Threat Watch

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Beginning on or around threat actors began an attack on the cryptocurrency trading platform liquid.com by targeting employees at the domain hosting provider GoDaddy. GoDaddy employees were tricked into transferring ownership and/or control of targeted domains to the threat actors. In March, a similar campaign took place with GoDaddy, in which threat actors used a voice phishing scam to take over several domain names, including escrow.com. It has not been confirmed how GoDaddy employees were deceived in the most recent attack. In the March attack, the assailants targeted employees over the phone and were able to read internal notes that GoDaddy employees had left on customer accounts. The liquid.com CEO stated the attackers were able to “change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.” Experts believe that these attacks have recently become more effective as people have been forced to work from home due to the COVID-19 pandemic.

ANALYST NOTES

Voice phishing scams, or vishing, begin with a series of phone calls to employees working remotely at a targeted organization. The phishers will often impersonate the employer’s IT department and attempt to obtain credentials, or to have the employee enter them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

The following are a few measures that can help prevent a vishing scam. Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN. Restrict VPN access hours, where applicable, to mitigate access outside of allowed times. Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains. Educate employees so they can identify suspicious unsolicited phone calls and email messages. Ensure employees know not to give personal information or information about your organization over the phone. If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to, and relay this information to law enforcement.
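
The domain monitoring measure above can be sketched as follows. This is an added example, not code from the original brief: it diffs a stored baseline of DNS and registration data against a fresh snapshot and flags new registrations that contain or resemble a brand name. The snapshot format, the function names and all sample values are assumptions; in practice the snapshots would be filled from scheduled DNS and WHOIS/RDAP lookups and a new-registration feed.

```python
from difflib import SequenceMatcher

# Record types whose change can redirect mail or hand over control of a zone.
HIGH_RISK = {"NS", "MX", "registrar"}

def diff_snapshot(baseline, current):
    """Compare {domain: {rtype: set(values)}} snapshots; return sorted findings."""
    findings = []
    for domain, base in baseline.items():
        cur = current.get(domain, {})  # a domain missing from the snapshot reports every record as removed
        for rtype in sorted(set(base) | set(cur)):
            old, new = base.get(rtype, set()), cur.get(rtype, set())
            if old != new:
                severity = "high" if rtype in HIGH_RISK else "review"
                findings.append((severity, domain, rtype, sorted(new - old), sorted(old - new)))
    return sorted(findings)

def lookalikes(brand_domains, new_registrations, threshold=0.8):
    """Flag newly seen domains whose first label contains or resembles a brand label."""
    hits = []
    for cand in new_registrations:
        label = cand.lower().split(".")[0]
        for brand in brand_domains:
            brand_label = brand.lower().split(".")[0]
            ratio = SequenceMatcher(None, label, brand_label).ratio()
            if cand.lower() != brand.lower() and (brand_label in label or ratio >= threshold):
                hits.append((cand, brand, round(ratio, 2)))
    return hits

# Constructed sample data (reserved example names and addresses, not real observations).
BASELINE = {"example.com": {
    "NS": {"ns1.dns-host.example", "ns2.dns-host.example"},
    "MX": {"mail.example.com"},
    "A": {"192.0.2.10"},
    "registrar": {"Example Registrar"},
}}
CURRENT = {"example.com": dict(BASELINE["example.com"], MX={"mx.unknown-host.example"})}
NEW_REGISTRATIONS = ["examp1e.com", "example-vpn.net", "weather.org"]

if __name__ == "__main__":
    for finding in diff_snapshot(BASELINE, CURRENT):
        print("CHANGE", finding)
    for hit in lookalikes(BASELINE, NEW_REGISTRATIONS):
        print("LOOKALIKE", hit)
```

A high-severity finding on NS, MX or registrar data is the kind of change described in the liquid.com incident and should be confirmed with the registrar through a known-good contact channel.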

Sources: https://krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/?web_view=true