Compromised Website Update 5/20/10
An attack impacting less than 200 accounts happened this morning. Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.
We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.
As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.
Thank you,
Todd Redfoot, Chief Information Security Officer
See the message below for complete details on what is happening.
Compromised Website Update 5/15/10
You’re most likely aware of the recent wave of attacks that have been happening across multiple hosting providers. The total scope of the attack has been rather small, less than one tenth of one percent of all Go Daddy hosted websites, but there is a lot of discussion and misinformation going on about this issue, so I’d like to give you the complete story.
When we first saw the attacks, the common denominator was WordPress sites – specifically those running older versions of the software.
The Go Daddy Security Operations Center reached out to WordPress and discussed the situation. Using the information we had at the time, Go Daddy and WordPress came to a conclusion the attack was affecting older versions of WordPress.
Using this information, we identified our customers using out of date WordPress installations and aggressively attempted to contact them, encouraging them to upgrade their software and avoid being impacted.
After more attacks, further evidence suggested the target was not WordPress.
This is a complex attack with many components. Here is a high-level overview of how they occur:
1) The attacker is coordinating attacks against three different hosting providers for this to work.
- At Hosting Provider ‘A’ – A malicious file is placed on hosting accounts at this provider. No two files have the same name.
- At Hosting Provider ‘B’ – A file is uploaded listing the infected domain names and unique file names from provider ‘A.’
- At Hosting Provider ‘C’ – A malicious “scareware” site is placed on compromised accounts.
2) After the attackers put their files in place, they use Hosting Provider ‘B’ to trigger the malicious files on Hosting Provider ‘A.’ When triggered, the malicious file:
- Scans the hosting account for any php file
- Injects malicious content, installing malware that directs to Hosting Provider ‘C’
- Removes any trace of itself from ‘Hosting Provider B’
3) The attack is complete when an infected website receives a visitor. The visitor, if not adequately protected, will have malware installed on their machine.
4) The malware prompts the user of the infected computer to purchase fake anti-virus software, hosted at Hosting Provider ‘C.’
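To show what an account owner or hosting administrator can do with the description in steps 1) through 4), here is an added example (not Go Daddy's tooling, and not code from the original post): a Python integrity check that hashes every PHP file in an account against a known-good manifest and flags the mass-modification pattern left behind when step 2) rewrites every PHP file in one sweep. The injected marker string, the hostname and the sample files are constructed for the demo.

```python
import hashlib
import os
import tempfile
INJECTED_MARKER = '<script src="http://scareware-host.example/fakeav.js"></script>'  # constructed

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def php_files(root):
    """Yield every .php file under root, the same set the injector scans for."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".php"):
                yield os.path.join(dirpath, n)

def build_manifest(root):
    """Hash every PHP file. Build this from a known-good copy, not from a site already live."""
    return {os.path.relpath(p, root): sha256_file(p) for p in php_files(root)}

def find_changed(root, manifest):
    """Relative paths whose hash no longer matches the manifest, or that were never in it."""
    return sorted(os.path.relpath(p, root) for p in php_files(root)
                  if manifest.get(os.path.relpath(p, root)) != sha256_file(p))

def mass_modified(root, changed, window=300):
    """The injector rewrites every PHP file in one sweep, so their mtimes cluster tightly.
    True when all changed files were modified within `window` seconds of each other."""
    if not changed:
        return False
    mtimes = [os.path.getmtime(os.path.join(root, rel)) for rel in changed]
    return max(mtimes) - min(mtimes) <= window

def demo():
    """Constructed scenario: three clean PHP files plus a CSS file, then an injection sweep."""
    root = tempfile.mkdtemp()
    files = {"index.php": "<?php echo 'home';", "about.php": "<?php echo 'about';",
             "util.php": "<?php function helper() {}", "style.css": "body {}"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    manifest = build_manifest(root)
    clean = find_changed(root, manifest)      # [] before the attack
    for p in php_files(root):                 # attack step 2: append the redirect to every PHP file
        with open(p, "a") as f:
            f.write("\n" + INJECTED_MARKER)
    changed = find_changed(root, manifest)
    return clean, changed, mass_modified(root, changed)
```

A real deployment keeps the manifest outside the web root (the injector scans the account itself) and re-runs the check on a schedule, alerting when the changed set covers every PHP file at once.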
Go Daddy and many other hosting and security companies are aware of this attack strategy. One point of the attack we are all working to stop is the malicious file from being placed on Hosting Provider ‘A.’
I’d like to provide some additional perspective to illustrate just how frustrating these attacks have become.
When a Go Daddy customer website is compromised, the individual can contact our 24×7 Customer Care and a ticket is opened to our security team. Our security team investigated more than 17,000 incidents last year and provided feedback to correct the issue. The compromises typically range from outdated software to weak passwords.
Go Daddy is experienced at deterring malicious attacks. In fact, on a daily basis, Go Daddy blocks over 100,000,000 attacks. On a weekly basis, we stop 6,000-10,000 DDoS attacks.
So when Go Daddy pools the resources from its Security Operations Center (SOC), Security Projects Engineering and Response (SPEAR) Team, Security Researchers and Penetration Testing teams – and still cannot get to the bottom of an issue – you can imagine the frustration.
In the meantime, here are the efforts our teams have taken:
- Go Daddy regularly communicates with other hosting companies such as The Planet, HostGator, Dreamhost and MediaTemple. We are exchanging information and observations to help solve this problem for everyone.
- Go Daddy is in communication with researchers from five of the largest security vendors. These discussions have brought new leads to the investigations. At this stage they are just theories, so I will refrain from elaborating.
- Go Daddy contacts the registrars and hosting provider where the fake anti-virus sites are hosted (‘Hosting Provider C’), to have the sites shut down. While this is only a temporary solution, it prevents potential infections. When the malware is moved, Go Daddy repeats the process and contacts the newly affected registrar and hosting provider.
- Go Daddy is expanding and tuning our security tools to help identify the attack vector.
While I know this is frustrating for customers, I wish to assure you we have people working 24×7 to identify and correct the issue.
We appreciate your patience and thank you for being a valued Go Daddy customer.
- Neil Warner, Go Daddy Chief Information Officer