GoDaddy employees targeted and used for attacking crypto-services

By Benson Toti

Several crypto exchanges with a GoDaddy domain reported unauthorised changes

The world’s largest domain name registrar, GoDaddy, is scrambling to protect its employees after the company found that they were being targeted and used as part of attacks across several crypto services.

Reports indicate that the perpetrators, who have not yet been identified, redirected email and web traffic that was originally destined for several cryptocurrency trading platforms in the past week. The latest incident related to this included an attack on Liquid.com, a cryptocurrency trading platform, on 13 November.

Liquid's Chief Executive Officer, Mike Kayamori, claimed in a security incident report that “a domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor”.

After this incident was noted, a crypto mining firm named NiceHash also found that a few of the settings in its domain registration records at GoDaddy had been changed without authorisation. As a result, email and web traffic for the site was redirected for a brief period of time.

“In the early morning (UTC) hours of 18 November 2020, the NiceHash domain was not reachable. The domain registrar GoDaddy had technical issues and as a result of unauthorised access to the domain settings, the DNS records for the NiceHash.com domain were changed”, the company explained to its users in a blog post.

While nothing was stolen, the unauthorised changes had been made from an Internet address that was registered at GoDaddy. The attackers were also allegedly trying to complete password resets on several third-party services, including Slack and GitHub.

This is not the first time that GoDaddy has struggled with security breaches. Earlier this year, a phishing scam allowed attackers to seize control of over half a dozen domain names in March, and 28,000 web hosting accounts were compromised in May.

Research conducted by Farsight Security indicated that several other crypto platforms, such as Bibox, Celsius Network and Wirex, may have also been targeted by the same group.

A GoDaddy spokesperson stated that the company’s security team “investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees”.

However, the spokesperson did not specify the means by which the employees were lured into making the unauthorised changes, explaining that the matter is still under investigation.