GoDaddy Employee “Fell Victim to a Spear-fishing or Social Engineering Attack”


Earlier today, I published an article about a reported “security incident” involving Escrow.com. In the statement outlining what happened, Escrow.com wrote, “hackers got access to our domain registry account for the Escrow.com domain through a breach of our domain registrar’s systems.” I emphasized the last part of the statement because it seems to lay the blame on the company’s domain registrar rather than on an Escrow.com employee or agent.

A Whois search reveals that the Escrow.com domain name is registered at GoDaddy. I reached out to GoDaddy representatives to see if they could shed some light on this incident. A company representative sent me an email this evening, and it would appear that the issue impacted a handful of customers (who have all been notified). Here’s what I was told by GoDaddy:

On March 30, we were alerted to a security incident involving the redirection of a customer’s domain name. Our team investigated and found an internal employee account triggered the change. We conducted a thorough audit on that employee account and confirmed there were five other customer accounts potentially impacted.

We immediately locked down the impacted accounts involved in this incident to prevent further changes. Any actions done by the threat actor have been reverted and the impacted customers have been notified.

The employee involved in this incident fell victim to a spear-fishing or social engineering attack. We have taken steps across our technology, processes and employee education, to help prevent these types of attacks in the future.

We apologize for any inconvenience this may have caused.

One thing that remains concerning for me is that it would appear GoDaddy learned of this incident only when notified by Escrow.com (“we were alerted”). Had the person who had access to a GoDaddy employee account not done something as obvious as taking down the Escrow.com homepage, I wonder whether further damage could have been done and gone undetected. For instance, it would be concerning if domain name account changes, nameserver changes, or even transfer approvals could have been made.

Like employees at many companies, most, if not all, GoDaddy employees are working from home during the coronavirus outbreak. I wonder if this may have played a role in gaining access to the employee account.

Although GoDaddy has reported that this is under control, I would advise people to reach out to GoDaddy right away if they notice something strange with their accounts. I don’t know how much of a role it would play, but I recommend enabling two-factor authentication (perhaps via a YubiKey) and DTVS security on GoDaddy accounts.
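The detection concern above is that a registrar-side change can go unnoticed until something visible breaks. One way a domain owner can notice such a change sooner is to keep a known-good baseline of the domain’s public records and compare it against fresh snapshots. The following is an added example of that comparison; it is not code from this article, from GoDaddy or from Escrow.com. The domain, nameservers, addresses and lock status are constructed sample data, and the `transfer_locked` field stands in for whatever status a registrar’s own interface reports.

```python
"""Added example (not from the article or from GoDaddy/Escrow.com):
compare a stored baseline of a domain's public DNS records and
transfer-lock status against a new snapshot and report the differences
a registrar-account takeover would typically produce. Every value below
is constructed sample data."""
from dataclasses import dataclass, field

# Record types worth baselining: nameservers (how a homepage gets
# redirected), web addresses and mail exchangers.
WATCHED_TYPES = ("NS", "A", "MX")


def normalize(value: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return value.strip().lower().rstrip(".")


@dataclass
class Snapshot:
    domain: str
    records: dict = field(default_factory=dict)  # type -> list of values
    transfer_locked: bool = True  # assumed registrar transfer-lock flag


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> list:
    """Return a human-readable alert for every watched difference."""
    if normalize(baseline.domain) != normalize(current.domain):
        raise ValueError("snapshots are for different domains")
    alerts = []
    for rtype in WATCHED_TYPES:
        before = {normalize(v) for v in baseline.records.get(rtype, [])}
        after = {normalize(v) for v in current.records.get(rtype, [])}
        removed, added = sorted(before - after), sorted(after - before)
        if removed or added:
            alerts.append(f"{rtype} changed: removed={removed} added={added}")
    if baseline.transfer_locked and not current.transfer_locked:
        alerts.append("registrar transfer lock was removed")
    return alerts


# Constructed baseline captured at a known-good time.
BASELINE = Snapshot(
    domain="example.com",
    records={
        "NS": ["ns1.example-dns.invalid.", "ns2.example-dns.invalid."],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.example.com."],
    },
    transfer_locked=True,
)

# Constructed snapshot showing what an unauthorized registrar-side change
# could look like: different nameservers and a dropped transfer lock.
TAMPERED = Snapshot(
    domain="EXAMPLE.COM",
    records={
        "NS": ["ns1.unknown-dns.invalid.", "ns2.unknown-dns.invalid."],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.example.com."],
    },
    transfer_locked=False,
)


def check_tampered() -> list:
    """Alerts for the constructed tampered snapshot (two expected)."""
    return diff_snapshots(BASELINE, TAMPERED)


def check_unchanged() -> list:
    """A snapshot identical to the baseline produces no alerts."""
    return diff_snapshots(BASELINE, BASELINE)


if __name__ == "__main__":
    for line in check_tampered():
        print("ALERT:", line)
```

In practice the current snapshot would be filled from a DNS lookup and the registrar’s account page on a schedule, and any non-empty alert list would be the cue to contact the registrar, which is exactly the “notice something strange” step recommended above.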

9 COMMENTS

  1. Godaddy is not to be trusted with domains!!!
    Did the guy really say “spear-fishing”????!!!!
    How can you trust a registrar with your valuable business domain when their representative doesn’t even know the difference between spear-fishing and spear-phishing???!!!

  2. A Van Gogh got stolen, so museums can’t be trusted.
    Banks get robbed around the world, so banks can’t be trusted.
    GoDaddy, out of 50 million domains under management, has an issue and can’t be trusted.
    If a house is robbed that uses ADT alarms, then the company can’t be trusted.
    I suggest you take your belongings, money and domains and bury them in your backyard, and make sure nobody sees you.
    GD market cap almost 10 billion, somebody trusts them, hahahaha

    Easy... you get an idea of people by their comments.

  3. It could’ve happened to just about any registrar, not only GD. Anything coded can be decoded. No one is insured.

    Measures should be implemented covering all aspects:
    technical; organizational; legal.

    In most cases of security breaches, the organizational factor has proved time and again to be the weakest link – like an employee clicking link-bait to a phishing site out of stupid curiosity.
