GoDaddy Authentication Vulnerability Enables Spam Email Campaigns
This particular authentication weakness may have left over 550,000 domains vulnerable to hijacking.
Hackers have been able to hijack GoDaddy domains and create disturbing spam email campaigns that included hoax bomb threats and sextortion.
The scams appear to have taken advantage of GoDaddy authentication weaknesses. The vulnerability, which was highlighted by researcher Ronald Guilmette, enabled bad actors to add a domain to their account without requiring verification that they owned the domain.
Guilmette’s research showed that similar authentication weaknesses have affected other major internet service providers (ISPs) and are being used by cybercriminals to coordinate devastating phishing and malware attacks.
Scam email campaigns have previously been used to devastating effect, with one particular hoax bomb threat campaign in 2018 prompting mass evacuations from schools across the US.
On this occasion, the scam used more than 75 domains registered to Mozilla, Expedia and a host of other sizeable organisations.
Hackers have also used thousands of other domains, all of which were attributed to well-known companies, to extort victims with alleged “private” videos.
This technique is known as snowshoe spamming. By sending from legitimate, reputable domains, hackers significantly boost their chances of fooling spam filters.
Investigation of this type of scam found that the majority of affected domains had their DNS resolution handled by GoDaddy before being hijacked.
Speaking to ArsTechnica, GoDaddy confirmed the vulnerability and said action had been taken to resolve the issues.
A spokesperson for the company said: “After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process.
“We’ve identified a fix and are taking corrective action immediately. While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change, nor was customer information exposed.”
Exact details of the weakness were not disclosed by GoDaddy. However, having downloaded a copy of the zone file for domains ending in .com, Guilmette claims to have identified more than 34 million that pointed to GoDaddy DNS servers.
Guilmette estimates that this particular authentication weakness may have left over 550,000 domains vulnerable to hijacking.
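The exposure estimate above comes from reading a TLD zone file and counting domains whose NS records point at one provider's nameservers. The script below is an added illustration of that audit, not code from the article, from Guilmette or from GoDaddy: it parses zone-file NS records, groups them by domain, and reports how many domains delegate some or all of their nameservers to a given provider suffix. The zone-file sample and the suffix `dns-provider.example` are constructed placeholders; a real audit would read the downloaded zone file and pass the provider's actual nameserver domain.

```python
"""Audit a DNS zone file for domains delegated to one provider's nameservers.

Added example, not the article's or GoDaddy's code. The sample zone data and
the provider suffix are constructed placeholders (assumption: a TLD zone file
uses the "<name> <ttl> IN NS <target>" line format shown here).
"""
from collections import defaultdict

# Constructed sample in TLD zone-file format; ';' starts a comment.
SAMPLE_ZONE = """\
; constructed sample, not real zone data
EXAMPLE-ONE.COM.   172800 IN NS NS01.DNS-PROVIDER.EXAMPLE.
EXAMPLE-ONE.COM.   172800 IN NS NS02.DNS-PROVIDER.EXAMPLE.
EXAMPLE-TWO.COM.   172800 IN NS NS1.OTHER-HOST.EXAMPLE.
EXAMPLE-TWO.COM.   172800 IN NS NS2.OTHER-HOST.EXAMPLE.
EXAMPLE-THREE.COM. 172800 IN NS NS1.OTHER-HOST.EXAMPLE.
EXAMPLE-THREE.COM. 172800 IN NS NS03.DNS-PROVIDER.EXAMPLE.
NS01.DNS-PROVIDER.EXAMPLE. 172800 IN A 192.0.2.10
"""


def parse_ns_records(zone_text):
    """Return {domain: set(nameserver)} built from the NS records in zone text.

    Accepts both "name ttl IN NS target" and "name IN NS target" lines; every
    other record type (A, AAAA, DS, ...) is ignored. Names are lower-cased and
    the trailing dot stripped so comparisons are case-insensitive.
    """
    delegations = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            name, target = fields[0], fields[4]
        elif len(fields) == 4 and fields[1].upper() == "IN" and fields[2].upper() == "NS":
            name, target = fields[0], fields[3]
        else:
            continue
        delegations[name.lower().rstrip(".")].add(target.lower().rstrip("."))
    return dict(delegations)


def delegated_to(delegations, provider_suffix, require_all=False):
    """Domains with at least one NS (or, with require_all, every NS) under the suffix.

    The distinction matters for an exposure count: a domain with mixed
    delegation still resolves partly through the provider being audited.
    """
    suffix = "." + provider_suffix.lower().strip(".")
    hits = {}
    for domain, servers in delegations.items():
        matching = {s for s in servers if s.endswith(suffix)}
        if matching and (not require_all or matching == servers):
            hits[domain] = sorted(matching)
    return hits


def summarize(zone_text, provider_suffix):
    """Count domains in the zone and how many delegate some/all NS to the provider."""
    delegations = parse_ns_records(zone_text)
    return {
        "domains": len(delegations),
        "any_ns_at_provider": len(delegated_to(delegations, provider_suffix)),
        "all_ns_at_provider": len(delegated_to(delegations, provider_suffix, require_all=True)),
    }


if __name__ == "__main__":
    # Swap SAMPLE_ZONE for the contents of a downloaded zone file and the
    # placeholder suffix for the provider's real nameserver domain.
    print(summarize(SAMPLE_ZONE, "dns-provider.example"))
```

On the constructed sample this reports three domains, two of which delegate at least one nameserver to the placeholder provider and one of which delegates all of them; a real zone file is gigabytes, so the same functions would be fed line by line from disk rather than from a string.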