According to a report published earlier today on Krebs on Security, a popular and well-sourced cybersecurity blog, there was an “incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters.” This social engineering targeted the Liquid.com domain name owned and used by a cryptocurrency company called Liquid. Other cryptocurrency platforms may have also been targeted, according to Krebs.
Prior to reading this report, I read a blog article published by Liquid CEO Mike Kayamori on the Liquid corporate blog discussing a “security incident” involving the company’s domain name. In the blog article, Kayamori reported the following involving GoDaddy:
“On the 13th of November 2020, a domain hosting provider “GoDaddy” that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor. This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
I had reached out to a representative from GoDaddy after reading the article yesterday, but I have not heard back. This is understandable given the fact that my email was sent late on a Friday evening. A company representative did provide a comment in the Krebs on Security article.
While this incident appears to have been limited to a handful of cryptocurrency platforms, one has to wonder whether other domain names could be at risk. Could the people behind this social engineering have targeted high-value domain names and either transferred them to a different registrar, or moved them into a different account for a period of time and transferred them out later? Alternatively, could nameservers or forwarding have been changed without the registrant knowing? The Liquid account shows why that second scenario matters: by the company's own description, control of the DNS records was enough to redirect mail and take over internal email accounts, with no transfer to another registrar required.
I use, and strongly recommend that others use, two-factor authentication on domain registrar accounts. GoDaddy supports several forms of two-factor authentication, including hardware security keys such as YubiKeys. GoDaddy also offers a service called DTVS that requires the registrant to confirm outbound transfers and account changes over the telephone with their GoDaddy account representative. I would be interested in knowing if these added security measures could still be bypassed. The caveat is that both controls sit on the customer's side of the account: the Krebs report describes employees being tricked into handing over control, and a support agent who reassigns an account on the strength of a convincing phone call never touches the customer's second factor, so the question is whether out-of-band confirmation is enforced on the registrar's internal support path as well.
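Whatever the registrar does internally, a registrant can at least detect the symptoms of a takeover quickly: registrar locks disappearing, the nameserver set changing, or the registry's "last changed" timestamp moving when nobody on your side made a change. The script below is an added example written for this post, not code from Liquid, GoDaddy or Krebs. It compares a trusted RDAP snapshot of a domain against a current one and reports those differences. The two snapshots are constructed inline (the domain, nameserver names and registrar ID are placeholders) so it runs offline; the `fetch_rdap()` helper uses the public rdap.org redirector and is only there for wiring the check into a scheduled job. It sees registry-visible state only; a change to mail forwarding or MX records inside the zone would need a separate resolver-based check.

```python
"""Audit a domain's RDAP record against a known-good baseline.

Added example: compares two RDAP domain objects (RFC 9083 shape) and flags
the changes a registrar-account takeover would produce: locks removed,
nameservers swapped, registrar changed, or a new "last changed" timestamp.
"""
import json
import urllib.request

# EPP status codes, in the RDAP spelling of RFC 8056, that must be present
# for a domain to be protected against transfer, update and deletion.
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

def fetch_rdap(domain: str) -> dict:
    """Fetch a live RDAP domain object via the rdap.org redirector.
    Not called by the offline demo below; use it to record a baseline."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)

def nameservers(rdap: dict) -> set:
    """Normalised set of nameserver hostnames from the RDAP object."""
    return {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}

def last_changed(rdap: dict):
    """Registry 'last changed' event date, or None if absent."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "last changed":
            return ev.get("eventDate")
    return None

def registrar_id(rdap: dict):
    """IANA registrar ID from the entity with the 'registrar' role."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for pid in ent.get("publicIds", []):
                if pid.get("type") == "IANA Registrar ID":
                    return pid.get("identifier")
    return None

def audit(baseline: dict, current: dict) -> list:
    """Return a list of human-readable findings; empty means no drift."""
    findings = []
    missing = REQUIRED_LOCKS - set(current.get("status", []))
    if missing:
        findings.append(f"registrar lock(s) missing: {sorted(missing)}")
    old_ns, new_ns = nameservers(baseline), nameservers(current)
    if old_ns != new_ns:
        findings.append(
            f"nameservers changed: removed={sorted(old_ns - new_ns)} "
            f"added={sorted(new_ns - old_ns)}"
        )
    if registrar_id(baseline) != registrar_id(current):
        findings.append(
            f"registrar changed: {registrar_id(baseline)} -> {registrar_id(current)}"
        )
    if last_changed(baseline) != last_changed(current):
        findings.append(
            f"registry 'last changed' moved: {last_changed(baseline)} -> {last_changed(current)}"
        )
    return findings

# Constructed sample data (placeholder domain, nameservers and registrar ID).
BASELINE = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client update prohibited",
               "client delete prohibited"],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example-dns.net"},
                    {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.net"}],
    "entities": [{"objectClassName": "entity", "roles": ["registrar"],
                  "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}]}],
    "events": [{"eventAction": "last changed", "eventDate": "2020-06-01T09:00:00Z"}],
}

# Constructed snapshot of the same domain after a hypothetical account takeover:
# transfer/update locks cleared, nameservers pointed elsewhere, record updated.
COMPROMISED = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client delete prohibited"],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.attacker-dns.example."},
                    {"objectClassName": "nameserver", "ldhName": "NS2.attacker-dns.example."}],
    "entities": BASELINE["entities"],
    "events": [{"eventAction": "last changed", "eventDate": "2020-11-13T02:14:00Z"}],
}

if __name__ == "__main__":
    for finding in audit(BASELINE, COMPROMISED):
        print("ALERT:", finding)
```

To use it for real, store `fetch_rdap("yourdomain")` on a day you know the account is clean, then run `audit()` against a fresh fetch from cron and page on any non-empty result; a nameserver change or a cleared transfer lock that you did not make is worth a phone call to the registrar before an attacker finishes redirecting your mail.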
Put simply, it would be very good to get some reassurance from GoDaddy that client accounts and domain names remain secure.