Thousands of web domains were hijacked due to GoDaddy vulnerability

An unknown attacker exploited this weakness to run multiple malicious email campaigns

At the end of last year, a campaign of bomb threats sent by email provoked mass evacuations and business closures at hundreds of organizations in the United States, Canada and parts of Latin America. The campaign was reported by researchers around the world, including the network security and ethical hacking experts of the International Institute of Cyber Security.

A detailed investigation of this campaign was recently published. It concluded that the campaign was made possible by a critical weakness at GoDaddy that allowed the attackers to hijack dozens of domains belonging to Mozilla, Yelp and other organizations. According to the investigators, the same technique let the attackers hijack thousands of domains belonging to many organizations, which were then used for other spam and extortion campaigns against unsuspecting users.

Sending the malicious emails through legitimate domains was the cornerstone of this campaign. The technique, known as "snowshoe spam", spreads the sending load across many domains and addresses so that no single source accumulates a bad reputation, and the use of established, legitimately registered domains gives the messages a normal appearance. Both effects increase the chance that a malicious email is delivered rather than filtered, as network security experts report.

Domains that sent these messages include wotdonate.com, wothome.com, wotlifestyle.com, wotnetwork.com and wotscooking.com, all registered to Expedia. Others, such as yelpmarketingservices.com, virtualfirefox.com and blueestatescoffee.com, belong to organizations such as Yelp and Mozilla. In total, 78 domains used to distribute the spam were identified, although the researchers do not rule out that more sites were involved.

The number of domains hijacked by the same user or group for other campaigns is much larger. An analysis by network security expert Ronald Guilmette shows that, in recent years, this individual or group has hijacked more than 4,000 domains belonging to over 500 companies and individuals, including MasterCard International, Hilton International, ING Bank, MIT, McDonald's Corp. and even the certificate authority DigiCert.

The evidence collected by Ronald Guilmette is sufficient to link the December 2018 bomb threat campaign with other email fraud campaigns, although researchers have yet to establish the identity of the person or group behind these attacks. Provisionally, the investigators have nicknamed the responsible entity "Spammy Bear", because the attacks usually involve IP addresses located in Russia.

GoDaddy responded with an official statement: "After conducting an internal investigation, our teams have confirmed that a malicious actor exploited our DNS configuration process. We have already devised a solution, which we are in the process of implementing. Despite the malicious actions of the attackers, at no time was the ownership of customer accounts changed, nor was their personal information exposed", the company states.

Although GoDaddy has not disclosed technical details of the exploited weakness, several pieces of evidence indicate that it was a structural weakness in its DNS configuration process rather than a one-off bug, and that the same class of weakness has affected other DNS service providers on previous occasions.
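The article does not name the exact weakness, so the following is an added example, not code from the article, GoDaddy or the researchers. It assumes the class of problem the closing paragraph alludes to: a domain whose NS records delegate it to a hosting provider's nameservers while no account at that provider actually hosts the zone (a "lame" or "dangling" delegation), which is the condition that lets a third party claim the zone. The script sends a non-recursive SOA query straight to each delegated nameserver and treats anything other than an authoritative answer as a server to investigate; the nameserver names, the domain and the replies in SAMPLE are constructed for the offline run.

```python
import random
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1

# Minimal DNS wire-format encoder: the query is sent directly to each delegated
# nameserver with RD=0, so only an authoritative answer counts as "hosted".
def build_query(domain, qid=None, qtype=QTYPE_SOA):
    if qid is None:
        qid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = domain.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)

def parse_header(resp):
    """Extract the header fields the lame-delegation check needs."""
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # reply, not a query
        "aa": bool(flags & 0x0400),   # Authoritative Answer
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }

def classify(hdr):
    """Map one nameserver's reply to a delegation status.
    Anything other than 'authoritative' is a lame delegation at that server."""
    if hdr is None:
        return "no-response"
    if hdr["rcode"] == 5:
        return "refused"        # reachable, but this server does not host the zone
    if hdr["rcode"] == 2:
        return "servfail"
    if hdr["rcode"] == 3:
        return "nxdomain"
    if hdr["rcode"] == 0 and hdr["aa"] and hdr["ancount"] > 0:
        return "authoritative"
    return "not-authoritative"  # e.g. a referral or a non-AA answer

def is_lame(status):
    return status != "authoritative"

def probe(ns_ip, domain, timeout=2.0):
    """Send one SOA query over UDP to ns_ip; returns the parsed header or None."""
    qid = random.randrange(0, 65536)
    query = build_query(domain, qid=qid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (ns_ip, 53))
        data, _ = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    if len(data) < 12:
        return None
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        return None          # not a reply to our query; treat as unanswered
    return hdr

def audit(domain, ns_results):
    """ns_results: {nameserver: parsed header or None}. Returns the per-nameserver
    status table and the sorted list of servers that should be investigated."""
    statuses = {ns: classify(hdr) for ns, hdr in ns_results.items()}
    lame = sorted(ns for ns, st in statuses.items() if is_lame(st))
    return statuses, lame

# Constructed replies (not real captures) so the audit runs offline.
def constructed_reply(qid, flags, ancount):
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)

SAMPLE = {
    # AA set, one SOA record in the answer section: the zone really is hosted here
    "ns1.example-dns.invalid": parse_header(constructed_reply(1, 0x8400, 1)),
    # REFUSED with AA clear: delegated to this provider, but no zone configured there
    "ns2.example-dns.invalid": parse_header(constructed_reply(2, 0x8005, 0)),
    # no reply at all
    "ns3.example-dns.invalid": None,
}

if __name__ == "__main__":
    statuses, lame = audit("victim-example.invalid", SAMPLE)
    for ns, st in statuses.items():
        print(f"{ns:28s} {st}")
    print("investigate:", lame)
```

To run it against real infrastructure, resolve each of your domains' NS records, look up the nameserver addresses, and feed `probe(ns_ip, domain)` results into `audit`. A REFUSED or unanswered reply from a provider's nameserver for a domain you delegated there is the signal to act on: either add the zone to your account at that provider or remove the delegation, before someone else claims it.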