GoDaddy Refund Email Phishing

Being a widely popular web hosting provider, GoDaddy obviously has a line of different options for money chargebacks. Some people are not happy with how the service works, some people want to cancel the domain parking or hosting due to personal reasons – refund emails are typical for such requests. This is where hackers decided to take inspiration from.

Random users started receiving emails with the topic set as “GoDaddy Refund”. It touched even ones who have never ever interacted with the company and its services. There were no reported cases of using compromised emails that belong to GoDaddy. These emails contain a pretty standard notification about the incoming refund and the link to a page “where you can get the refund details”. Obviously, even when a person is new to GoDaddy, they will most likely be eager to check it up. This link leads to a page that, once again, repeats a genuine one used by the company to share documents.

The page, however, does not start a direct download, and instead redirects the victim to a Discord URL, where the .zip archive is downloaded. This archive contains an .lnk file, disguised as a PDF document, which launches the PowerShell script. The latter initiates downloading and running the Invicta stealer.

Invicta Stealer Description

Invicta is a pretty unique example of an infostealer. By default, it is free and open-source, meaning that its source code is available to the public on GitHub. Another malware with similar philosophy is HiddenTear ransomware – one in its kind as well. Though in the Telegram group where the stealer developers are promoting their stealer, there are the offers to purchase the web panel access for $50.

However, other details of Invicta are way less unusual. Same as other modern-time stealers, it applies several anti-analysis and anti-detection tricks upon execution. Then, it routinely starts with grabbing Discord and Steam session tokens and crypto wallets information. The latter is collected only from desktop apps, while most of other stealers will also aim at browser extensions as well. Browsers are treated separately: malware takes every piece of a file that can contain valuable information. It also can target the KeyPass password manager app – less common, but still expected capability.

Targeted browsers and cryptowallets

Aside from passwords and session tokens, Invicta stealer gathers some trivial information regarding the system. It is a system screen size, CPU count, OS version and build, HWID, time zone and username. Malware can also gather other data when receiving a corresponding command – for example, enumerate users and installed programs. That data is commonly used to fingerprint the system, but can also be useful to emulate the victim’s system for more precise session hijacks.

How to protect yourself?

Here, two vectors of protection may be applied. First is proactive – the counteraction to email spam and phishing pages on the Web. Another one is rather a second line of defence – the one which protects against the spyware/stealer payload.

Pay attention to emails you’re opening. Most of the time, they are harmless – but that is what hackers want you to think. If you’ve received an email which you do not expect to receive, or its contents are not typical to what the sender typically sends, it is better to perform a diligent checkup. Most of the time, you will find differences in the sender’s email address, and, in some cases, typos or mistakes in the message body. Though, in rare cases of business email compromise, it may be hard to say whether the sender is legit or not. For that reason, relying entirely on your attention is not a guarantee.

Use anti-malware software with network monitoring. Here, anti-malware programs will act as both reactive and proactive solutions. Having a netmonitor makes it useful for preventing you from accessing phishing pages. Meanwhile, when malware manages to arrive at your device, it will still be blocked, especially when the program has a well-designed proactive protection system. GridinSoft Anti-Malware is the one you may rely on – consider giving it a try.

The post GoDaddy Refund Phishing Emails Spread Infostealer appeared first on Gridinsoft Blog.

One of the world’s largest hosters and domain name registrars, GoDaddy, reports that hackers have compromised the company’s infrastructure. Worse, the company concluded that this was just one in a series of related incidents. It turns out that unknown attackers had access to the company’s systems for several years, were able to install malware on its servers, and stole the source code.

Let me remind you that we also reported that the Epik hoster hack affected 15 million users, not just the company’s clients, and also that Fosshost, an Open-Source Project Hosting, Is Closing Down as Its Leader Disappeared.

According to a report filed by the company with the U.S. Securities and Exchange Commission, the security breach was discovered in December 2022, when customers began reporting that their sites were being used to redirect visitors to random domains. After conducting an investigation, GoDaddy experts came to disappointing conclusions:

It turned out that in December 2022, an attacker gained access to cPanel hosting servers, which customers use to manage sites hosted by GoDaddy. Then the hackers installed some kind of malware on the servers, and the malware “periodically redirected random client sites to malicious ones.”

In addition, incidents dated November 2021 and March 2020 are also reported to have been linked to these attackers.

Let me remind you that in 2021 it became known about the strange compromise of 1.2 million sites running on WordPress. All affected resources were hosted by GoDaddy, and then the company claimed that there was a hack and data leakage: the attackers gained access to the email addresses of all affected clients, their WordPress administrator passwords, sFTP and database credentials, and private SSL keys.

In 2020, GoDaddy notified 28,000 customers that in October 2019, attackers used their credentials to log into a hosting account and connect to their account via SSH.

Now, GoDaddy says it has found additional evidence linking these attackers to a larger malware campaign that has been going on for years against other hosting companies around the world.

GoDaddy is known to have engaged third-party security experts in the ongoing investigation and is also working with law enforcement around the world to uncover the source of these years-long attacks.

The post Hackers Attacked GoDaddy and Stayed on the Company’s Systems for Several Years appeared first on Gridinsoft Blog.