Phishing was the way attackers were able to get into the DNS records of Go Daddy hosted websites last week so that they could redirect victims to malicious sites hosting the Cool exploit kit and ultimately leading to ransomware.
It was unknown whether the DNS record hijacking was due to a security hole or stolen login credentials, but Scott Gerlach, Go Daddy’s Director of Information Security Operations, said it was because of a phishing expedition.
“Go Daddy has detected a very small number of accounts have malicious DNS entries placed on their domain names. We have been identifying affected customers and reversing the malicious entries as we find them. Also, we’re expiring the passwords of affected customers so the threat actors cannot continue to use the accounts to spread malware,” he said.
“We suspect that the affected customers have been phished or their home machines have been affected by Cool Exploit as we have confirmed that this is not a vulnerability in the My Account or DNS management systems.”
He advised customers located in the U.S. and Canada to enable two-step authentication to help protect their accounts and prevent this from happening to them. The rest of the customers will have to wait for the option to become available.