GoDaddy has an interesting feature. With nothing more than a FREE GoDaddy account, attackers could (and did) create a whole bushel of mischief.
If you have a free account, you can use GoDaddy’s managed DNS service for free for a limited time.
The only problem is that GoDaddy didn’t validate that you owned the domain you wanted to add to your free account. That matters for any domain whose nameservers already point at GoDaddy’s DNS servers but which has no zone configured there: those servers simply refuse queries for it until somebody, anybody, adds it to an account.
Once you control the authoritative DNS for that domain you can publish MX records to receive its mail, SPF and DKIM records so the mail you send from it passes authentication checks, and A records that send visitors to the domain’s web site to any server you choose.
Since the account was free and the hacker didn’t actually own the domains in question, and since the IP addresses associated with the attack were outside the U.S., good luck finding the culprit.
This attack method apparently also works at other registrars.
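To make the precondition concrete, here is an added example (my code, not GoDaddy’s or Krebs’s) of the check a domain owner can run against every domain they hold: for each nameserver the domain is delegated to, ask that server directly for the zone’s SOA record. A server that refuses, fails, or answers non-authoritatively is not hosting the zone even though the parent points at it, which is exactly the state that let anyone claim the domain at the provider. The domain names, nameserver names, the SoaResponse model and the fixture answers are constructed for the demo; the live_query_soa helper uses dnspython against real servers and is not exercised offline.

```python
"""Lame-delegation audit: find domains delegated to nameservers that are not
actually serving the zone (the state that made the free-account takeover work)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class SoaResponse:
    """Minimal view of one SOA query answer (constructed model, not a wire format)."""
    rcode: str            # 'NOERROR', 'REFUSED', 'SERVFAIL', 'NXDOMAIN' or 'TIMEOUT' (no answer)
    authoritative: bool   # AA flag set in the response header
    has_soa: bool         # an SOA record for the domain was in the answer section


def classify(resp: SoaResponse) -> str:
    """Decide what one delegated nameserver's answer says about the zone."""
    if resp.rcode == 'TIMEOUT':
        return 'unreachable'          # no verdict possible; retry before concluding
    if resp.rcode == 'NOERROR' and resp.authoritative and resp.has_soa:
        return 'serving'              # server really hosts the zone
    # REFUSED, SERVFAIL, NXDOMAIN, or a non-authoritative answer all mean the
    # server has no zone for this domain even though the parent delegates to it.
    return 'lame'


def audit_domain(domain: str, nameservers: List[str],
                 query_soa: Callable[[str, str], SoaResponse]) -> Dict[str, str]:
    """Query every delegated nameserver directly and classify each answer."""
    return {ns: classify(query_soa(domain, ns)) for ns in nameservers}


def hijackable(report: Dict[str, str]) -> bool:
    """One lame nameserver is enough: whoever claims the zone there gets answers
    served for a share of the domain's traffic (all of it if every NS is lame)."""
    return 'lame' in report.values()


def audit_all(delegations: Dict[str, List[str]],
              query_soa: Callable[[str, str], SoaResponse]) -> Dict[str, Dict[str, str]]:
    return {d: audit_domain(d, nss, query_soa) for d, nss in delegations.items()}


def live_query_soa(domain: str, ns_host: str, timeout: float = 3.0) -> SoaResponse:
    """Real SOA query sent straight at one nameserver. Requires dnspython and
    network access; the offline demo below does not call it."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver
    try:
        ip = dns.resolver.resolve(ns_host, 'A')[0].address
        q = dns.message.make_query(domain, dns.rdatatype.SOA)
        r = dns.query.udp(q, ip, timeout=timeout)
    except Exception:
        return SoaResponse('TIMEOUT', False, False)
    has_soa = any(rr.rdtype == dns.rdatatype.SOA for rr in r.answer)
    return SoaResponse(dns.rcode.to_text(r.rcode()), bool(r.flags & dns.flags.AA), has_soa)


# Constructed fixture (hypothetical domains and provider nameservers). dormant.example
# is the pattern in the story: delegated to the provider, no zone configured there.
FIXTURE = {
    ('active.example', 'ns1.provider.example'): SoaResponse('NOERROR', True, True),
    ('active.example', 'ns2.provider.example'): SoaResponse('NOERROR', True, True),
    ('dormant.example', 'ns1.provider.example'): SoaResponse('REFUSED', False, False),
    ('dormant.example', 'ns2.provider.example'): SoaResponse('REFUSED', False, False),
    ('flaky.example', 'ns1.provider.example'): SoaResponse('NOERROR', True, True),
    ('flaky.example', 'ns2.provider.example'): SoaResponse('TIMEOUT', False, False),
}
DELEGATIONS = {
    'active.example': ['ns1.provider.example', 'ns2.provider.example'],
    'dormant.example': ['ns1.provider.example', 'ns2.provider.example'],
    'flaky.example': ['ns1.provider.example', 'ns2.provider.example'],
}


def fixture_query(domain: str, ns: str) -> SoaResponse:
    """Offline stand-in for live_query_soa, answering from the fixture."""
    return FIXTURE[(domain, ns)]


if __name__ == '__main__':
    for domain, report in audit_all(DELEGATIONS, fixture_query).items():
        flag = 'CLAIMABLE' if hijackable(report) else 'ok'
        print(f'{domain}: {flag} {report}')
```

Run it against your own portfolio by swapping fixture_query for live_query_soa and feeding it the NS records from each domain’s parent zone (the registrar’s whois or a `dig NS` at the TLD servers). A domain that comes back CLAIMABLE should be moved to nameservers you actually control, or have its zone created at the provider, before somebody else does it for you.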
Since the domains in question were dormant, nobody noticed or cared that they had been taken over for a month – long enough to send out tens of millions of spam emails. Two recent campaigns, one threatening to expose pictures of you watching porn if you didn’t send them money and the other saying that there was a bomb in your building and it would go off if you didn’t pay up, used these hijacked domains.
Thousands of domains were compromised. Soon after the story of the attack method was published GoDaddy said that they put a fix in place.
They also said that they fixed 4,000 hijacked domains.
The only problem is that there are many thousands more domains that they didn’t detect or fix.
GoDaddy says that they have now fixed more domains but are also looking for other similar attack vectors that may not have been closed.
GoDaddy now says that it believes domains can no longer be hijacked using this specific method. Other methods? Not so sure. Domains that were already compromised? You’re on your own.
Some researchers think that some of GoDaddy’s DNS servers have been compromised, but GoDaddy says that’s not the case.
One of the attacks using this scheme distributed the GandCrab ransomware. One company, A.S. Price Mechanical, a small metal fabricator in South Carolina, was hit with it. The ransom was initially $2,000 but went to $4,000 while they decided what to do.
Charlene Price, co-owner of the company, said “it’s not fair or right and this is unjust.” “We have accepted the fact, for now, that we are just locked out of our company’s information. We know nothing about this type of issue other than we have to pay it or just start again.”
While she is absolutely correct, the crooks don’t really care. The fact that she is not knowledgeable about protecting her valuable company information is also not of concern to attackers.
So what do you need to be doing?
First of all, if you don’t have offline backups – ones that cannot be infected – you need to create them now and keep them current. I keep mine in a bank vault. The good news is that it is not a smart vault and the vault does not have an internet connection so it will be pretty hard to encrypt those backups.
Second, beef up employee training. The A.S. Price attack happened when an employee clicked on a malicious link.
Third, add robust anti-malware protections. There are lots of them out there. It does cost money, but so does losing access to your data. In the A.S. Price case it is $4,000 (not counting the cost of losing access to the data). While that is a lot of money, what if they had asked for $100,000 instead? It has happened. And the hackers have been paid.
Next, have a strong, tested incident response program. A few months before the Sony attack, Sheldon Adelson’s Las Vegas Sands casinos were hit by a destructive attack. Because the Sands IT team had a tested incident response program and, even more importantly, was empowered to act without a committee’s approval, they limited the damage enough that you probably never heard about it. Visualize this. Geeks with pocket protectors running across the casino floor unplugging live, operational computers so they didn’t get infected. Unplugging the entire Sands empire from the Internet. WITHOUT A SINGLE MEETING. That is training, trust and empowerment. And it worked!
Finally, implement the processes that Homeland Security recommended in Emergency Directive 19-01 (Mitigate DNS Infrastructure Tampering, January 2019): audit your DNS records against what you expect them to be, change the passwords on every account that can modify your DNS, turn on multi-factor authentication for those accounts, and monitor Certificate Transparency logs for certificates issued for your domains that you didn’t request.
Information for this post came from Brian Krebs.