Tag Archives: GoDaddy

GoDaddy Users Beware

GoDaddy has an interesting feature.  A hacker who creates a FREE GoDaddy account can create, and has created, a whole bushel of mischief.

If you have a free account, you can use GoDaddy’s managed DNS service for free for a limited amount of time.

The only problem is that GoDaddy didn’t validate that you owned the domain you wanted to add to your free managed DNS account.

Once you control DNS for that domain you can send mail as it, read its mail and act as a man in the middle against the domain’s web site.

Since the account was free, the hacker didn’t actually own the domains in question, and the IP addresses associated with the attack were not in the U.S., so good luck finding the culprit.

This attack method apparently also works at other registrars.
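The weakness described above can be checked for from the owner's side. The script below is an added example (not code from the post, from Krebs or from GoDaddy): a domain is exposed when the parent zone delegates it to a managed DNS provider's nameservers but that provider has no zone for it, because whoever adds the domain to an account there then answers for it. The provider suffix, the resolver table and the expected addresses are all constructed; for live use, replace `lookup` with real NS and SOA queries.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: suffix shared by the managed DNS provider's nameservers. Edit for yours.
PROVIDER_NS_SUFFIX = ".managed-dns.example."

@dataclass
class ProbeResult:
    ns_names: List[str]     # NS names the parent zone delegates the domain to
    rcode: str              # RCODE a delegated NS returned for an SOA query on the domain
    apex_a: Optional[str]   # A record that NS returned for the apex, None if it returned none

def classify(domain: str, expected_apex_a: str,
             lookup: Callable[[str], ProbeResult]) -> str:
    """Return one of: not-at-provider, dangling, foreign-zone, ok."""
    r = lookup(domain)
    if not any(ns.endswith(PROVIDER_NS_SUFFIX) for ns in r.ns_names):
        return "not-at-provider"        # hosted elsewhere; out of scope for this check
    if r.rcode != "NOERROR":
        # Delegation exists but the provider has no zone: claimable by any account holder.
        return "dangling"
    if r.apex_a != expected_apex_a:
        # The provider serves a zone, but not the records you expect: someone else's zone.
        return "foreign-zone"
    return "ok"

# Constructed sample of what a resolver would report for four domains (TEST-NET addresses).
SAMPLE: Dict[str, ProbeResult] = {
    "dormant-one.example.": ProbeResult(["ns01.managed-dns.example.", "ns02.managed-dns.example."], "REFUSED", None),
    "dormant-two.example.": ProbeResult(["ns01.managed-dns.example.", "ns02.managed-dns.example."], "NOERROR", "198.51.100.7"),
    "active.example.":      ProbeResult(["ns01.managed-dns.example.", "ns02.managed-dns.example."], "NOERROR", "203.0.113.10"),
    "elsewhere.example.":   ProbeResult(["ns1.other-dns.example."], "NOERROR", "203.0.113.10"),
}

def audit(domains, expected_apex_a: str,
          lookup: Callable[[str], ProbeResult] = SAMPLE.__getitem__) -> Dict[str, str]:
    """Classify every domain; anything not 'ok' deserves a look."""
    return {d: classify(d, expected_apex_a, lookup) for d in domains}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE, "203.0.113.10").items():
        print(f"{domain:24} {verdict}")
```

A `dangling` verdict on a domain you still own means either remove the delegation or re-add the zone under your own account before someone else does.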

Since the domains in question were dormant, nobody noticed or cared that they had been taken over for a month – long enough to send out tens of millions of spam emails.  Two recent campaigns, one threatening to expose pictures of you watching porn if you didn’t send them money and the other saying that there was a bomb in your building and it would go off if you didn’t pay up, used these hijacked domains.

Thousands of domains were compromised.  Soon after the story of the attack method was published GoDaddy said that they put a fix in place.

They also said that they fixed 4,000 hijacked domains.

The only problem is that there are many thousands more domains that they didn’t detect or fix.

GoDaddy says that they have now fixed more domains but are also looking for other similar attack vectors that may not have been closed.

GoDaddy now says that they believe that it is not possible to hijack domains any more using this specific method.  Other methods – not so sure.  Existing domains compromised?  You’re on your own.

Some researchers think that some of GoDaddy’s DNS servers have been compromised, but GoDaddy says that it’s not the case.

One of the attacks using this scheme distributed the GandCrab ransomware.  One company, A.S. Price Mechanical, a small metal fabricator in South Carolina, was hit with the ransomware.  The ransom was initially $2,000 but went to $4,000 while they decided what to do.

Charlene Price, co-owner of the company, said “it’s not fair or right and this is unjust.”  “We have accepted the fact, for now, that we are just locked out of our company’s information.  We know nothing about this type of issue other than we have to pay it or just start again.”

While she is absolutely correct, the crooks don’t really care.  The fact that she is not knowledgeable about protecting her valuable company information is also not of concern to attackers.

So what do you need to be doing?

First of all, if you don’t have offline backups – ones that cannot be infected – you need to create them now and keep them current.  I keep mine in a bank vault.  The good news is that it is not a smart vault and the vault does not have an internet connection so it will be pretty hard to encrypt those backups.

Second, beef up employee training.  The A.S. Price attack happened when an employee clicked on a malicious link.

Third, add robust anti-malware protections.  There are lots of them out there.  It does cost money, but so does losing access to your data. In the A.S. Price case it is $4,000 (not including the cost/value of losing access to the data).  While it is a lot of money, what if they had asked for $100,000 instead?  It has happened.  And the hackers have been paid.

Next, have a strong, tested incident response program.  A few months before the Sony attack, the same group attacked some of Sheldon Adelson’s casinos (the Sands in Las Vegas).  Because Adelson’s IT team had a tested incident response program and, even more importantly, were empowered to act without a committee’s approval, they minimized the damage so much that you didn’t even hear about the attack.  Visualize this.  Geeks with pocket protectors running across the casino floor unplugging live, operational computers so they didn’t get infected.  Unplugging the entire Sands empire from the Internet.  WITHOUT A SINGLE MEETING.  That is training, trust and empowerment.  And it worked!

Finally, implement the processes that Homeland Security recommended in Emergency Directive 19-01.

Information for this post came from Brian Krebs.


GoDaddy Vulnerable To Social Engineering

CSO Online wrote an article on how easy it is to get around the controls that ISPs and domain registrars have put in place.  I will describe it in more detail in a minute, but here is the short version:

Businesses are much more concerned about keeping customers happy than they are about keeping customers secure.

Sorry, GoDaddy, but that is the truth.  The article’s writer and his friend, a security guy, set out to test GoDaddy’s security.

Here is the crux of the problem:  GoDaddy support says that account resets are a simple process.  If you have forgotten your username or customer number, no problem.  Just click on a link and we will make you happy.  Or you can call them.  Account resets should not be a simple process.  At least you should make the hacker or terrorist work a little bit.

In this case, they called customer support.  They asked for the domain registration information (which is available to anyone on the planet with access to the Internet via Whois or other domain tools).  You can use private registration services to make this harder, but most registrars charge extra for this.  One big registrar that does not charge extra for private registration is 1&1 Internet.  I would say that this is not a security measure, but they would say it is.

GoDaddy asked if the attacker had access to the account’s email.  He said no.  GoDaddy said no problem.

GoDaddy asked for the account PIN.  Didn’t have that either.  Still no problem.

GoDaddy asked for the last 4 of the credit card for the account.  Didn’t have that either.  Still no problem.

The pseudo-attacker was good at making up reasons for why he didn’t have any of this information, but still, he had none of the information.

The final step was to ask the customer to fill out a form and include a copy of a government-issued ID.  Of course, no one at GoDaddy has heard of that little-used program called Photoshop.

So, after a little work with Photoshop, the attacker-friend submitted the paperwork to GoDaddy.  Apparently, unlike customer service, the people who read paper forms only work first shift on weekdays, so the attacker was slowed down by submitting the paperwork Friday evening.

Monday morning the attacker received an email from GoDaddy at the fake Gmail account he had set up for this purpose saying the accounts were registered to a business, so there were additional steps – they needed to contact the business.

Again the attacker made stuff up – this is not a real business, I just thought I had to put something in the blank on the form so there is no one you could call.  Of course, the CSR could have tried to see if the business existed with a Google search, but that, for you Star Trek fans, would have violated the prime directive – a happy customer is one who continues to let us charge his credit card.

At this point, the attacker had control of the domain account and every email that is associated with it.

Not bad for no information and a couple of hours work.

This technique is a favorite of terrorists and hackers.  It is easy and basically untraceable.

To be fair to GoDaddy, MOST businesses are susceptible to this form of attack, whether it is your local department store web site, a registrar, the electric company or whatever.  Social engineering is pretty easy because of the prime directive above – keep the customer happy.

So, until businesses (and really consumers) push back and say if you can’t provide the account number or credit card number or PIN or have access to the account’s email, then we are not going to help you, it will continue to be very easy to attack someone.  AND, it is really only a little bit harder for the attacker to get one of these pieces of information.
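The rule the post argues for, written down as a recovery gate, as an added example that is not code from the post, from CSO Online or from GoDaddy: a reset proceeds only when the caller proves at least one factor bound to the account (control of the account e-mail, the PIN, or the card's last four); an uploaded ID document never substitutes for those, and a business account additionally needs an out-of-band call to the number on file. The account record, the request shape and the sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Account:
    email: str
    pin_hash: str                         # sha256 hex of the PIN (assumption: stored hashed)
    card_last4: str
    business_phone: Optional[str] = None  # set when the account belongs to a business

@dataclass
class RecoveryRequest:
    email_token_valid: bool = False       # caller used a link sent to the account e-mail
    pin: Optional[str] = None
    card_last4: Optional[str] = None
    id_document: bool = False             # a government ID scan was uploaded
    callback_confirmed: bool = False      # support reached the business at the number on file

def _same(a: str, b: str) -> bool:
    """Constant-time comparison so a mismatch leaks nothing about the stored value."""
    return hmac.compare_digest(a.encode(), b.encode())

def decide(acct: Account, req: RecoveryRequest) -> Tuple[str, List[str], str]:
    """Return (decision, factors proven, reason); decision is allow, hold or deny."""
    proven: List[str] = []
    if req.email_token_valid:
        proven.append("email")
    if req.pin is not None and _same(hashlib.sha256(req.pin.encode()).hexdigest(), acct.pin_hash):
        proven.append("pin")
    if req.card_last4 is not None and _same(req.card_last4, acct.card_last4):
        proven.append("card")
    if not proven:
        # An ID scan on its own is exactly the artefact the post shows being forged.
        return ("deny", proven, "no account-bound factor proven; ID document does not substitute")
    if acct.business_phone and not req.callback_confirmed:
        return ("hold", proven, "business account: confirm by calling the number on file")
    return ("allow", proven, "")

# Constructed sample account; the PIN 2468 exists only for this example.
SAMPLE_ACCOUNT = Account("owner@corp.example", hashlib.sha256(b"2468").hexdigest(), "1234", "+1-555-0100")

if __name__ == "__main__":
    print(decide(SAMPLE_ACCOUNT, RecoveryRequest(id_document=True)))          # deny
    print(decide(SAMPLE_ACCOUNT, RecoveryRequest(pin="2468")))                # hold
    print(decide(SAMPLE_ACCOUNT, RecoveryRequest(pin="2468", callback_confirmed=True)))  # allow
```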

A few security product companies will tell you that if you forget your information then you are out of luck.  Absio is one and Silent Circle is another, but this is very rare, because, for the most part, customers are more concerned about convenience than they are about security, and until that changes, hackers and terrorists won’t have to work very hard.

GoDaddy’s response after the fact was pretty classic:

  • No system is perfect.
  • Creating a fake government ID is illegal so since you brought our bad policies to our attention we might report you to the authorities (they apparently didn’t do that either – more weakness in the process).
  • We are going to hold our breath until we turn blue if you ever do this again or write about it.

Well, they didn’t really say the last one, but the other two are true.

I have said for years that in a battle between security and convenience, convenience will always win.  GoDaddy proved it. Again.

Mitch
