Bomb threat crooks used GoDaddy vulnerability to hijack popular domains

by Linas Kiguolis

Hackers responsible for the bomb threat campaign managed to hijack a large number of well-known domains


You have probably already heard about the bomb threat campaign that emerged on the 13th of December last year. Hackers sent email messages warning about bombs hidden in various public buildings (schools, hospitals, etc.) in the United States of America and Canada. To keep the bomb from being activated, victims were urged to pay $20,000 in BTC.[1]

Cybersecurity researchers investigated the campaign and found that it was carried out by exploiting a vulnerability at GoDaddy.[2] As a result, the hackers were able to hijack numerous domains, such as wothome.com, wotdonate.com, wotlifestyle.com, wotnetwork.com, Yelpmarketingservices.com, virtualfirefox.com, and others, which belong to Mozilla, Expedia, and Yelp.

However, this is not the only activity attributed to the same group of cybercriminals. They also misused the same weakness at GoDaddy to take over other well-known domains and scam victims with suspicious emails. In this case, the hackers threatened to release the victims' sex videos widely across the Internet unless the victims agreed to pay the demanded ransom.

Crooks used the spamming technique called “snowshoe”

Computer experts have figured out that the crooks were using a well-known spam technique recognized as snowshoe. The description of snowshoers looks like this:[3]

Snowshoers use many fictitious business names (DBA – Doing Business As), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small, permanent, well-identified range of sending IPs. 

Crooks responsible for spreading malicious emails worldwide and hijacking domains of well-known companies managed to make their emails look legitimate. As a result, users have no doubts while opening and reading these messages.

4000 domains, including the ones that belong to Facebook, Warner Bros, and McDonalds Corporation, hijacked

Cybersecurity researcher Ronald Guilmette discovered that the hackers misused around 4000 legitimate and well-known domains. Most of them belong to well-known owners:

  • Facebook
  • MasterCard International
  • Dignity Health
  • Warner Bros
  • McDonalds Corporation
  • Massachusetts Institute of Technology
  • etc.

According to the security researcher's speculations, there are links between the bomb threat phishing campaign and other malicious campaigns which include sextortion,[4] lost package delivery mails, tickets for parking, etc.

Guilmette found that the domains were affected because of a system vulnerability that allowed the hackers to carry out their illegitimate work. He asked GoDaddy for answers, and the company confirmed that he was right. It stated that the malicious activity was the result of misused DNS setup settings, which allowed the cybercriminals to create dubious DNS entries on the domains themselves.

A cybersecurity researcher has identified that the IP address came from a Russian provider

Even though cybersecurity researchers have not yet identified those responsible, Ronald Guilmette has found that the IP address associated with the hijacked domains came from Russia, as the attackers had been using the reg.ru provider. Moreover, Guilmette has guessed that the cybercriminals might have been hiding behind the name “Spammy Bear”.[5]

Some sources say that a closer look at orphan domains might reveal the answers. For example, the virtualfirefox.com domain, which was used for sending email messages about bomb threats, was resolved to an IP address that was connected to the reg.ru provider in December 2018.
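A defender-side check for the situation described above, as an added example that is not part of the original article: it audits a DNS snapshot of rarely used domains for A records and mail-related entries that point outside the owner's own networks. The domain names, IP ranges, snapshot data and the choice of SPF as the mail-related entry are constructed assumptions.

```python
import ipaddress

# Assumption: networks the domain owner really hosts in (documentation ranges).
APPROVED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed DNS snapshot for a portfolio of rarely used ("orphan") domains:
# (domain, record type, value). These are not real observations.
SNAPSHOT = [
    ("brand-promo.example", "A", "192.0.2.10"),
    ("brand-promo.example", "TXT", "v=spf1 ip4:192.0.2.0/24 -all"),
    ("old-campaign.example", "A", "203.0.113.77"),
    ("old-campaign.example", "TXT", "v=spf1 ip4:203.0.113.77 -all"),
    ("parked-brand.example", "A", "198.51.100.5"),
    ("parked-brand.example", "TXT", "v=spf1 +all"),
]

def approved(net):
    """True if `net` lies entirely inside one of the approved networks."""
    return any(net.subnet_of(a) for a in APPROVED_NETS)

def spf_findings(txt):
    """Return reasons an SPF record authorises senders outside APPROVED_NETS."""
    reasons = []
    for term in txt.split()[1:]:
        mech = term.lstrip("+")          # "+" is the default (pass) qualifier
        if mech == "all":
            reasons.append("SPF passes every sender (+all)")
        elif mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if not approved(net):
                reasons.append(f"SPF authorises unapproved {net}")
    return reasons

def audit(snapshot):
    """Map each domain to the findings raised by its DNS records."""
    findings = {}
    for domain, rtype, value in snapshot:
        if rtype == "A":
            if not approved(ipaddress.ip_network(value)):
                findings.setdefault(domain, []).append(
                    f"A record {value} outside approved networks")
        elif rtype == "TXT" and value.lower().startswith("v=spf1"):
            for reason in spf_findings(value):
                findings.setdefault(domain, []).append(reason)
    return findings

if __name__ == "__main__":
    for domain, reasons in audit(SNAPSHOT).items():
        for reason in reasons:
            print(f"{domain}: {reason}")
```

Run against a regular export of the zone data for every domain in the portfolio, a check like this surfaces entries the owner never created on domains nobody is actively watching.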

As for the cause of this attack, another cybersecurity researcher, Matthew Bryant, has discovered that the cybercriminals were able to launch it because of a vulnerability found at GoDaddy. The researcher thinks that the providers are responsible for this incident and should take care of it:

A lot of providers say: ‘It’s not our fault. It’s a user mistake,' Bryant explained. But if the case is that the user is going to make this mistake every time, it’s still a problem and it causes very real issues. Everybody can say: 'It’s this person’s responsibility. It’s not ours.’ But at the end of the day, it’s the providers who are going to have to take responsibility to get it fixed.

Furthermore, Guilmette has created a list of all known domains that have been hijacked by the Spammy Bear hackers. Some of them were used to send the malicious emails about the bomb. Sadly, while GoDaddy takes care of 74 million domains, 553,000 of them were left unprotected and vulnerable to the hacking attempt due to the DNS service security flaw that allowed the hackers to reach a large number of popular Internet domains.

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.


References

