GoDaddy employees used in attacks on multiple cryptocurrency services – Krebs on Security

Fraudsters have redirected emails and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.

The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control of targeted domains to scammers. In March, a voice phishing scam targeting GoDaddy support workers allowed attackers to gain control of at least half a dozen domain names, including the escrow.com transaction brokerage site.

And in May of this year, GoDaddy revealed that 28,000 of its customers’ web hosting accounts had been compromised following a security incident in October 2019 that was not discovered until April 2020.

This latest campaign appears to have started on or around November 13, with an attack on the cryptocurrency trading platform liquid.com.

“A ‘GoDaddy’ domain hosting provider that manages one of our major domain names has falsely transferred account and domain control to a malicious actor,” Mike Kayamori, CEO of Liquid, said in a blog post. “This gave the actor the ability to change DNS records and, in turn, take control of a number of internal email accounts. In due time, the malicious actor was able to partially compromise our infrastructure and gain access to document storage.”

In the early morning hours of November 18, Central European Time (CET), cryptocurrency mining service NiceHash discovered that some of the settings in its domain registration records at GoDaddy had been changed without permission, briefly redirecting email and web traffic for the site. NiceHash froze all customer funds for approximately 24 hours until it could verify that its domain settings had been restored to their original settings.

“At the moment, it appears that no email, password or personal data has been accessed, but we suggest you reset your password and enable 2FA security,” the company wrote in a blog post.

NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an internet address at GoDaddy, and that the attackers attempted to use their access to incoming NiceHash emails to perform password resets on various third-party services, including Slack and GitHub. But he said GoDaddy was impossible to reach at the time because it was experiencing a widespread system outage in which its phone and email systems were not responding.

“We detected it almost immediately [and] started to tone down [the] attack,” Skorjanc said in an email to this author. “Fortunately, we fought them well and they didn’t have access to any important service. Nothing was stolen.”

Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform operated by Namecheap Inc., another large domain name registrar. Using Farsight Security, a service that maps changes to domain name registrations over time, KrebsOnSecurity asked the service to show all domains registered with GoDaddy that had undergone changes to their email records in the past week that pointed them to privateemail.com. These results were then indexed against the 1 million most popular websites according to Alexa.com.

The result shows that several other cryptocurrency platforms may also have been targeted by the same group, including Bibox.com, Celsius.network, and Wirex.app. None of these companies responded to requests for comment.
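The pivot described above (registrar, recent change to email records, new mail host at privateemail.com, cross-check against a popularity list) can be expressed as a small filter. This is an added example, not code from the article or from Farsight Security; the record layout, the `.example` domains and all function names are assumptions, and the sample observations are constructed.

```python
from datetime import datetime

# Constructed sample of MX-change observations:
# (domain, registrar, date seen, previous MX host, new MX host)
OBSERVATIONS = [
    ("exchange-a.example", "GoDaddy", "2020-11-18", "aspmx.l.google.com", "mx1.privateemail.com"),
    ("shop-b.example", "GoDaddy", "2020-11-17", "mx1.privateemail.com", "mx2.privateemail.com"),
    ("wallet-c.example", "OtherRegistrar", "2020-11-18", "mail.wallet-c.example", "mx1.privateemail.com"),
    ("miner-d.example", "GoDaddy", "2020-11-02", "mail.miner-d.example", "mx1.privateemail.com"),
    ("blog-e.example", "GoDaddy", "2020-11-19", "mail.blog-e.example", "mx2.privateemail.com"),
    ("pool-f.example", "GoDaddy", "2020-11-17", "mail.pool-f.example", "MX1.PrivateEmail.com."),
]
# Constructed stand-in for a top-sites ranking list.
POPULAR = {"exchange-a.example", "shop-b.example", "wallet-c.example",
           "miner-d.example", "pool-f.example"}


def provider(mx_host):
    """Reduce an MX hostname to its last two labels, lowercased.

    Naive on purpose: it ignores multi-label public suffixes such as co.uk.
    """
    return ".".join(mx_host.rstrip(".").lower().split(".")[-2:])


def suspicious_mx_changes(observations, registrar, watch_provider, since, popular):
    """Return popular domains at `registrar` whose MX newly points at `watch_provider`."""
    hits = []
    for domain, reg, seen, old_mx, new_mx in observations:
        if reg != registrar:
            continue
        if datetime.strptime(seen, "%Y-%m-%d") < since:
            continue  # outside the review window
        if provider(new_mx) != watch_provider:
            continue
        if provider(old_mx) == watch_provider:
            continue  # already hosted there, so not a redirection
        if domain in popular:
            hits.append((domain, seen, old_mx, new_mx))
    return sorted(hits)


def run_example():
    since = datetime(2020, 11, 14)  # one week before the article's date
    hits = suspicious_mx_changes(OBSERVATIONS, "GoDaddy", "privateemail.com", since, POPULAR)
    return [h[0] for h in hits]


if __name__ == "__main__":
    print(run_example())
```

A domain owner can run the same filter against their own zones with `popular` set to the domains they control, which turns it into the domain monitoring the FBI/CISA advisory recommends.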

In response to questions from KrebsOnSecurity, GoDaddy acknowledged that a “small number” of customer domain names were changed after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on November 17 was not related to a security incident, but rather a technical issue that materialized during scheduled network maintenance.

“Separately and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and / or account information,” GoDaddy spokesperson Dan Race said. “Our security team has investigated and confirmed the activity of threat actors, including the social engineering of a limited number of GoDaddy employees.

“We immediately locked down the accounts involved in this incident, rolled back all changes to the accounts and helped affected customers regain access to their accounts,” the GoDaddy statement continued. “As threat actors become more sophisticated and aggressive in their attacks, we are constantly educating employees on new tactics that could be used against them and adopting new security measures to prevent future attacks.”

Race declined to comment on how its employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, attackers targeted employees over the phone and were able to read internal notes that GoDaddy employees left on customer accounts.

Additionally, the attack on escrow.com redirected the site to an internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing website servicenow-godaddy.com. This suggests that the attackers behind the March incident, and possibly this latest one, were successful in calling GoDaddy employees and convincing them to use their employee credentials on a fraudulent GoDaddy login page.

In August 2020, KrebsOnSecurity warned of a marked increase in the number of large companies targeted in sophisticated voice phishing or “vishing” scams. Experts say the success of these scams has been greatly facilitated by many employees working remotely thanks to the ongoing coronavirus pandemic.

A typical vishing scam begins with a series of phone calls to employees working remotely in a targeted organization. Phishers often explain that they are calling from the employer’s IT department to help resolve issues with the company’s email or virtual private network (VPN) technology.

The goal is to convince the target to divulge their credentials over the phone or enter them manually on a website set up by the attackers that mimics corporate email or the organization’s VPN portal.

On July 15, a number of high-profile Twitter accounts were used to tweet about a Bitcoin scam that grossed over $100,000 in a matter of hours. According to Twitter, this attack was successful because the perpetrators were able to trick several Twitter employees over the phone into giving access to internal Twitter tools.

An alert issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says that the perpetrators of these vishing attacks are compiling dossiers on employees at their targeted companies using mass scraping of public profiles on social media platforms, recruiting and marketing tools, publicly available background check services, and open source research.

The FBI / CISA advisory includes a number of suggestions companies can implement to help mitigate the threat of vishing attacks, including:

Restrict VPN connections to managed devices only, using mechanisms such as hardware checks or installed certificates, so that user input alone is not enough to access the corporate VPN.

Limit VPN access hours, if applicable, to limit access outside of authorized hours.

Use domain monitoring to track the creation of, or changes to, corporate brand-name domains.

Actively scan and monitor web applications for unauthorized access, changes, and abnormal activity.

Employ the principle of least privilege and implement software restriction policies or other controls; monitor the access and use of authorized users.

Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network, where a second factor is used to authenticate the phone call before sensitive information can be discussed.

Improve 2FA and OTP messaging to reduce confusion over employee authentication attempts.

Check that web links are not misspelled and do not contain the wrong domain.

Bookmark the correct corporate VPN URL and don’t visit other URLs just based on an incoming phone call.

Beware of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain that someone is authorized to have that information. If possible, try to verify the identity of callers directly with the company.

If you receive a vishing call, document the caller’s phone number as well as the domain the actor attempted to send you to and pass that information on to law enforcement.

Limit the amount of personal information you post on social networking sites. The Internet is a public resource; only post information that you are comfortable with anyone seeing.

Evaluate your settings: Sites may change their options periodically, so regularly check your security and privacy settings to make sure your choices are still appropriate.


Tags: Bibox, Celcius.network, Dan Race, Farsight Security, GitHub, GoDaddy, Namecheap, phishing, privateemail.com, Slack, vishing, Wirex.app

This entry was posted on Saturday November 21st, 2020 at 1:15 PM and is filed under A Little Sunshine, Web Fraud 2.0.
