHash decided to freeze all user funds and their wallets, as a security measure to protect its users. At the time of the statement, NiceHash reported that it would keep all activity in the wallets and withdrawals frozen for a period of 24 hours, until the situation is resolved. 

A few hours later, NiceHash assured that the systems were fully operational and online, but that withdrawals would remain suspended for a while until a full internal audit was conducted and all funds were verified to be intact. Unlike Liquid.com, NiceHash claims that no emails, passwords or personal data of users were accessed, but still suggests that users reset their login passwords and activate 2FA security. 

Likewise, the CEO of NiceHash, Matjaz Skorjanc, stated in an email sent to Krebs on Security that the attackers attempted to use their access to NiceHash email to reset passwords on several third-party services, including Slack and GitHub, but that the technical failure GoDaddy presented at the time of the attack prevented them from doing so, due to the lack of communication with the service provider.
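The Liquid.com and NiceHash incidents above both hinged on records being changed at the registrar level (nameservers, and mail routing that then enables third-party password resets). The following added example, which is not code from the article or from either company, shows a defender-side baseline check that flags such drift; the domain names, baseline records and the "current" lookup are constructed, and a real deployment would feed the `current` dict from a resolver rather than a literal.

```python
"""Registrar-level DNS drift check (added example; all values are constructed)."""
from __future__ import annotations

# Constructed baseline for a hypothetical domain, as a defender would commit
# it to version control after configuring the registrar.
BASELINE: dict[str, set[str]] = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"10 mail.example.com."},
    "A": {"203.0.113.10"},
}


def diff_records(baseline: dict[str, set[str]],
                 current: dict[str, set[str]]) -> dict[str, dict[str, set[str]]]:
    """Return, per record type, which values were added and removed versus the baseline.
    A record type missing entirely from `current` is reported as fully removed."""
    findings: dict[str, dict[str, set[str]]] = {}
    for rtype, expected in baseline.items():
        observed = current.get(rtype, set())
        added, removed = observed - expected, expected - observed
        if added or removed:
            findings[rtype] = {"added": added, "removed": removed}
    return findings


def severity(findings: dict[str, dict[str, set[str]]]) -> str:
    """NS or MX drift is the registrar-hijack signature: redirected mail lets an
    attacker complete password resets on third-party services. Drift limited to
    A records is flagged at a lower level, since it may be a routine change."""
    if "NS" in findings or "MX" in findings:
        return "critical"
    return "warning" if findings else "ok"


if __name__ == "__main__":
    # Constructed "current" lookup mimicking an unauthorized registrar change:
    # nameservers and MX now point at hosts the defender never configured.
    changed = {
        "NS": {"ns1.unexpected-host.invalid.", "ns2.unexpected-host.invalid."},
        "MX": {"10 mx.unexpected-host.invalid."},
        "A": {"203.0.113.10"},
    }
    report = diff_records(BASELINE, changed)
    print(severity(report), report)
```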

A worrying increase in these types of attacks

The security company Krebs on Security published a report in August indicating that the current situation caused by the pandemic, which forces many company employees to work remotely from their homes, is allowing these types of attacks to be carried out in greater numbers and with greater success.

Voice phishing attacks begin when the attacker telephones a company employee, impersonating another employee or posing as a new one, to convince the victim that the call comes from the company's IT department and that their help is needed to troubleshoot issues with the company's email or VPN. Once the attacker has convinced the employee that they are speaking with a "legitimate" person, the attacker asks them to hand over their credentials, either over the phone or by entering them on a fake website created by the attacker that perfectly imitates the company's email or VPN portal. If employees must also enter a one-time code, the fake site requests that code too, so as not to raise suspicion.

Hackers seek more direct and aggressive monetization

ZeroFOX's Director of Threat Intelligence, Zack Allen, assures that voice phishing attacks are evolving towards a more direct and aggressive form of monetization, leaving aside the sale of accounts on the darknet. According to the expert, the attackers could be gaining allies within the companies, or constantly practicing their scams to execute more effective attacks, capable of generating thousands of dollars in a few hours. 

On the other hand, the director of research at the New York cyber investigation firm Unit 221B, Allison Nixon, assured that attackers are seeking to gain as much access as possible to a company's tools to take control over digital assets that can quickly be converted into cash. Nixon assures that voice phishing attacks are now primarily targeting social networks, such as Twitter, and email accounts and domains of companies with associated financial instruments, such as bank accounts and cryptocurrencies.

To mitigate the alarming frequency with which these types of attacks are occurring, security experts encourage companies to raise awareness and train their employees about the importance of operational security, and to run simulated attack tests periodically to verify and improve their staff's response and attack detection capacity. Employees who do not pass the tests must undergo additional training to reduce the risk of becoming victims of social engineering.
