UPDATED 19:21 EST / NOVEMBER 22 2020

SECURITY

GoDaddy employees tricked into handing over control of cryptocurrency domains

The hijacking of domain names belonging to Singapore-based cryptocurrency exchange Liquid and several other crypto sites has been attributed to hackers tricking GoDaddy Inc. employees into handing over ownership.

The hack of Liquid, first detected Nov. 13, involved the incorrect transfer of control of an account and domain to a malicious actor. With this access, those behind the attack changed domain name server records and took control of some of the company’s email accounts.

That account and domain were hosted by GoDaddy, according to a Nov. 20 report by Krebs on Security, and Liquid wasn’t the only cryptocurrency company affected. Also successfully targeted was cryptocurrency mining service NiceHash, which has confirmed that its account at GoDaddy had been taken over. Bibox.com, Celsius Network and Wirex.app also may have been targeted.

In a blog post, NiceHash said that in the early hours of Nov. 18 its domain name was not reachable. “The domain registrar GoDaddy had technical issues and as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed,” the company wrote.

NiceHash founder Matjaz Skorjanc told Krebs on Security that the attackers tried to use their access to its incoming emails to perform password resets on various third-party services, including Slack and GitHub. “We detected this almost immediately [and] started to mitigate [the] attack,” Skorjanc said. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen.”

The other companies affected have not publicly commented. Bibox.com was down as of 7 p.m. EST today, while Wirex.app was throwing up a security alert in Google Chrome that included “the website sent back unusual and incorrect credentials.” Celsius Network, a cryptocurrency lending and investment company, appears to be online and functional and the company has made no comment on the report. SiliconANGLE has reached out to the company for comment.

GoDaddy has confirmed the story, saying that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. They have since undertaken an audit, identified potentially affected accounts and assisted customers in regaining access.

This isn’t the first time GoDaddy has been in the news for security lapses. In May it was reported that 28,000 web hosting accounts had been exposed in a data breach, while in August 2018 data belonging to GoDaddy was found exposed on a misconfigured Amazon Web Services Inc. S3 bucket.

Photo: GoDaddy/Wikimedia Commons
