GoDaddy Domain Registrations Infected with Ransomware
I have just come across this article online and anyone who is using GoDaddy.com for their domain names should check it out.
GoDaddy.com has stated they have the issue under control and, from reading the article, I don’t think there have been too many domain names hit, but if you have a site online registered at GoDaddy it’s best to check.
Don’t forget GoDaddy has extended their $1.99 dot com domain registration promotion until the end of the week, so take advantage if you have any domains that you want to register.
Some webmasters who have used GoDaddy to register their domain names have had their sites infected with malicious ransomware, it has been revealed, a consequence of criminal hackers accessing GoDaddy’s DNS records.
Fraser Howard of online security firm, Sophos, described the attack as “exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers.”
This essentially means that users trying to access previously trustworthy sites are redirected to rogue servers due to hackers adding an additional subdomain. By doing this, the site still appears somewhat legitimate, as the domain in the URL remains the same. The exploit appears to have originated in Russia.
The rogue server that a user is redirected to displays an alarming page that accuses the user of various cybercrimes while demanding a ransom to ‘unlock’ their computer. The page is region specific, so should you access the page from a UK-based IP address you will be confronted by a picture of a police officer in a British uniform next to a banner reading “Police Central e-crime Unit”. The page could be considered especially convincing as it features an animated .GIF picture that mimics footage being recorded from a webcam. The page claims “If you use a webcam, videos and pictures were saved for identification”.
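The attack described above leaves a footprint in the victim's own DNS zone: extra A records, for hostnames the owner never created, pointing at addresses the owner does not operate. The script below is an added example (not GoDaddy's or Sophos's tooling) of the kind of zone audit a domain owner can run against an exported zone file. The zone text is constructed sample data, and the "known-good" address range and expected hostnames are assumptions a real owner would replace with their own inventory.

```python
"""Audit a BIND-style zone export for unexpected A records.

Added example, not from the article. SAMPLE_ZONE is constructed data;
KNOWN_GOOD_NETWORKS and EXPECTED_HOSTS are assumed baselines.
"""
import ipaddress
import re

# Constructed sample zone export: three legitimate hosts plus two records
# of the kind the article describes (unknown subdomains -> foreign IPs).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN  SOA   ns1.example.com. hostmaster.example.com. (2012112001 7200 900 1209600 300)
@        IN  NS    ns1.example.com.
@        IN  A     203.0.113.10
www      IN  A     203.0.113.10
mail     IN  MX    10 mail.example.com.
mail     IN  A     203.0.113.25
; injected entries (constructed for this example)
ad4fk2   IN  A     198.51.100.77
update   600 IN A  198.51.100.77
"""

# Assumed baseline: address ranges the zone owner actually operates.
KNOWN_GOOD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed baseline: hostnames that are expected to exist in the zone.
EXPECTED_HOSTS = {"@", "www", "mail"}

# name [ttl] [IN] A ipv4 -- TTL and class are optional in presentation format
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_a_records(zone_text):
    """Return (name, ip) tuples for every A record in a zone export."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):  # skip directives like $ORIGIN
            continue
        m = A_RECORD.match(line)
        if m:
            records.append((m.group("name"), m.group("ip")))
    return records


def find_suspicious_records(zone_text, known_networks=KNOWN_GOOD_NETWORKS,
                            expected_hosts=EXPECTED_HOSTS):
    """Flag A records whose name is unexpected or whose IP is outside the
    owner's known address ranges. Either condition alone is worth a look;
    both together is the pattern of an injected subdomain."""
    findings = []
    for name, ip in parse_a_records(zone_text):
        addr = ipaddress.ip_address(ip)
        reasons = []
        if name not in expected_hosts:
            reasons.append("unexpected hostname")
        if not any(addr in net for net in known_networks):
            reasons.append("address outside known-good ranges")
        if reasons:
            findings.append({"name": name, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_records(SAMPLE_ZONE):
        print(f"{f['name']:10} {f['ip']:16} {', '.join(f['reasons'])}")
```

Run against a periodic zone export (or the registrar's DNS management export), this turns the "additional subdomains with corresponding A records" Sophos describes into a concrete alert rather than something noticed only after a visitor complains.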
Sophos believes that the cause of this attack was weak or stolen user passwords. GoDaddy went on to release a statement that would confirm this to be true:
“Go Daddy has detected a very small number of accounts have malicious DNS entries placed on their domain names. We have been identifying affected customers and reversing the malicious entries as we find them. Also, we’re expiring the passwords of affected customers so the threat actors cannot continue to use the accounts to spread malware.
We suspect that the affected customers have been phished or their home machines have been affected by Cool Exploit as we have confirmed that this is not a vulnerability in the My Account or DNS management systems.”
This follows a previous, larger-scale disruption of service in September that affected sites that were either hosted by GoDaddy or had registered a domain through them. In that instance a single member of the hacker and activist collective Anonymous claimed responsibility, while GoDaddy maintained that the “service outage was not caused by external influences.”