GoDaddy Weakness Strikes Again
Bomb Threats, Hijacking and Mayhem
By: Cristal M Clark
Back in 2014, GoDaddy had an issue with its email servers being left unsecured for months. Millions of customers who paid GoDaddy to ensure that spam emails could not get through were left, well, pretty much SOL.
The company I worked for at the time did a lot of international travel, and when you travel to places like the UAE, sometimes, when that particular foreign government wants to, they can see your emails before you do, and when you start getting sexually explicit and vulgar emails it looks bad to those respective governments.
We called GoDaddy over the course of three long and painful months, just about every other day, getting nowhere; they were not telling customers the truth, until finally I was able to escalate our grievance so far up the ladder that GoDaddy finally came back and told us the truth.
Ever since then I have personally not been a huge advocate of GoDaddy’s. The dishonesty over that matter left a rather sour taste in my mouth.
Recently it was discovered that GoDaddy is responsible for yet another vicious worldwide situation. As I am sure you will recall, back on 12/13/18 rather troubling emails were being sent worldwide: email bomb threats, which caused complete hysteria, closures, lockdowns, and mass evacuations of schools, hospitals, malls and the like.
Well, all evidence points to GoDaddy services being the culprit that allowed the hoax emails demanding bitcoin.
Evidence obtained from the ongoing investigation shows that a weakness at GoDaddy allowed the scammers to hijack an estimated 78 domains, some of which belonged to some pretty big names: Expedia, Yelp, Mozilla, as well as other legitimate organizations and people.
That very same exploit allowed the cash-strapped scammers to hijack thousands of other domains belonging to another list of well-known organizations, for use in other malicious email campaigns.
One of those campaigns threatened to publish embarrassing sex videos, or proof of sexually explicit internet searches such as for pornography, unless targets paid. That particular campaign started long before the bomb threats; when I covered that story, it was noted that the campaign organizers obviously did not understand how to send a threat to those of us in the US. It was so poorly written that it was completely and utterly laughable.
The emails in December were sent using a technique commonly known as snowshoe spamming, which pretty much guarantees delivery because spreading the sending across many domains weakens the reputation metrics spam filters use to weed out, well, spam and junk mail.
Snowshoeing is a favorite because it utilizes well-known domains, domains that spam filters treat as trusted. For instance, Yelpmarketingservices.com is a Yelp domain, and it was hijacked and used in the December bomb threat campaign.
So far at least 78 domains have been identified as used; that number is more than likely to grow. As for the other domains used in the other campaigns, that number has yet to be reported but is more than likely even higher.
Unfortunately for GoDaddy, this is only the tip of the iceberg. It has long been known that GoDaddy has always had issues with orphan domains, and in this case the evidence is overwhelmingly clear that GoDaddy needs to clean up those orphaned domains that are sitting idle until the next large-scale spam email campaign.
Independent researcher Ronald Guilmette has discovered that over the last few years, a person or group has commandeered almost 4,000 domains belonging to about 600 people, companies or organizations. Some of those belong to McDonald's, Facebook (not shocking), International Hilton, MasterCard, just to name a few of the more well-known domains.
Ronald has given the individual or group the name Spammy Bear, which has subsequently been tied back to Russia, incidentally.
Here’s where things get a little sticky for GoDaddy: just about all of the hijacked domains had name servers listing domaincontrol.com, the domain for GoDaddy’s managed DNS service, just prior to coming under Spammy Bear’s control.
So no, this is not looking promising for GoDaddy at all. GoDaddy’s DNS service has supplied some of the most nefarious scammers on the Internet with an almost unlimited number of high-value domains. While GoDaddy would have you believe that the abuse relied on domain holders not properly locking down their DNS records, technically, DNS providers are ultimately responsible for the abuse of their services.
It is unclear whether GoDaddy will take responsibility for the glaring weakness within its DNS servers; given its prior history, I would venture to guess that the answer is no.
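The pattern the article describes, a domain whose name servers still point at a managed DNS provider that no longer serves a zone for it, is something a domain holder can audit for. The script below is an added example (not from the article, and not GoDaddy's or the researcher's code) that classifies such delegations; the domains and rcodes are constructed sample data, and `domaincontrol.com` is the only real name in it, taken from the article.

```python
"""Audit delegations for the "dangling" case described above: the parent zone's
NS records name a managed-DNS provider, but the provider answers REFUSED (or
SERVFAIL) for the domain's SOA because it hosts no zone for it. In a real audit
the rcodes come from querying each listed NS directly (e.g. dig SOA <domain> @<ns>).
All domains and answers below are constructed sample data."""
from dataclasses import dataclass, field

# Name-server suffixes of the managed provider being audited (from the article)
MANAGED_NS_SUFFIXES = ("domaincontrol.com.",)


@dataclass
class Delegation:
    domain: str
    nameservers: tuple                              # NS names published at the parent
    soa_rcode: dict = field(default_factory=dict)   # ns -> rcode for "SOA <domain>"


def classify(d: Delegation) -> str:
    """Return 'not-managed', 'healthy', 'dangling' or 'unreachable'."""
    managed = [ns for ns in d.nameservers if ns.lower().endswith(MANAGED_NS_SUFFIXES)]
    if not managed:
        return "not-managed"        # hosted elsewhere: outside this check's scope
    rcodes = [d.soa_rcode.get(ns, "TIMEOUT") for ns in managed]
    if all(rc == "NOERROR" for rc in rcodes):
        return "healthy"            # provider authoritatively serves the zone
    if any(rc in ("REFUSED", "SERVFAIL") for rc in rcodes):
        return "dangling"           # no zone at the provider: confirm, then fix or drop the NS
    return "unreachable"            # no answer at all: re-query before drawing conclusions


def audit(delegations) -> dict:
    """Map each domain to its status; the 'dangling' entries are the clean-up list."""
    return {d.domain: classify(d) for d in delegations}


# Constructed sample data (hypothetical domains, not real findings)
SAMPLE = [
    Delegation("shop.example", ("ns01.domaincontrol.com.", "ns02.domaincontrol.com."),
               {"ns01.domaincontrol.com.": "NOERROR", "ns02.domaincontrol.com.": "NOERROR"}),
    Delegation("old-campaign.example", ("ns21.domaincontrol.com.", "ns22.domaincontrol.com."),
               {"ns21.domaincontrol.com.": "REFUSED", "ns22.domaincontrol.com.": "REFUSED"}),
    Delegation("selfhosted.example", ("ns1.selfhosted.example.",),
               {"ns1.selfhosted.example.": "NOERROR"}),
    Delegation("stale.example", ("ns41.domaincontrol.com.",), {}),
]

if __name__ == "__main__":
    for domain, status in audit(SAMPLE).items():
        print(f"{status:12} {domain}")
```

Registrars and DNS providers can run the same classification over their own customer base to find idle delegations before someone else does.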
Cristal M Clark