GoDaddy unwittingly became a part of a bomb threat hoax that affected at least 78 domains

• The flaw in GoDaddy can let hijackers to affect many major internet service providers and is being actively abused for snowshoe spamming.
• More than 553,000 domains managed by GoDaddy are estimated to be vulnerable to hijack.

GoDaddy.com was found to have a serious flaw that allowed hackers to hijack at least 78 domains and create two disruptive spam email campaigns. The affected domains belonged to Expedia, Mozilla, Yelp and other legitimate people or organization.

In December 2018, an email threatening to blow up schools and buildings had triggered mass evacuations and lockdowns in the US and Canada. The scammers demanded $20,000 in ransom and used 78 domains to send the threatening emails.

Krebs on Security said the scams, a bomb threat hoax and a sextortion email campaign from 2018, were made possible by abusing the flaw in GoDaddy. The vulnerability was discovered by an independent researcher Ronald Guilmette and it allowed any user to add a domain to their account without any verification.

Experts warn that the same flaw can let hijackers affect many major internet service providers and that it is being actively abused for snowshoe spamming - launching phishing and malware attacks via reputable domains. The technique gets its name because, like a snowshoe, it distributes the heavy load evenly across a wide area.

Spammy Bear held responsible for the attacks

Guilmette has held ‘Spammy Bear’ cybercrime group or person for this attack. This is because a majority of the hijacked domains used in the spam campaigns tracked back to the Internet addresses in Russia.

Gulimette’s further investigation revealed that the Spammy Bear has commandeered almost 4,000 domains belonging to about 600 people or organizations.

The list of registered domain holders includes Facebook, MasterCard International, Hilton International, ING Bank, Dignity Health, the Church of Scientology, Warner Entertainment, Massachusetts Institute of Technology and more.

A thorough investigation of these scams found that virtually all of the affected domains received domain-resolution service from GoDaddy.com before they were hijacked. More than 553,000 domains managed by GoDaddy are estimated to be vulnerable to hijacking attacks.