GoDaddy used as tool for cyberattacks

Hackers are using websites registered with GoDaddy as part of a scheme to break into Web users’ computers.

In a process known as “domain shadowing,” attackers are breaking into GoDaddy accounts and setting up false subdomains that send users to malicious websites. Those sites then inject dangerous code or “malware” into users’ computers, enabling cyberattacks.

At least 10,000 unique subdomains have been created for this kind of attack. The threat was reported Wednesday by Cisco Systems outreach engineer Nick Biasini.

“This is an increasingly effective attack vector since most individuals don’t monitor their domain registrant accounts regularly,” Biasini wrote in a blog post.

“This behavior has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses. Since this campaign has done an exceptional job of rotation not only the subdomains, but also the IP addresses associated with the campaign.”

The threat is proving effective given GoDaddy’s dominance as a domain registrar. The service has registered nearly one-third of the domain names online, according to CSO, which wrote about domain shadowing on Wednesday.

The trend also highlights the effectiveness of the Angler exploit kit, a bundled set of malicious online tools that seeks out vulnerabilities in a variety of software.

In the GoDaddy scheme, attackers use false subdomains to direct users to websites hosting Angler, Biasini wrote. He described the kit as the “best … on the market.”
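The monitoring gap Biasini describes can be closed by auditing a domain's DNS records against a known-good list. The sketch below is an added example, not code from Cisco or GoDaddy. The zone export, baseline names, and address ranges are constructed sample data, and `parse_zone` and `audit_zone` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data (assumptions for illustration, not from the article).
BASELINE = {"example.com.", "www.example.com.", "mail.example.com."}
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
ZONE_EXPORT = """\
; constructed zone export for example.com
@      3600 IN A   192.0.2.10
www    3600 IN A   192.0.2.10
mail   3600 IN A   192.0.2.25
@      3600 IN MX  10 mail.example.com.
qzxv1  300  IN A   198.51.100.7
kd8s2  300  IN A   203.0.113.44
"""

def parse_zone(text, origin):
    """Yield (fqdn, rtype, rdata) from simple 'name ttl IN type rdata' lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blanks
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = fields
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}"
        yield fqdn.lower(), rtype.upper(), rdata.strip()

def audit_zone(text, origin, baseline, own_networks):
    """Return records whose name or address the domain owner does not recognise."""
    findings = []
    for fqdn, rtype, rdata in parse_zone(text, origin):
        reasons = []
        if fqdn not in baseline:
            reasons.append("name not in baseline")
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)
            if not any(ip in net for net in own_networks):
                reasons.append("address outside known networks")
        if reasons:
            findings.append((fqdn, rtype, rdata, reasons))
    return findings

if __name__ == "__main__":
    for fqdn, rtype, rdata, reasons in audit_zone(
            ZONE_EXPORT, "example.com.", BASELINE, OWN_NETWORKS):
        print(f"{fqdn} {rtype} {rdata}: {', '.join(reasons)}")
```

Run on a schedule against a fresh export of the zone, a check like this flags shadowed subdomains by what the owner never created rather than by a blacklist, so rotating names and IP addresses does not hide them.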