The cryptocurrency community has a lot of experience dealing with cyber-attacks within its ecosystem. It is also familiar with attacks that have brought it to the attention of the mainstream media, often for unwarranted reasons. It would now seem that the crypto-industry will be in the news again after GoDaddy, the world’s largest domain name registrar, saw its employees being targeted and used in attacks on multiple crypto-services.
According to reports, the unknown perpetrators redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The latest such incident included an attack on cryptocurrency trading platform Liquid.com on the 13th of November, with the platform’s CEO Mike Kayamori using a security incident report to claim,
“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor.”
Following this, on 18 November, crypto-mining firm NiceHash reportedly discovered that some of its settings for its domain registration records at GoDaddy were changed without authorization, briefly redirecting email and web traffic for the site.
Although nothing was stolen, the unauthorized changes were made from an Internet address at GoDaddy, with the attackers allegedly attempting to perform password resets on various third-party services, including Slack and GitHub.
The incident is the latest incursion targeting GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters.
GoDaddy was also subject to similar security breaches earlier this year, including a phishing scam in March that enabled attackers to gain control over half a dozen domain names, and the compromise of 28,000 web hosting accounts in May.
In fact, research done by Farsight Security revealed that several other cryptocurrency platforms may also have been targeted by the same group, including Bibox.com, Celsius.network, and Wirex.app.
GoDaddy reportedly acknowledged the security breach, stating that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam.
Commenting on this issue, a spokesperson said,
“Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.”
It must be noted, however, that the spokesperson declined to specify exactly how the employees were tricked into making the unauthorized changes, adding that the matter is still under investigation.