Internal threats: GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Cybercriminals redirected email and web traffic destined for various cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees of GoDaddy, the world’s largest domain name registrar.

The incident is the latest intrusion at GoDaddy that relied on tricking employees into transferring ownership and/or control of specific domains to scammers. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to take over at least half a dozen domain names, including the transaction brokerage site escrow.com. And in May of this year, GoDaddy revealed that 28,000 of its customers' web hosting accounts were compromised following a security incident in October 2019 that wasn't discovered until April 2020.

This latest attack campaign appears to have started around November 13, with an attack on the cryptocurrency trading platform liquid.com.
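A registrar-level takeover of the kind described above usually becomes visible as a change to the victim domain's NS, MX or A records, redirecting mail and web traffic before the owner notices. The following added example, which is not code from the article or from GoDaddy, is a defender-side drift check: it compares a stored baseline of expected records with a freshly observed set and reports anything added or removed, while ignoring cosmetic differences (hostname case, trailing dots). The domain, record values and the observing resolver are all constructed placeholders.

```python
"""Offline check for registrar-level DNS tampering (added example, not from the article).

Compares a stored baseline of expected NS/MX/A records against an observed set
and reports drift. The observed records here are constructed sample data; in a
real deployment they would come from a resolver you trust, ideally by querying
the zone's authoritative servers directly on a schedule.
"""
from dataclasses import dataclass

RECORD_TYPES = ("NS", "MX", "A")


def normalize(rtype, value):
    """Canonicalize one record so cosmetic differences do not raise alerts.
    Hostnames are case-insensitive and the trailing dot is optional; MX values
    keep their priority so a newly inserted preferred host is still noticed."""
    value = value.strip()
    if rtype == "MX":
        prio, host = value.split(None, 1)
        return f"{int(prio)} {host.lower().rstrip('.')}"
    if rtype == "NS":
        return value.lower().rstrip(".")
    return value  # A records: IPv4 literals are compared as-is


@dataclass
class Finding:
    domain: str
    rtype: str
    added: frozenset    # records present now but absent from the baseline
    removed: frozenset  # baseline records that have disappeared


def detect_dns_drift(baseline, observed):
    """baseline and observed have the shape {domain: {rtype: [record, ...]}}.
    Returns one Finding per (domain, rtype) whose record set changed. A record
    type or domain missing from `observed` counts as fully removed, which is
    itself a condition worth alerting on (zone gone or resolver blocked)."""
    findings = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype in RECORD_TYPES:
            want = frozenset(normalize(rtype, r) for r in expected.get(rtype, []))
            got = frozenset(normalize(rtype, r) for r in seen.get(rtype, []))
            if want != got:
                findings.append(Finding(domain, rtype, got - want, want - got))
    return findings


# Constructed sample data: placeholder domain and records, not the real records
# of any company named in the article.
BASELINE = {
    "example-exchange.test": {
        "NS": ["ns1.registrar-dns.test.", "ns2.registrar-dns.test."],
        "MX": ["10 mail.example-exchange.test."],
        "A": ["192.0.2.10"],
    }
}

# The same zone after a hypothetical takeover: NS and MX now point at
# infrastructure the domain owner does not control, while the A record is unchanged.
OBSERVED_AFTER_TAKEOVER = {
    "example-exchange.test": {
        "NS": ["NS1.hijacked-dns.test", "ns2.hijacked-dns.test"],
        "MX": ["10 mail.hijacked-dns.test"],
        "A": ["192.0.2.10"],
    }
}


def summarize(findings):
    """Render findings as one alert line each, for logging or a ticket."""
    return [f"{f.domain} {f.rtype}: +{sorted(f.added)} -{sorted(f.removed)}" for f in findings]


if __name__ == "__main__":
    for line in summarize(detect_dns_drift(BASELINE, OBSERVED_AFTER_TAKEOVER)):
        print("ALERT", line)
```

Run on a schedule against a baseline captured when the zone was known-good, and feed the alert lines into whatever paging path handles registrar incidents; an unexpected NS change is the signal to contact the registrar and enable registry lock if it is not already on.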

GoDaddy spokesman Dan Race declined to specify how the company's employees were tricked into making unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the attackers targeted employees over the phone and were able to read internal notes that GoDaddy employees had left on customer accounts.

In August 2020, several security experts warned of a sharp increase in large corporations being targeted by sophisticated voice phishing (vishing) scams. Experts say that the success of these scams has been greatly aided by the many employees working remotely because of the ongoing coronavirus pandemic.

A typical vishing scam begins with a series of phone calls to employees working remotely at a specific organization. Phishers often explain that they are calling from the employer’s IT department to help troubleshoot problems with company email or virtual private network (VPN) technology.

The goal is to convince the target to disclose their credentials over the phone or manually enter them on a website created by attackers that mimics corporate email or the organization’s VPN portal.

On July 15, several high-profile Twitter accounts were used to tweet about a bitcoin scam that made more than $100,000 in a few hours. According to Twitter, that attack was successful because the perpetrators were able to socially engineer several Twitter employees over the phone to give them access to internal Twitter tools.

An alert issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says that the perpetrators of these vishing attacks compile dossiers on the employees of their target companies using mass scraping of public profiles on social media platforms, publicly available recruiting and marketing tools, background check services, and open source research.