This month, GoDaddy, a leading web hosting provider, revealed that it had experienced a major security breach over several years, resulting in the theft of company source code, customer and employee login credentials, and the introduction of malware onto customer websites.
It means that the hackers were able to access and modify certain websites hosted by GoDaddy, in a way that allowed them to install malicious software (malware) onto these websites.
This malware could then potentially harm visitors to these sites by stealing their personal information, infecting their devices, or performing other malicious actions.
While much of the media attention has focused on the fact that GoDaddy was targeted by the same group of hackers in three separate attacks. The threat actors typically employ social engineering tactics such as calling employees and luring them to a phishing website.
While reporting the matter to the U.S. Securities and Exchange Commission (SEC) the company said that the same group of hackers was responsible for three separate security breaches, including:
In March 2020, a phishing attack on an employee resulted in compromised login credentials for around 28,000 GoDaddy customers and a few employees.
In November 2021, attackers stole source code and information related to 1.2 million customers by using a compromised GoDaddy password, including website administrator passwords, sFTP credentials, and private SSL keys.
In December 2022, hackers accessed GoDaddy's cPanel hosting servers and installed malware that redirected some customer websites to malicious sites intermittently.
We don't have much information about the cause of the November 2021 incident, except that GoDaddy has said it involved a compromised password and took two months to discover. For the December 2022 malware breach, GoDaddy has not disclosed how it occurred.
However, we do know that the March 2020 attack was initiated through a spear-phishing attack on a GoDaddy employee. While GoDaddy had initially described the incident as a social engineering attack, one of their affected customers actually spoke directly to one of the hackers involved.
GoDaddy is a company with around 7,000 employees and an additional 3,000 workers through outsourcing firms in India, the Philippines, and Colombia.
When employees log in to company resources online, many companies require them to use a one-time password along with their regular username and password. This password can be sent via SMS or generated by an app. But this type of security measure can be easily bypassed by phishing attacks that ask for a one-time password along with the regular password.
However, using physical security keys is a multi-factor option that is resistant to advanced phishing scams. These keys are inexpensive USB devices that implement Universal 2nd Factor (U2F) multi-factor authentication.
Physical security keys are small devices that can help protect your online accounts from being hacked. When you log in to your account, you have to insert the key and press a button on it to complete the login process. This makes it hard for hackers to steal your password or trick you into giving it away. Even if you accidentally go to a fake website, the security key won't work and your account will stay safe.
