The same "sophisticated" threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here's what to do.

The GoDaddy headquarters in Tempe, Arizona.
Source: GoDaddy

For years, the domain registrar and Web hosting company GoDaddy has experienced a cyber barrage of extraordinary scale, it has confirmed — affecting both the company and its many individual and enterprise clients.

As described in its 10K filing for 2022, released Feb. 16, the company has been breached once every year since 2020 by the same set of cyberattackers, with the latest occurring just last December. It's worth also mentioning that the company has been the subject of earlier cyber incursions as well. The consequences to GoDaddy are one thing, but, more notably, the breaches have led to data compromises for more than 1 million of the company's users.

That may well be the key to why the bad guys keep coming back. Because of the nature of its business, GoDaddy is a connecting link to millions of businesses around the world. As Brad Hong, customer success lead at Horizon3.ai, puts it: "This is the equivalent of your landlord's office being left unlocked, giving a bad actor access to the keys to your house."

GoDaddy's Three-Headed Breach

While the world was coming to grips with COVID-19, thousands of GoDaddy customers had a second problem on their hands. In March 2020, the company discovered that an attacker had compromised the login details for a small number of their employees, as well as 28,000 of their hosting customers.

It was a harbinger of worse things to come.

In November 2021, a threat actor got their hands on a password that allowed them access to Managed WordPress, GoDaddy's hosting platform for building and managing WordPress sites. This case touched 1.2 million Managed WordPress customers.

There was yet more. In a statement published alongside its 10K, GoDaddy shared details of yet a third compromise.

"In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected," the company said. It turned out that an attacker had breached and planted malware on the company's hosting servers for cPanel, a control panel program for Web hosts. This malware intermittently redirected users from the websites they intended to visit, to malicious sites.

In their statement, the company claimed to "have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities."

The Supply Chain Problem With Hosting Services

According to Domain Name Stat, GoDaddy is far and away the largest domain name registrar on the Internet, capturing more than 12% market share with its nearly 80 million registered domains. Scale, alone, would make it an attractive target for cyberattacks, but being a hosting service makes this a whole other animal.

"GoDaddy and other Web hosting sites are prime targets for adversaries looking to conduct supply chain attacks," says Allie Roblee, intelligence analyst at Resilience. A company may take care to implement strong security practices and software, shunting phishing attacks, and patching up software bugs, yet still be vulnerable through a trusted provider like their Web hosting service. "Breaching large service providers like GoDaddy allows adversaries to compromise organizations and individuals they may have been unable to get into directly."

Of course, once attackers get in through the side entrance, they can do anything from stealing credentials to dropping malware, redirecting users to malicious sites, planting backdoors for later use, and much more. But "the implications for these compromises go even beyond that of security," Hong warns.

Consider an innocent person who intends to visit a business's website, but instead ends up redirected to a malicious site. Would that person ever risk visiting that business' website again? This, Hong points out, "hurts the reputation and operations of thousands, if not millions, of legitimate businesses."

Beyond that, there's a broader cost. "Weak security at this vendor level additionally allows attackers to force multiply their ability to carry out whatever objective they wish to," he explains. Such compromises "not only provide them with rich PII and private key data intelligence, but also an extensive network of websites and servers to do their bidding — similar to an IoT botnet, but instead of multiplying traffic, it multiplies the chances of successfully carrying out attacks which rely on humans as a weakness."

What GoDaddy Customers Can Do

If it didn't end that first or second time, how likely is it that the campaign against GoDaddy is over now? "It's possible," Roblee warns, "that the attackers still have access to GoDaddy's infrastructure or have the capability to find vulnerabilities in the stolen source code they can exploit to regain access."

For that reason, she says, "customers should audit any recently changed or uploaded files on their website to ensure that malware has not been installed. Additionally, I would recommend checking historical DNS records to see if any of their domains had been temporarily redirected."
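The file audit recommended above can be scripted. The sketch below is an added example, not code from GoDaddy or the people quoted: it compares a live web root against hashes taken from a trusted copy of the site, because modification times alone can be reset after a file is altered. The directory names `public_html` and `trusted_copy` are assumptions.

```python
import hashlib
import os
import time

def sha256_file(path):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(webroot):
    """Map each file's path (relative to webroot) to (sha256, mtime)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the web root
            rel = os.path.relpath(full, webroot)
            manifest[rel] = (sha256_file(full), os.path.getmtime(full))
    return manifest

def audit(webroot, baseline, since_epoch):
    """Compare the live web root against a known-good baseline.

    baseline: {relative_path: sha256} from a trusted backup or deployment.
    since_epoch: start of the review window, as a Unix timestamp.
    """
    current = build_manifest(webroot)
    report = {"added": [], "modified": [], "removed": [], "recent_mtime": []}
    for rel, (digest, mtime) in sorted(current.items()):
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            # Caught by content hash even if the timestamp was reset.
            report["modified"].append(rel)
        if mtime >= since_epoch:
            report["recent_mtime"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report

if __name__ == "__main__":
    # Assumed directory names; the baseline comes from a trusted site copy.
    trusted = {p: h for p, (h, _m) in build_manifest("trusted_copy").items()}
    thirty_days_ago = time.time() - 30 * 86400
    for kind, paths in audit("public_html", trusted, thirty_days_ago).items():
        print(kind, paths)
```

Files listed under "added" or "modified" that do not correspond to a known deployment are the ones to inspect first; "recent_mtime" is a secondary signal only.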

Hong's advice is even simpler. "Affected businesses should change everything!" including all potentially affected login credentials, "and especially deprecating and creating fresh SSL private keys if using them."

Preventative measures will be more necessary going forward than ever before. As GoDaddy assessed in their 10K, the risk of attack "is likely to increase as we expand the number of cloud-based products we offer and operate in more countries."

GoDaddy declined to comment for this article beyond its published statement when contacted by Dark Reading.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
