In recent news, GoDaddy, a leading web hosting company, revealed that a GoDaddy breach spanning multiple years had resulted in the theft of company source code, customer and employee login credentials, and the placement of malware on customer websites. While media outlets have understandably focused on the admission that GoDaddy was targeted by the same hacking group in three separate cyberattacks, it is important to revisit the group’s typical method of entry into targeted companies: social engineering, in which the attackers phone employees and deceive them into visiting phishing websites.
According to a Securities and Exchange Commission filing, GoDaddy’s Chief Information Security Officer Demetrius Comes reported that the company had detected unauthorized access to the systems that host and manage its customers’ WordPress servers. WordPress is a widely used web-based content management system for creating blogs or websites, and GoDaddy allows customers to host their own WordPress installations on GoDaddy’s servers.
In a statement on Thursday, GoDaddy announced that it had detected malware on its network and disclosed that hackers had stolen portions of its code. The intrusion was brought to GoDaddy’s attention in December 2022 when customers started reporting unusual website redirections, but GoDaddy has yet to confirm the exact number of customers affected. Law enforcement officials are now investigating the matter and have informed GoDaddy that the hackers’ objective is to spread malware on websites and servers for malicious purposes, including phishing campaigns and malware distribution.
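The customer-reported symptom above, unexpected redirections, is something a site owner can check for without waiting on the host. The following is an added example, not code from GoDaddy or from the original article: an offline checker that inspects an HTTP response for redirect targets (a 3xx Location header, an injected meta refresh, or a JavaScript location assignment) and flags any that point off the site. The allowed hostnames and the sample responses are assumed and constructed for illustration, not real captured traffic.

```python
import re
from urllib.parse import urlparse

# Hostnames the site legitimately redirects to (assumed example values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Patterns for client-side redirects commonly found in tampered pages:
# <meta http-equiv="refresh" content="0;url=..."> and location assignments.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_targets(status, headers, body):
    """Return every redirect target found in one HTTP response: the
    server-side Location header (3xx only) plus client-side meta refresh
    and JavaScript location assignments found in the body."""
    targets = []
    if 300 <= status < 400 and "Location" in headers:
        targets.append(headers["Location"])
    targets += META_REFRESH.findall(body)
    targets += JS_LOCATION.findall(body)
    return targets


def is_offsite(url, allowed_hosts=ALLOWED_HOSTS):
    """True when the target has a hostname outside the allowed set.
    Relative URLs carry no hostname and therefore stay on the site."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in allowed_hosts


def suspicious_redirects(status, headers, body, allowed_hosts=ALLOWED_HOSTS):
    """Redirect targets in the response that leave the allowed hosts."""
    return [t for t in redirect_targets(status, headers, body)
            if is_offsite(t, allowed_hosts)]


# Constructed sample responses (status, headers, body); not real traffic.
SAMPLES = {
    "clean": (200, {}, "<html><body><a href='/about'>About</a></body></html>"),
    "server_redirect": (302, {"Location": "http://attacker.invalid/landing"}, ""),
    "meta_refresh": (200, {},
                     '<meta http-equiv="refresh" content="0;url=https://attacker.invalid/x">'),
    "js_redirect": (200, {},
                    "<script>window.location.href='https://attacker.invalid/y';</script>"),
    "internal_js": (200, {}, "<script>location='/login';</script>"),
}


def scan_samples():
    """Run the check over every constructed sample; maps name -> offsite targets."""
    return {name: suspicious_redirects(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {'SUSPICIOUS ' + str(hits) if hits else 'ok'}")
```

In practice the response tuple would come from fetching each page of the site on a schedule; comparing the result against the allowed-host set turns the "unusual redirection" a visitor might notice into an alert the owner sees first. The regexes are deliberately simple and will miss obfuscated JavaScript, so treat a clean result as one signal, not proof that the site is untouched.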
However, the situation is even worse than it seems. GoDaddy also reported that it believes the same group of hackers that breached their network in March 2020 is responsible for this latest incident. In that previous attack, the hackers gained access to the login credentials of 28,000 customers and some of GoDaddy’s staff. Then in November 2021, the hackers used a stolen password to compromise 1.2 million customers’ WordPress instances, giving them access to email addresses, usernames, passwords, and, in some cases, the SSL private keys of their websites. GoDaddy’s internal investigation suggests that these attacks were part of a long-term campaign by a highly sophisticated threat actor group.