Earlier this month, Go Daddy confirmed that hundreds of its websites were compromised, resulting in visitors being redirected to a malicious site.
“Go Daddy’s Security Team detected that approximately 445 hosting accounts were compromised. The accounts were accessed by using the account holder’s username and password. Visitors who tried to enter these sites via certain search engines were redirected to a site attempting to install malware on their computer”, Todd Redfoot, chief information security officer at Go Daddy, told Domain Name Wire.
Percoco said that the most likely method used by the attacker to obtain the username and password was through a targeted phishing attack.
“It isn't too technically difficult to search for websites hosted at a specific provider, in this case Go Daddy, and obtain an email address of the points of contact of the owners of the various websites. Once that is obtained the attackers can send a phishing email prompting those users to login to their Go Daddy account to confirm or update some information. At that point the attackers would be able to intercept the username and passwords used to manage the sites that were compromised”, Percoco observed.
The attacker then injected malicious code into the .htaccess file used for authentication by the Go Daddy hosted website. “Once a user visited the site, the code could be executed on the visitor’s local computer. In this case it seems the malicious code was used to redirect the visitor to other malicious websites”, Percoco explained.
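A defender-side check for the kind of change described above, as an added example that is not part of the original article or Go Daddy's own tooling: it flags mod_rewrite rules in a .htaccess file that send visitors to an outside host only when the Referer names a search engine. The search-engine pattern, the function name and the sample file contents are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed list of search-engine names to look for in Referer conditions.
SEARCH_REFERER = re.compile(r"google|bing|yahoo|aol|search", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
ANY_COND = re.compile(r"^\s*RewriteCond\b", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_referer_redirects(htaccess_text, own_hosts):
    """Return (line_no, target) for every RewriteRule that points at a host
    outside own_hosts and is guarded by a search-engine Referer condition."""
    own = {h.lower() for h in own_hosts}
    findings = []
    referer_guard = False  # True while pending RewriteCond lines test the Referer
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = REFERER_COND.match(line)
        if cond:
            if SEARCH_REFERER.search(cond.group(1)):
                referer_guard = True
            continue
        if ANY_COND.match(line):
            continue  # other conditions belong to the same pending rule
        rule = RULE.match(line)
        if rule:
            target = rule.group(1)
            host = urlparse(target).hostname  # None for relative targets
            if referer_guard and host and host.lower() not in own:
                findings.append((line_no, target))
            referer_guard = False  # conditions apply only to the next rule
    return findings


# Constructed sample, not taken from the incident.
SAMPLE = r"""# site rules
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC]
RewriteRule .* http://redirect.example.invalid/in.php [R=301,L]
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""

if __name__ == "__main__":
    for line_no, target in find_referer_redirects(SAMPLE, {"example.com", "www.example.com"}):
        print(f"line {line_no}: search-engine visitors redirected to {target}")
```

Because such a rule fires only for visitors arriving from a search result, the site owner browsing directly to the site sees nothing unusual, which is why checking the file itself is more reliable than loading the page.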
While Go Daddy removed the malicious code from the websites, Percoco said that the attacker could have made other modifications to the websites “including modifying how the sites accept and process credit card or other payment data”.
Percoco cautioned that “this same technique could be used against any organization that has a website with a likely high success to failure ratio with minimal effort when applied across a large population, such as a hosting provider with hundreds of thousands of websites.”