Cyber Attackers Used a GoDaddy Vulnerability to Scam Users

In July 2018, users started reporting on a wave of spam emails that tried to scam them by pushing a phony story. It read that a hacker had infiltrated their computers and had used the webcam to record an indecent video of the victim which was about to be sent out to friends and relatives unless a ransom is paid. There was nothing original about the story, but the wave of sextortion emails was notable for a couple of reasons. First, it contained a genuine password that the recipient had used at one point in the past, which made the scheme sound a lot more convincing. The second interesting thing about the campaign was the sheer number of messages and the fact that very few were stopped by anti-spam filters.

Fast forward a few months, and you'd see another wave of spam messages. It was aimed at various businesses, hospitals, and schools across the US and Canada, and it carried bomb threats. Once again, a couple of factors made the operation interesting. On the one hand, it didn't look terribly professional. The story wasn't very believable, but perhaps the most ridiculous aspect was the ransom demand. The crooks wanted $20,000 in bitcoins before the end of the day which, many experts agree, is physically impossible to get unless you've been preparing in advance. Despite all this, the campaign was seriously disruptive. Out of an abundance of caution, law enforcement ordered mass evacuations of the targeted buildings, and companies ended up losing significant amounts of money because work stopped. Like the sextortion scam, this wave also involved a large number of emails that went through the filters without any serious problems.

Because of this, experts started thinking that maybe the two campaigns are connected. Right now, they are not only sure, they know how the crooks did it.

Hackers hijacked dozens of dormant domains to send spam

First of all, let's take a look at what made the sextortion and bomb threat campaigns so successful. Usually, when crooks need to send spam, they have two options. They can either register new domains and create email accounts associated with them or hijack existing accounts. There are a few drawbacks with both strategies.

If hacked emails are involved, the whole thing could come screeching to a halt if the owners find out that something's wrong. On top of all this, getting your hands on a significant number of compromised accounts could be difficult and expensive.

Registering new domains isn't free, either, and the spam that's coming from them is likely to be blocked because the domains haven't had time to gain any sort of "reputation". If you hijack old domain names, however, things are different.

When analyzing the spam emails from the two campaigns, security researcher Ronald Guilmette noticed that the senders' addresses were mostly associated with domains that were registered years ago, and he was quite shocked to find out that many of them belonged to serious companies like MasterCard, Facebook, Yahoo!, Warner Bros Entertainment, etc. The domains weren't pointed to active websites, and it looked like someone had registered them and had then forgotten about them. They all had one thing in common, though – they were all using GoDaddy's nameservers.

A flaw at the world's largest domain registrar enabled the spam campaigns

The mechanism itself isn't brand new. Several years ago, security engineer Matthew Bryant discovered that a flaw in the way a few of the world's biggest hosting providers handled NS records made domain hijacking possible. GoDaddy's systems weren't inspected at the time, but it would appear that they had a pretty similar fault.

It seems that if you have a GoDaddy account associated with one of the registrar's nameservers, you can control any domain name as long as it uses the same nameserver. The system doesn't check whether you own or have the right to manage the domain and will let you change its DNS settings from the client are at GoDaddy.com. In response to a question from Ars Technica, GoDaddy admitted that the problem is real and that the hackers did manage to take advantage of it. At the moment, the registrar is in the middle of implementing a fix.

Experts believe that the hacking crew that sent out the sextortion scam and the bomb threat alerts comes from Russia which is why they've named it Spammy Bear. For these two campaigns, the crooks took control of at least 78 domains according to Ars Technica, but Ronald Guilmette reckons that over the years, they've launched quite a few other spam operations involving as many as 4,000 GoDaddy-registered domain names.

Hopefully, both GoDaddy and the rest of the domain registrars and hosting providers will finally do what's necessary to ensure that this never happens again.