Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms, including liquid.com and NiceHash, by tricking GoDaddy employees. GoDaddy, the registrar for the affected domains, says a small number of customer domain names were modified after a limited number of its employees fell for a social engineering scam.
Vishing scams on cryptocurrency trading platforms
In May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in October 2019. The latest campaign is estimated to have begun on or around November 13 with an attack on cryptocurrency trading platform liquid.com, whose domain is registered with GoDaddy.
Liquid CEO Mike Kayamori described the attack in a blog post, saying,
“On the 13th of November 2020, a domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor. This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
DNS records were changed
In a separate incident, in the early morning (UTC) hours of November 18, 2020, the domain of cryptocurrency mining service NiceHash became unreachable. As a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed. To protect users’ funds, NiceHash froze all customer funds for roughly 24 hours, until it was able to verify that its domain settings had been restored to their original values. NiceHash founder Matjaz Skorjanc complained about being unable to reach GoDaddy by email or phone. Skorjanc described the attack, saying,
“The unauthorized changes were made from an Internet address at GoDaddy, and the attackers tried to use their access to its incoming NiceHash emails to perform password resets on various third-party services, including Slack and Github. NiceHash’s email service was redirected to privateemail.com, an email platform run by Namecheap, another large domain name registrar.”
GoDaddy: A limited number of employees were affected
According to GoDaddy, only “a small number” of customer domain names had been modified after a limited number of GoDaddy employees fell for a social engineering scam. GoDaddy added that a separate outage between 7:00 p.m. and 11:00 p.m. PST on Nov. 17 was not related to a security incident, but was a technical issue that arose during planned network maintenance.
On July 15, a number of high-profile Twitter accounts were used to tweet a bitcoin scam that earned more than $100,000 in a few hours. Twitter said the attack succeeded because the perpetrators were able to socially engineer several Twitter employees over the phone into giving up access to internal Twitter tools. According to the KrebsOnSecurity report, the same fraudsters subsequently targeted several other cryptocurrency services.
An advisory by FBI and CISA
Large corporations have been targeted in sophisticated voice phishing, or vishing, scams. With many employees working remotely because of the ongoing Coronavirus pandemic, these scams have proven effective.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on these vishing attacks that includes a number of suggestions companies can implement to help mitigate the threat, including:
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
- Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
- Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
- Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
- Verify web links do not have misspellings or contain the wrong domain.
- Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
- If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
- Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
- Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.