Hosting and domain name company GoDaddy says it believes a “sophisticated threat actor group” has been subjecting the company to a multi-year attack campaign, the most recent of which occurred in December 2022.
In December, it received complaints about customer websites being periodically redirected to malicious sites. It turned out malware caused the redirection after threat actors compromised GoDaddy’s cPanel shared hosting servers. How the attackers got in remains a mystery.
GoDaddy said in a statement:
“As our investigation continued, we discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites. Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.”
The company also said it believes that previous breaches in March 2020 and November 2021 were part of the multi-year attack campaign from the same threat actor group.
In March 2020, an attacker compromised 28,000 hosting account login credentials belonging to customers and some GoDaddy employees. Then, in November 2021, 1.2 million Managed WordPress hosting environments were compromised. The stolen data included email addresses, original WordPress admin credentials, database credentials, and private keys.
GoDaddy said it’s working on the ongoing issue:
“We are working with multiple law enforcement agencies around the world, in addition to forensics experts, to further investigate the issue. As we continue to monitor their behavior and block attempts from this criminal organization, we are actively collecting evidence and information regarding their tactics and techniques to help law enforcement.”
Make sure your hosting account is secure
If you are using GoDaddy or other hosting services, now is a good time to review your credentials and ensure your account is as locked up as possible. The guideline below is for GoDaddy customers:
- Remotely log out of your account. If you think your hosting account has been compromised, doing this will sign you and the possible attacker out from accounts opened on different devices and browsers.
- Use a password manager, which will help you create long and complicated passwords without having to commit them to memory. Password managers also help you avoid phishing sites by not filling in credential fields if you mistakenly end up on a phishing page you can’t distinguish from the real thing.
- Change your Support PIN. You can find this on your GoDaddy Login & PIN page.
- Change all your hosting-related email credentials and FTP passwords.
- Use two-factor authentication (if you’re not using it already) for that extra layer of protection for your account.
- Change the payment methods you have stored in your account, and delete those you don’t use. It would also be good to keep an eye on your bank account transactions and be ready to flag those that are fraudulent.
- Remove delegate access for anyone you’ve allowed into your account.
- Delete unknown API keys.
- Update your domain contact information to avoid anyone claiming ownership of your site.
Stay safe!
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.