WASHINGTON–Two of the most disruptive and widely received spam email campaigns of the past few months, an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses, government buildings and credit unions, were made possible by an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, according to a new report by KrebsOnSecurity.
The weakness let spammers send through approximately 4,000 domains, according to Brian Krebs.
“Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains tied to GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant website names currently owned and controlled by some of the world’s most trusted corporate names and brands,” wrote Krebs on his blog.
Similar Campaigns
Krebs noted that in July 2018, email users around the world began receiving spam that opened with a password the recipient had used at some point in the past and threatened to release embarrassing videos of the recipient unless a Bitcoin ransom was paid. On Dec. 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty Bitcoin ransom was paid by the end of the business day.
As CUToday.info reported, the latter threat led many credit unions to evacuate their buildings and contact police.
What’s been overlooked in the two campaigns, according to Krebs, is the degree to which each achieved an unusually high rate of delivery to recipients.
“Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains,” wrote Krebs. “The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.
“However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through website names that had already existed for some time, and indeed even had a trusted reputation,” Krebs continued. “Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies.”
Credit for Discovery
Krebs credited the latter discovery to anti-spam researcher Ron Guilmette, who found that virtually all of those companies had at one time received service from GoDaddy.com, the Scottsdale, Ariz.-based domain name registrar and hosting provider.
Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.
“But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016,” Krebs reported.
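The article does not spell out the mechanism behind that weakness. The following is an added example, not code from the article, from KrebsOnSecurity or from GoDaddy, and it assumes the weakness is the dangling-DNS pattern: a domain's records still point at a hosting provider's shared web servers or name servers after the owner's account there has lapsed, and a provider that does not verify domain ownership will let any new customer bind that name to their own account. The script audits zone snapshots for such records; the provider ranges, host names, zones and probe results are constructed for illustration.

```python
# Added example (not from the article, KrebsOnSecurity or GoDaddy): an offline
# audit that flags DNS records still pointing at a hosting provider's shared
# infrastructure when the provider no longer serves the name for its owner.
# All provider ranges, host names, zones and probe results are CONSTRUCTED.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Provider:
    name: str
    shared_ranges: Tuple[ipaddress.IPv4Network, ...]  # shared web-hosting IPs
    ns_suffix: str    # provider-operated name servers end with this
    web_suffix: str   # provider web hosts (CNAME targets) end with this


@dataclass(frozen=True)
class Finding:
    domain: str
    record: str     # e.g. "A 203.0.113.10"
    severity: str   # "claimable" (anyone can bind the name) or "verify"
    reason: str


# Constructed provider; 203.0.113.0/24 is RFC 5737 documentation space.
PROVIDER = Provider(
    name="ExampleHost",
    shared_ranges=(ipaddress.ip_network("203.0.113.0/24"),),
    ns_suffix=".examplehost.invalid",
    web_suffix=".sites.examplehost.invalid",
)

# Constructed zone snapshots, as a resolver would return them.
ZONES = {
    # Web hosting account closed years ago, DNS never cleaned up.
    "retired-brand.example": {
        "A": ["203.0.113.10"],
        "NS": ["ns1.examplehost.invalid", "ns2.examplehost.invalid"],
    },
    # Live site on the provider's platform.
    "www.active.example": {"CNAME": ["site42.sites.examplehost.invalid"]},
    # Delegated to the provider's DNS, but the zone was deleted there.
    "forgotten.example": {"NS": ["ns1.examplehost.invalid"]},
    # Self-hosted; nothing points at the provider.
    "selfhosted.example": {"A": ["198.51.100.7"], "NS": ["ns.selfhosted.example"]},
}

# Constructed probe results. A live audit would replace these with real checks:
# "web"  -> GET http://<shared ip>/ with "Host: <domain>" and look for the
#           provider's generic "no site configured" page;
# "zone" -> ask the listed NS directly for the domain's SOA and check for
#           REFUSED or a non-authoritative answer.
PROBES = {
    ("retired-brand.example", "web"): "unclaimed",
    ("retired-brand.example", "zone"): "served",
    ("www.active.example", "web"): "served",
    ("forgotten.example", "zone"): "unclaimed",
}


def constructed_probe(domain: str, kind: str) -> str:
    """Stand-in for network probes; unknown names default to 'served'."""
    return PROBES.get((domain, kind), "served")


def _in_shared_range(ip: str, provider: Provider) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in provider.shared_ranges)


def audit_zone(domain: str, records: Dict[str, List[str]], provider: Provider,
               probe: Callable[[str, str], str]) -> List[Finding]:
    """Flag every record that hands part of `domain` to the provider."""
    findings: List[Finding] = []

    def note(record: str, kind: str) -> None:
        if probe(domain, kind) == "unclaimed":
            findings.append(Finding(domain, record, "claimable",
                f"{provider.name} answers for this name but no account holds it; "
                f"anyone opening an account there can bind the {kind}"))
        else:
            findings.append(Finding(domain, record, "verify",
                f"{provider.name} still serves the {kind}; confirm it is your account"))

    for ip in records.get("A", []):
        if _in_shared_range(ip, provider):
            note(f"A {ip}", "web")
    for target in records.get("CNAME", []):
        if target.endswith(provider.web_suffix):
            note(f"CNAME {target}", "web")
    for ns in records.get("NS", []):
        if ns.endswith(provider.ns_suffix):
            note(f"NS {ns}", "zone")
    return findings


def run_audit(zones=ZONES, provider=PROVIDER, probe=constructed_probe):
    """Return {domain: [Finding, ...]} for every domain with at least one finding."""
    results = {}
    for domain, records in zones.items():
        found = audit_zone(domain, records, provider, probe)
        if found:
            results[domain] = found
    return results


def claimable(results: Dict[str, List[Finding]]) -> List[Tuple[str, str]]:
    """(domain, record) pairs that a stranger could bind to their own account."""
    return [(d, f.record) for d, fs in results.items() for f in fs
            if f.severity == "claimable"]


if __name__ == "__main__":
    for domain, fs in run_audit().items():
        for f in fs:
            print(f"{f.severity:9} {domain:24} {f.record:34} {f.reason}")
```

Run against the constructed data, the audit reports two claimable records: the A record of retired-brand.example (web vhost gone, DNS still pointing at the shared range) and the NS delegation of forgotten.example (zone deleted at the provider). The "verify" findings are the ones a domain owner should reconcile against the provider's account inventory; a name that is still served but by an account the company no longer controls looks identical from the outside.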
