Explained | The multi-year attack on GoDaddy servers and its impact  

GoDaddy is one of the largest domain registrar and web hosting platforms.
| Photo Credit: Special Arrangement

The story so far: On 16 February, an unauthorised third-party gained access to GoDaddy servers in its cPanel shared hosting environment, the company shared in a blog post. Attackers installed malware on servers causing intermittent redirection of customer websites to malicious sites leading to increased chances of successful phishing campaigns. Attackers also obtained pieces of code related to some services used by the company.

What does GoDaddy do?

GoDaddy is one of the largest domain registrar and web hosting platforms. The company offers services like eCommerce solutions, SSL certificates, professional business emails, web servers, and website builders. Its WordPress shared hosting services allow users to manage and build websites using plug-ins and themes. GoDaddy currently has 1.5 million paying customers with $4 billion in revenues, according to its latest SEC filing.

How did the attack happen?

The attack on its servers in December 2022 granted threat actors access to the company’s shared servers. Cybercriminals obtained pieces of code related to some services within GoDaddy and installed malware that intermittently redirected random customer websites to malicious sites. The company shared that the redirects were happening on seemingly random websites hosted on its cPanel shared hosting servers and were not easily reproducible by GoDaddy, even on the same website. A cPanel is an online Linux-based graphical interface (GUI) used as a control panel to simplify website and server management for website owners and developers. These redirects could be used by threat actors to run successful phishing campaigns on the websites of GoDaddy users.

(For top technology news of the day, subscribe  to our tech newsletter Today’s Cache)

What are redirects, and how do they work?

Redirect, redirecting, or URL forwarding is a method used to ensure that web pages with more than one URL can be accessed by users who do not have the precise, or all the existing, URLs.

Redirects are predominantly used when a site is shifted to a new domain when multiple URLs are available for the same webpage. Or, when two or more websites are merged, and when a web page is removed and users are sent to a new page to ensure continued services.

Setting up a server-side redirect, the kind used by threat actors in the attack on GoDaddy servers requires access to server configuration files or setting the redirect headers with server-side scripts.

End-users are mostly unaware when they are being redirected to a new web page unless the web browser they use notifies them. However, redirects can be used by threat actors to get unsuspecting users to visit, interact and share information on malicious web pages.

What is the timeline of the cyberattack?

The attack on GoDaddy servers was reported on 16 February 2023. It was first discovered in December 2022 after the company investigated customer complaints about their sites being used to redirect to random domains. In November 2021 an attack was initiated using a compromised password, through which an unauthorised third party accessed the provisioning system in the company’s legacy code which at the time impacted 1.2 million active and inactive MWp (Managed WordPress) customers across GoDaddy brands.

Earlier in March 2020, a threat actor compromised the hosting login credentials of approximately 28,000 hosting users on GoDaddy. The company, in its SEC filings, said it believed the attacks between 2020 and 2022 were carried out by the same threat actor group. And the cyberattack in December 2022, which led to shared servers being affected was part of the multi-year attack.

In April 2022, Cybernews reported hundreds of compromised WordPress sites running malicious phishing adverts, with GoDaddy being hit the most with 42 infected websites.

What does this mean for GoDaddy?

After the December 2022 attack, GoDaddy said it was working with multiple law enforcement agencies and forensic experts around the world to investigate the attacks and help stop future attacks. The company also said it believed the incident was part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on its systems and obtained pieces of code related to some services within its platform.

Law enforcement confirmed evidence which pointed that the incident was carried out by a sophisticated and organised group targeting hosting services with the intention of infecting websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities, the company shared.

The company further shared that it is monitoring the behaviour of threat actors and working on blocking further attempts from the threat group.

What was the impact of the attack?

“To date, these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations”, GoDaddy shared in its SEC filings.

However, the impact of phishing campaigns carried out by threat actors by intermittently redirecting customers’ websites is yet to be ascertained.

Also, since cyber threats are constantly evolving, increasing the difficulty of detecting and successfully defending against them, GoDaddy believes future incidents may increase the risk of higher sanctions, or investigations into past incidents.

And since GoDaddy’s business involves the storage and transmission of confidential information, including personal information and payment card information they could be subject to liability, loss of business, litigation, government investigations, or other losses in case of a breach of sensitive data.