Thousands of web domains were hijacked due to GoDaddy vulnerability

An unknown attacker has exploited this weakness to deploy multiple malicious email campaigns

At the end of last year, a campaign of bomb threats sent by email provoked massive evacuations and closures in hundreds of organizations in the United States, Canada and parts of Latin America. The campaign was reported by researchers around the world, including the network security and ethical hacking experts of the International Institute of Cyber Security.

Recently, a detailed investigation of this campaign was published, concluding that it was made possible by a critical vulnerability in GoDaddy that allowed the attackers to hijack dozens of domains belonging to Mozilla, Yelp and other organizations. According to the investigators, using the same exploit the attackers managed to hijack thousands of domains belonging to multiple organizations in order to run other spam or blackmail campaigns against unsuspecting users.

The distribution of malicious emails through legitimate domains was the cornerstone of this attack campaign. This technique, known as “snowshoe spam”, gives the messages a normal and legitimate appearance, which increases the likelihood that the malicious email is delivered, as reported by network security experts.

Domains that sent these messages include wotdonate.com, wothome.com, wotlifestyle.com, wotnetwork.com and wotscooking.com, which are registered as Expedia property. Other domains, such as yelpmarketingservices.com, virtualfirefox.com and blueestatescoffee.com, belong to organizations such as Yelp and Mozilla. In total, 78 domains used to distribute the spam were recorded, although no further sites are known to be involved.

On the other hand, the number of domains hijacked by the same user or group for other campaigns is much larger. An analysis by the network security expert Ronald Guilmette shows that, in recent years, this individual or group has hijacked over 4 thousand domains belonging to more than 500 companies or individuals, including sites of MasterCard International, Hilton International, ING Bank, MIT, McDonald's Corp. and even the DigiCert certificate authority.

The evidence collected by Ronald Guilmette is sufficient to link the December 2018 bomb threat campaign with other email fraud campaigns, although researchers have yet to identify the person or group behind these attacks. For now, the investigators have nicknamed the responsible entity “Spammy Bear”, as the attacks usually involve IPs located in Russia.

GoDaddy, for its part, responded with an official statement: “After conducting an internal investigation, our teams have confirmed that a malicious actor exploited our DNS configuration process. We have already devised a solution, which we are in the process of implementing. In spite of the malicious actions of the attackers, at no time was the ownership of the clients' accounts changed, nor was their personal information exposed”, the organization claims.

Although GoDaddy's teams did not disclose technical details about the exploited vulnerability, several pieces of evidence indicate that it was a weakness present throughout its infrastructure, one which has affected other DNS service providers on previous occasions.
