Hackers gained control of multiple cryptocurrency services’ web domains after carrying out social engineering attacks on employees of domain registrar GoDaddy.
Last week, security expert Brian Krebs reported that fraudsters were able to divert email and web traffic for several cryptocurrency trading platforms after duping GoDaddy employees into transferring control of the domains.
Beginning around 13 November, attackers were granted control of crypto trading platform liquid.com's domain and account, with cryptocurrency mining service NiceHash also compromised later in the month. Several other cryptocurrency platforms may also have been targeted.
Attackers were able to change domain settings and briefly divert email and web traffic. Liquid.com also said that hackers were able to change DNS records, access internal email accounts and gain access to document storage.
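The change described above is visible from outside the victim: a registrar-level takeover shows up as new NS records (the delegation itself moved) and, if the attacker wants email, new MX records. What follows is an added example, not code from the article or from GoDaddy, Liquid or NiceHash, of the baseline-drift check a domain owner could run on a schedule to catch it. Every domain name, nameserver and address in it is constructed from reserved example values, and the two resolver functions are stand-ins for a live DNS lookup.

```python
"""Detect registrar-level DNS tampering by diffing live records against a pinned baseline.

Added example, not code from the article or from any company named in it.
"""
from typing import Callable, Dict, FrozenSet, List

# Record types to pin. A change to NS means the delegation itself was moved (what a
# registrar-account takeover produces); MX changes divert email; A changes divert web traffic.
RECORD_TYPES = ("NS", "MX", "A")

IMPACT = {
    "NS": "delegation changed: possible registrar/account takeover",
    "MX": "mail routing changed: possible email diversion",
    "A": "web address changed: possible web traffic diversion",
}

# Baseline and observations are stored as lowercase record-data strings (names with trailing dot).
Records = Dict[str, FrozenSet[str]]
# A resolver takes (domain, record type) and returns the set of record data strings.
Resolver = Callable[[str, str], FrozenSet[str]]


def snapshot(domain: str, resolve: Resolver) -> Records:
    """Query every pinned record type for the domain and normalise the answers to lowercase sets."""
    return {rtype: frozenset(r.lower() for r in resolve(domain, rtype)) for rtype in RECORD_TYPES}


def diff_records(baseline: Records, observed: Records) -> List[dict]:
    """Return one finding per record type whose live data differs from the baseline."""
    findings = []
    for rtype in RECORD_TYPES:
        expected = baseline.get(rtype, frozenset())
        seen = observed.get(rtype, frozenset())
        if expected == seen:
            continue
        findings.append({
            "type": rtype,
            "added": sorted(seen - expected),
            "removed": sorted(expected - seen),
            "impact": IMPACT[rtype],
        })
    return findings


def check_domain(domain: str, baseline: Records, resolve: Resolver) -> List[dict]:
    """One monitoring pass: resolve, diff, return findings (an empty list means no drift)."""
    return diff_records(baseline, snapshot(domain, resolve))


# --- constructed sample data (hypothetical names; RFC 2606 names and RFC 5737 addresses) ---
BASELINE_EXAMPLE: Records = {
    "NS": frozenset({"ns1.example-dns.net.", "ns2.example-dns.net."}),
    "MX": frozenset({"10 mail.example.com."}),
    "A": frozenset({"192.0.2.10"}),
}

# What a resolver would return after an attacker repointed NS and MX at infrastructure they
# control while leaving the A record alone, so the website itself still looks normal.
OBSERVED_AFTER_TAKEOVER: Records = {
    "NS": frozenset({"ns1.attacker-dns.example.", "ns2.attacker-dns.example."}),
    "MX": frozenset({"10 mx.attacker-mail.example."}),
    "A": frozenset({"192.0.2.10"}),
}


def tampered_resolver(domain: str, rtype: str) -> FrozenSet[str]:
    """Stand-in for a live DNS lookup that returns the constructed post-takeover answers."""
    return OBSERVED_AFTER_TAKEOVER[rtype]


def clean_resolver(domain: str, rtype: str) -> FrozenSet[str]:
    """Stand-in resolver that returns exactly the baseline (no drift)."""
    return BASELINE_EXAMPLE[rtype]


if __name__ == "__main__":
    for finding in check_domain("example.com", BASELINE_EXAMPLE, tampered_resolver):
        print(f"[{finding['type']}] {finding['impact']}")
        print(f"   removed: {finding['removed']}")
        print(f"   added:   {finding['added']}")
```

For a live check, swap in a resolver built on a DNS library (with dnspython, for instance, `lambda d, t: frozenset(r.to_text() for r in dns.resolver.resolve(d, t))`) and point it at a resolver you do not share with the registrar, so the comparison does not depend on the infrastructure that was just taken over. Treat any NS finding as urgent even when A is unchanged: in the incident above the attackers diverted email, which the website's continued availability would not reveal.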
NiceHash said that it was able to detect the attack and mitigate it "almost immediately", and froze customer funds for around 24 hours afterwards. Liquid.com said that email contents, passwords and other personal data do not appear to have been accessed, but recommended that users reset their passwords and enable two-factor authentication.
GoDaddy told KrebsOnSecurity that “a small number” of customer domain names had been changed after a “limited” number of GoDaddy employees fell for the scam.
“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” it continued.
Social engineering attacks occur when attackers manipulate people into divulging credentials or taking an action, such as handing over control of an account, that gives the attacker access to a network or account. This commonly involves the attacker gathering background information on the target to make the approach more convincing, or masquerading as a trusted individual or legitimate user.
This is not the first time GoDaddy employees have fallen victim to social engineering: a voice phishing scam in March gave attackers control of at least six domains.
Jeremy Hendy, CEO at Skurio, said:
“Social engineering continues to be a significant risk – with GoDaddy staff apparently falling for similar tactics that were used to compromise many high-profile Twitter accounts in July. With large organisations like these, hackers can try those techniques out on thousands of staff until they find a weak link.
“By gaining control of a domain at source, cybercriminals can bypass these measures in order to, for example, send phishing or payment diversion emails.
“We have seen a reassuring improvement in cyber awareness and organisations using training, password management, access control and domain monitoring to prevent email takeover – but there is still more to be done.
“Organisations can receive an early warning of this kind of attack through using synthetic identities in their databases. If emails are sent to such identities, they can immediately be identified as malicious even if the attack has happened in their wider digital supply chain.”