‘Hacked’ Go Daddy Sites Serve Up Ransomware

Sophos asks how Go Daddy DNS records might have been compromised

Domain Name System (DNS) records of Go Daddy-hosted websites have been compromised, potentially placing many visitors at risk of infection with malware known as ransomware.

By hacking DNS records, cyber crooks have been able to add one or more subdomains with corresponding DNS entries, so some visitors who access affected webpages are sent to malicious websites. Where hackers tricked people into visiting those subdomains, malware may have been downloaded onto victims’ machines. Such attacks are good at getting around security protections.

“The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers,” a blog post from security firm Sophos read. “This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe.”
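The pattern Sophos describes, a zone whose apex still resolves correctly while added subdomains point at a rogue server, is one a zone owner can audit for by diffing current records against a baseline. The following is an added example, not code from the article or from Sophos; the zone dump, hostnames and netblocks are constructed and the baseline format is assumed.

```python
import ipaddress

# Constructed sample zone dump (not real Go Daddy data): (hostname, type, value).
# The apex, www and mail resolve to the legitimate host; two added subdomains
# resolve to an address the zone owner does not control.
SAMPLE_ZONE = [
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "A", "203.0.113.10"),
    ("mail.example.com.", "A", "203.0.113.25"),
    ("update.example.com.", "A", "198.51.100.77"),
    ("secure-login.example.com.", "A", "198.51.100.77"),
]

# Baseline the zone owner maintains: the hostnames they created themselves and
# the netblock their legitimate hosting lives in (assumed values).
EXPECTED_HOSTS = {"example.com.", "www.example.com.", "mail.example.com."}
LEGITIMATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def audit_zone(records, expected_hosts, legitimate_nets):
    """Return (hostname, value, reason) for every address record that deviates
    from the baseline: a hostname the owner never created, an address outside
    the legitimate hosting netblock, or both."""
    findings = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue  # only address records can redirect a visitor to a rogue host
        reasons = []
        if name not in expected_hosts:
            reasons.append("unexpected subdomain")
        addr = ipaddress.ip_address(value)
        if not any(addr in net for net in legitimate_nets):
            reasons.append("resolves outside legitimate netblock")
        if reasons:
            findings.append((name, value, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, value, reason in audit_zone(SAMPLE_ZONE, EXPECTED_HOSTS, LEGITIMATE_NETS):
        print(f"{host} -> {value}: {reason}")
```

Run against a fresh export of the zone, this flags the two injected hostnames while the legitimate records pass, which is exactly the case a URL-based filter misses because the parent domain looks trustworthy.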

Normally, as the illustration shows, victims can tell they are at the wrong site from the IP address, but this attack has apparently got round that.

DNS infection

Cool ransomware

From there, code runs, an exploit kit called ‘Cool’ is deployed, and ransomware is installed.

The ransomware served depends on the country of origin. In the UK, it is malware posing as a legitimate message from the Met’s Police e-Crime Unit (PCeU). It locks the computer, on the grounds that the computer was guilty of “unauthorised cyberactivity”, asking for payment to unlock it.

It remains unclear how the Go Daddy DNS records were hacked. The company had not responded to a request for comment at the time of publication.

Sophos suggested a likely cause was compromised user credentials, but was unable to check this as Go Daddy does not allow users to check historical login activity. “Enabling users to view historical login activity is a very simple way of helping to spot malicious activity early. Let’s hope Go Daddy change their stance on this,” the security firm added.

“Given the prevalence of attacks against web sites for the purpose of malware distribution it is high time that associated services (Registrars, hosting providers etc) pay adequate consideration to security.

“Users should not be allowed to use weak passwords. Two-factor authentication should be readily available, if not enforced.” Sophos has also contacted Go Daddy about the attacks.

In September, it was rumoured Go Daddy had been hacked, but the company said downtime was due to “a series of internal network events that corrupted router data tables”.
