Cyber Incident Victim: GoDaddy
Date: Mar 2020
Location: Malaysia
Summary
A spear-phishing attack compromised a customer service employee at GoDaddy, enabling unauthorized access to modify domain settings for multiple customers, including Escrow.com. The attacker altered Escrow.com's homepage to display a plain text message for approximately two hours, though the company confirmed no internal systems, customer data, funds, or domains were breached beyond the temporary website defacement. The incident highlighted risks stemming from compromised registrar employee credentials affecting third-party domain configurations.
Description
On or around March 30, 2020, a spear-phishing attack compromised a customer service employee at GoDaddy, the world’s largest domain registrar. The phishing incident granted the attacker access to view and modify critical customer records within GoDaddy’s systems. This unauthorized access was exploited to alter domain settings for approximately six GoDaddy customers, including Escrow.com, a transaction brokering platform. The attacker modified Escrow.com’s domain configuration, leading to a defacement of its homepage. Starting around 5:00 p.m. Pacific Time on Monday, Escrow.com’s website displayed a crude plain-text message instead of its normal content for approximately two hours. DomainInvesting.com’s Elliot Silver observed the defacement and reported it. The incident did not involve a breach of Escrow.com’s internal systems, as confirmed by Matt Barrie, CEO of Freelancer.com, Escrow.com’s parent company.

Barrie stated that no Escrow.com customer data, funds, or domains were compromised during the incident. He indicated Escrow.com would release additional details in the following days but emphasized the integrity of their systems remained intact. KrebsOnSecurity contacted Barrie and Escrow.com for further clarification and separately reached out to SecurityTrails CEO Chris Ueland regarding the incident. The attack vector was confined to the compromise of GoDaddy’s customer service account, which enabled the attacker to manipulate domain records for targeted customers. The full scope of changes made to other affected GoDaddy customers beyond Escrow.com was not disclosed in the available reporting.
