Earlier today, I published an article about a reported “security incident” involving Escrow.com. In the statement outlining what happened, Escrow.com wrote, “hackers got access to our domain registry account for the Escrow.com domain through a breach of our domain registrar’s systems.” I emphasized the last part of the statement because it seems to lay the blame on the company’s domain registrar rather than the fault of an Escrow.com employee or agent.
A Whois search reveals that the Escrow.com domain name is registered at GoDaddy. I reached out to GoDaddy representatives to see if they could shed some light on this incident. A company representative sent me an email this evening, and it would appear that the issue impacted a handful of customers (who have all been notified). Here’s what I was told by GoDaddy:
On March 30, we were alerted to a security incident involving the redirection of a customer’s domain name. Our team investigated and found an internal employee account triggered the change. We conducted a thorough audit on that employee account and confirmed there were five other customer accounts potentially impacted.
We immediately locked down the impacted accounts involved in this incident to prevent further changes. Any actions done by the threat actor have been reverted and the impacted customers have been notified.
The employee involved in this incident fell victim to a spear-phishing or social engineering attack. We have taken steps across our technology, processes and employee education to help prevent these types of attacks in the future.
We apologize for any inconvenience this may have caused.
One thing that remains concerning for me is that it would appear GoDaddy learned of this incident when they were notified by Escrow.com (“we were alerted”). Had the person who had access to a GoDaddy employee account not done something as obvious as taking down the Escrow.com homepage, I wonder if any further damage could have been done and gone undetected. For instance, it would be concerning if domain name account changes, nameserver changes, or even transfer approvals could have been done.
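The quiet changes worried about above (nameservers swapped, transfer locks removed, registrar changed) are exactly what a domain owner can watch for by diffing periodic WHOIS snapshots. The following is an added example, not code from the original post or from GoDaddy or Escrow.com; the WHOIS text is constructed sample data in the standard registry output format, and the required-lock set is an assumption about what the owner expects.

```python
"""Detect registrar-level drift between two WHOIS snapshots of one domain."""

# Constructed baseline snapshot: locks in place, expected nameservers.
WHOIS_BASELINE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

# Constructed later snapshot: locks gone and nameservers pointed elsewhere.
WHOIS_NOW = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.UNEXPECTED-DNS.EXAMPLE
Name Server: NS2.UNEXPECTED-DNS.EXAMPLE
"""

# Assumption: the owner expects both EPP client locks to stay set.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited"}


def parse_whois(text):
    """Pull nameservers, EPP status codes and registrar out of 'Key: Value' lines."""
    fields = {"nameservers": set(), "status": set(), "registrar": None}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            fields["nameservers"].add(value.lower())
        elif key == "domain status":
            fields["status"].add(value.split()[0])  # drop the trailing ICANN URL
        elif key == "registrar":
            fields["registrar"] = value
    return fields


def detect_drift(baseline_text, current_text):
    """Return a list of (alert_type, detail) tuples; empty means no change."""
    base, now = parse_whois(baseline_text), parse_whois(current_text)
    alerts = []
    if base["nameservers"] != now["nameservers"]:
        alerts.append(("nameserver_change", sorted(now["nameservers"] - base["nameservers"])))
    missing = REQUIRED_LOCKS - now["status"]
    if missing:
        alerts.append(("lock_removed", sorted(missing)))
    if base["registrar"] != now["registrar"]:
        alerts.append(("registrar_change", now["registrar"]))
    return alerts
```

Run on a schedule against a stored baseline, any non-empty result is a reason to contact the registrar immediately rather than wait for a defaced homepage.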
Like many companies, GoDaddy has most, if not all, of its employees working from home during the coronavirus outbreak. I wonder if this may have played a role in gaining access to the employee account.
Although GoDaddy has reported that this is under control, I would advise people to reach out to GoDaddy right away if they notice something strange with their accounts. I don’t know how much of a role it would play, but I recommend enabling two-factor authentication (perhaps via Yubikey) and DTVS security on GoDaddy accounts.