UPDATED 19:21 EDT / NOVEMBER 22 2020

SECURITY

GoDaddy employees tricked into handing over control of cryptocurrency domains

The hijacking of domain names belonging to Singapore-based cryptocurrency exchange Liquid and several other crypto sites has been attributed to hackers tricking GoDaddy Inc. employees into handing over ownership.

The hack of Liquid, first detected Nov. 13, involved the incorrect transfer of control of an account and domain to a malicious actor. With this access, those behind the attack changed domain name server records and took control of some of the company’s email accounts.

That account and domain were hosted by GoDaddy, according to a Nov. 20 report by Krebs on Security, and Liquid wasn’t the only cryptocurrency company affected. Also successfully targeted was cryptocurrency mining service NiceHash, which has confirmed that its account at GoDaddy had been taken over. Bibox.com, Celsius Network and Wirex.app also may have been targeted.

In a blog post, NiceHash said that in the early hours of Nov. 18 its domain name was not reachable. “The domain registrar GoDaddy had technical issues and as a result of unauthorized access to the domain settings, the DNS records for the NiceHash.com domain were changed,” the company wrote.

NiceHash founder Matjaz Skorjanc told Krebs on Security that the attackers tried to use their access to its incoming emails to perform password resets on various third-party services, including Slack and GitHub. “We detected this almost immediately [and] started to mitigate [the] attack,” Skorjanc said. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen.”

The other companies affected have not publicly commented. Bibox.com was down as of 7 p.m. EST today, while Wirex.app was throwing up a security alert in Google Chrome that included “the website sent back unusual and incorrect credentials.” Celsius Network, a cryptocurrency lending and investment company, appears to be online and functional and the company has made no comment on the report. SiliconANGLE has reached out to the company for comment.

GoDaddy has confirmed the story, saying that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. The company has since undertaken an audit, identified potentially affected accounts and assisted customers in regaining access.

This isn’t the first time GoDaddy has been in the news for security lapses. In May it was reported that 28,000 web hosting accounts had been exposed in a data breach, while in August 2018 data belonging to GoDaddy was found exposed in a misconfigured Amazon Web Services Inc. S3 bucket.

Photo: GoDaddy/Wikimedia Commons
