The Current State of Domain Hijacking, and a specific look at the ongoing issues at GoDaddy

Domain hijacking is not a new problem, but it is one that gains strength if it is not countered effectively, and we have seen some disturbing trends in the last 6 months.

Cyber criminals are increasingly relying on legitimate and well established domains in order to carry out their maliciousness on the internet. Because of a recent sharp increase in “Business Email Compromise” (BEC) we are seeing more and more domain hijacking.

• The criminals carrying out this activity are using many weapons in their arsenal to gain access to legitimate domains: phishing, social engineering, exploiting vulnerabilities in DNS management software, and delivering malware that gives them access to the unsuspecting user’s information.
• Once they have gained the access to manipulate the DNS of the targeted domains, they will create new hostnames (domain shadowing) that point to a different IP range that is not associated with the root domain, while keeping the root domain intact. Alternatively, they will change the name servers of the domain to point to a new location.
• After they have changed the DNS, they use the positive and well-established reputation of these domains to carry out large scale spam sending and malware hosting campaigns. These are meant to gather more user credentials, infect systems with malware, or disrupt users and businesses to suit their own needs. Using the positive reputation of the stolen domains allows them to evade spam filters and other protection methods that depend on reputational data.

It would be logical to expect that registrars would be on top of the ever-changing landscape that is allowing criminal elements to exploit their users. However, Spamhaus is not seeing enough proactive and mitigating efforts by the world’s largest registrar, GoDaddy. In February we published an article What is going on at GoDaddy?. Two months have passed and we still are seeing a continual issue with legitimate domains registered at GoDaddy being hijacked for nefarious purposes.

The story begins with (the threat of) a “Boom!”

While issues with domain hijacking at GoDaddy have ebbed and flowed over the years, there have been notable events in the past year and a half that have created concern regarding GoDaddy’s commitment to resolving the threats posed to their users, and the collateral damage to the internet at large.

In January 2019, it was reported that some domains that were registered at GoDaddy had been sending ransom bomb threats the previous December. These messages appeared to be from domains owned by legitimate, well-known brands.

The group that appears to have been responsible for the GoDaddy hijacks (and the theft of approximately 4000 additional domains) was a Russian group nickednamed Spammy Bear by independent researcher Ron Guilmette.

• The group was exploiting a vulnerability in GoDaddy’s DNS setup platform that allowed them to register for free accounts. They would then use the automated service to send mail from dormant domains.
• In the research and report authored by cybersecurity journalist Brian Krebs, it was assumed that the vulnerability was related to a discovery by researcher Matthew Bryant in 2016.

Shortly after the reports of this vulnerability were published, GoDaddy stated that the issue has been resolved. Unfortunately, in February 2019, a new campaign began sending out GandCrab ransomware, leveraging the same types of domains that we wrote about in January. When queried, GoDaddy stated that the domains involved in the campaign had been overlooked in the previous sweep, and that the problem from the previous month had truly been resolved after a closer look.

But the problems are ongoing...

Since these two very public reports about the reportedly resolved vulnerability issues at GoDaddy came to light, domain hijacking by and large has not ceased and in fact continues apace. In June 2019, Spamhaus researchers observed a large number of domains that were being abused by miscreants who were adding hostnames to be used for their own malicious purposes (domain shadowing): Spamhaus observed over 10,000 domain-shadowed legitimate domains that were pointing to Russian infrastructure. Our researchers reported these domains to GoDaddy directly and received no response. Only when we began reporting the issue to a wider audience did we see domain shadowing resolve itself…but still received no public response from GoDaddy.

In December 2019, our researchers identified that once again, domains registered at GoDaddy were being hijacked by means of changes being made to the nameserver records.

Since that time, we have seen up to 100 newly hijacked domains daily, all pointing to Russian space. This information has been reported to GoDaddy multiple times, but we have received no response or acknowledgement that an issue has been identified or resolved. A worrisome issue regarding both of the incidents that our researchers have been tracking is that there is no clear explanation of the cause. When we find these hijacked GoDaddy-registered domains, we list them, and then their users reach out to ask us why. We’ve found that some users have implemented best practices, only to be hijacked again. No useful explanation has been provided to them by GoDaddy.

So, as we asked in February, we ask again now: “What is going on over at GoDaddy?”

We understand that GoDaddy is the largest domain registrar in the world, and as such is a big target and attracts a lot of attention from malicious parties on the internet. GoDaddy is also not alone in their struggle with domain hijacking - all registrars are vulnerable in some way. However, it would seem that they are inexplicably resistant to accepting freely offered help from the larger internet community.

Spamhaus’ mission is twofold: to protect users of the Internet, and to provide help and advice to operators that are under siege by malefactors. For anyone reading and learning about what we have seen and reported, please feel free to reach out to us and ask for help - that is what we’re here for.

Users that are being impacted by Hijacks and have been listed by Spamhaus

If you find that your domain has been hijacked, please first reach out to GoDaddy’s domain registration support. They will help you clean up and recover your account and/or domains. After everything has been restored, only then can Spamhaus remediate your listing. We cannot remove listings while they remain hijacked, for your safety and that of the rest of the Internet.

Come and learn more at our webinar with ISC!

We will be discussing what Spamhaus has seen from a domain hijacking perspective, some of the methods we have used to detect and track the hijacks, and some best common practices both domain owners and registrar/registries can implement to protect against those that wish to steal domains for their own malicious means. To participate, register on this page.