GoDaddy, one of the largest domain registrars in the world, fell for a social engineering scam that hurt its customers and their users. According to an investigation by KrebsOnSecurity, a website that analyzes such cases, a criminal managed to redirect the DNS of a domain registered on the platform without even breaching its systems.
The final victim was Escrow.com, a service that secures online financial transactions. On March 31, the page was replaced by a text that mocked users: “Thank you for these years, but we decided to take a hit on all of you. Fuck yourself. Send e-mail to support to get your money back,” read the page, with a reference to Malaysia. The aim was to provoke a large number of refund requests.
The page displayed that text for about two hours and then returned to normal. In a statement, Escrow CEO Matt Barrie said the incident did not compromise user information and that the issue was on GoDaddy's side.
What the criminal actually did was change the site’s DNS data, directing users to a page other than the one previously registered with GoDaddy. Such a change is not supposed to be simple: the domain owner must request it over the phone and authorize it verbally. When contacted, GoDaddy acknowledged the problem.
According to an official statement, a company employee reportedly received a call and, convinced that the caller was an authorized Escrow employee, approved the DNS change. In addition, five other accounts may have been affected by the same action.
“We immediately blocked the accounts impacted by this incident to prevent future changes. Any action requested by the criminal has been reversed and impacted customers have been notified. The employee involved in this incident was the victim of a spear-phishing or social engineering attack. We are taking steps in technology, processes and training of employees to help prevent this type of attack in the future,” said the company.
Spear-phishing attacks occur when the criminal uses a lure, such as a malicious email or link, aimed at a specific person to steer them toward a specific action. In this case, the lure was direct contact with the objective of redirecting the escrow.com domain.
Read more about it here: https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/