Posted on April 5, 2020 at 6:06 PM
Recent reports revealed that a GoDaddy employee was the target of a successful spearphishing attack that resulted in the compromise of that employee's company account. The compromise gave the attacker access to some customer records, and the attacker used that access to make extensive changes to domain name settings.
The altered settings included those of well-known domains such as Escrow.com, an online escrow and brokerage service for many types of transactions.
GoDaddy further revealed that the attack may have affected five other customer accounts, but it did not say how many domains those accounts held.
The Escrow.com account was attacked on March 31, when the actors replaced the content of the site's homepage with a message of their own. They did this by taking the domain's legitimate DNS records out of service and replacing them with records pointing to a server under their control.
Researchers revealed that the actors used an IP address located in Malaysia, which could indicate where the attackers were operating from.
According to Elliot Silver of DomainInvesting, the Escrow.com team he contacted responded immediately, saying that the company was investigating the attack and that no data had been compromised.
Later the same day, he received a notification that the problem had been fixed and resolved within a few hours.
The next day, the site's general manager pointed him to an official statement released by the company's chief executive. According to the statement, the only affected domains were those owned and managed by the company itself.
The statement said that all customer data were intact and had not been compromised. The chief executive also described what the company's security team found during its investigation.
He explained that the security team spoke with the attacker by phone during the incident.
The conversation lasted for more than an hour while the attacker was trying to regain access to the account. During the call, the security team learned that the attacker had unauthorized access to the registrar's internal support system.
That access was the entry point through which the attackers got into the systems. According to the security team's findings, the attackers were using the support system to alter the Escrow.com account.
More details about the attack discovered
KrebsOnSecurity reported further details about the attack on Escrow.com, obtained from the security firm SecurityTrails. According to its chief executive, "the attacker also obtained free encryption certificates for Escrow.com from Let's Encrypt."
A reverse DNS check on the IP address of the fake server also showed that the address was serving at least 12 domains. Among them was a 12-day-old domain whose name included the name of Escrow.com's registrar.
When the security firm visited that domain, it displayed the same message found on the compromised Escrow.com site, although the address is no longer accessible.
Measures to prevent the attack
The security researchers also noted that the scheme behind this attack was very sophisticated and could be beyond the scope or control of any website owner. However, they stated that there are some security measures which can go a long way toward preventing such an attack.
They advised that website owners use the registrar lock feature, which can prevent the alteration of a domain's DNS records.
Another way to stop these attacks is the use of two-factor authentication. With a second factor in place, it is more difficult for someone to take over your domain, because the attacker must also get past a second verification step.
The security effort does not rest solely on site owners. The research team said the bulk of the security work should be carried by GoDaddy. The company should intensify efforts to train its employees on sound security practices, and employees should be taught how to recognize and avoid such sophisticated phishing campaigns.
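The nameserver replacement and the co-hosted lookalike domain described above suggest two checks a domain owner can automate. The following is an added example, not code from the article or from any of the companies it names; all domain names, IP addresses and dates are constructed, and `example-registrar` stands in for the real registrar's name.

```python
"""Added example (not from the article): two defender-side checks that would
surface a registrar-level DNS hijack of the kind described above.
Every record, domain name and date here is constructed sample data."""
from datetime import date

# Constructed baseline: the records the domain owner expects to see.
BASELINE = {
    "NS": {"ns1.example-registrar.test", "ns2.example-registrar.test"},
    "A": {"203.0.113.10"},
}
# Constructed answers as a monitor would collect them after the hijack.
OBSERVED_HIJACKED = {
    "NS": {"ns1.attacker-host.test", "ns2.attacker-host.test"},
    "A": {"198.51.100.77"},
}

def dns_drift(baseline, observed):
    """Return (severity, rtype, unexpected, missing) for each record type whose
    answer set differs from the baseline. An NS change is the signature of a
    registrar-level takeover, so it is rated critical; an A change is high."""
    alerts = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        if seen != expected:
            severity = "critical" if rtype == "NS" else "high"
            alerts.append((severity, rtype, sorted(seen - expected), sorted(expected - seen)))
    return alerts

# Constructed reverse-DNS result for the fake server's IP, with registration dates.
COHOSTED = ["shop-demo.test", "support-example-registrar.test", "blog-old.test"]
REGISTERED_ON = {
    "shop-demo.test": date(2019, 6, 1),
    "support-example-registrar.test": date(2020, 3, 19),
    "blog-old.test": date(2018, 1, 15),
}

def flag_cohosted_lookalikes(cohosted, brand_terms, registered_on, today, max_age_days=30):
    """Flag domains sharing an IP that carry a protected brand term and were
    registered recently; domains with no known registration date are skipped."""
    flagged = []
    for name in cohosted:
        reg = registered_on.get(name)
        if reg is None:
            continue
        age = (today - reg).days
        if any(term in name.lower() for term in brand_terms) and age <= max_age_days:
            flagged.append((name, age))
    return flagged
```

Run against the constructed data, `dns_drift` reports a critical NS change and `flag_cohosted_lookalikes` returns the 12-day-old domain carrying the registrar's name.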