Hackers have altered DNS records of websites hosted by Go Daddy, with the aim of infecting visitors with ransomware. The attackers are adding subdomains to the DNS records, pointing to a malicious IP address under their control, allowing victims to believe they are going to the right website, and for the pages to avoid various security protection mechanisms. This attack comes two months after an alleged attack on the Go Daddy network.
The server being pointed to has what is known as the Cool Exploit Kit, which according to Sophos is malware installation that uses a number of different vulnerabilities, in an effort to infect the visiting computer. Once infected, users are presented with a payment page that displays region-specific content that makes the computer appear as if it’s been locked down by local law enforcement. The page uses a webcam that claims to record the user for identification purposes as well as a list of potential offenses that the user is said to have committed, and that if a fine is not paid within a certain timeframe, the computer would be locked down completely.
Affected webmasters are asked by Sophos to check their DNS records as soon as possible, and for visitors infected with the ransomware to consult someone that knows how to remove it from their system. Sophos has also contacted Go Daddy about the issue, and suggested to the company that it allow users to check the times account credentials have been used to access the control panel for a domain.
