GoDaddy security incident affects Escrow.com


A customer service employee at GoDaddy.com faced a spear-phishing attack this week. GoDaddy.com immediately locked down the impacted accounts involved in this incident.

A customer service employee of one of the largest domain name registrars, GoDaddy.com, was targeted by a phishing attack this week. The spear-phishing attack allowed the hacker to view and modify key customer records, access that was used to change domain settings for a half-dozen GoDaddy customers. Many sites were affected by this phishing attack, including escrow.com.

A spear-phishing attack

Escrow.com, which facilitates secure transactions when you wish to buy or sell domains with GoDaddy, adds another level of security to the transaction. The company published an announcement about the attack. It said that on 31 March 2020 at 5:07 pm PST, hackers got access to its domain registry accounts for the Escrow.com domain through a breach of its domain registrar’s systems.

The hackers changed the DNS records for Escrow.com to point to a third-party web server. They published a message as below:

[Image: Escrow.com security incident, 31 March 2020]

During the incident, Escrow.com’s security team contacted the hacker on the phone. The hacker thought that he had regained access to the account through domain registry operations. Escrow.com’s security team determined the route of entry: the hacker had unlawfully accessed its registrar’s internal support systems and was using them to make changes to Escrow.com’s account.

The company underlined that no Escrow.com systems were compromised, and that the registry account contained only Escrow.com-owned domains. It added that no customer funds were accessed or at risk.

GoDaddy shared an announcement about the attack:

“Our team investigated and found an internal employee account triggered the change,” the statement reads. “We conducted a thorough audit on that employee account and confirmed there were five other customer accounts potentially impacted.”

According to the announcement, GoDaddy immediately locked down the impacted accounts involved in this incident to prevent further changes. The company stated that it will also place much more emphasis on employee education to prevent these types of attacks in the future.

Dade2 IT Services and Consulting