Over the last few days, website owners, specifically those hosting on GoDaddy, have been experiencing strange redirects to various websites. These redirects don’t happen all the time, but they seem to happen when a user first visits a page or refreshes it enough times to trigger it. I first stumbled upon this issue when visiting a website of a favorite restaurant of mine. Instead of seeing a page with pictures of food, menus, etc., I was presented with a . fake AV page How it works Like with other security issues I discover, I end up jumping down the rabbit hole to investigate what this is, how it works, and whether there is a way to avoid it. Unfortunately, for this incident, the best perspective I can give is as an outsider. A compromised GoDaddy website would make this investigation easier, but it isn’t impossible without it. At a high level, the sequence of events is as follows based on testing and other observations: 1. The user visits a compromised website hosted on GoDaddy. Like me, users could visit a local business’s website they are familiar with. 2. Initial redirect occurs Through some black box logic (usually for first-time visitors or by chance), GoDaddy servers send a to the user to redirect them to the attacker’s website. Every compromised website I’ve found redirects to . 302 46.4.68.136 Currently, there is speculation that GoDaddy’s load balancers are compromised. Specific requests will redirect you to the attacker’s page, but this occurs less often than expected. The cached versions of these compromised sites show a redirect in the HTTP response’s header. This header will cause the browser to redirect to the website specified in the variable. path Below are some examples. HTTP/1.1 302 Found
Date: Fri, 16 Dec 2022 22:23:24 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: b64618f79bd8f79428b7f1f80c1abceb=qtjmovs3948hi5t1m2shhambr4; path=/
Location: http://46.4.68.136/[REDACTED]?DOM=www.vocationalvisions.com&URI=%2findex.php
Connection: close
Vary: Accept-Encoding
Content-Type: text/HTML; charset=utf-8 HTTP/1.1 302 Found
Date: Sat, 17 Dec 2022 17:21:14 GMT
Server: Apache
X-Pingback: http://www.bookkeepingservicesclt.com/xmlrpc.php
Location: http://46.4.68.136/[REDACTED]?DOM=www.bookkeepingservicesclt.com&URI=%2findex.php
Connection: close
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8 HTTP/1.1 302 Found
Date: Fri, 16 Dec 2022 14:43:04 GMT
Server: Apache
Location: http://46.4.68.136/[REDACTED]?DOM=www.daria-snadowsky.com&URI=%2findex.php
Connection: close
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html; charset=UTF-8 HTTP/1.1 302 Found
Date: Tue, 13 Dec 2022 14:00:31 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Link: <http://saslist.com/wp-json/>; rel="https://api.w.org/"
Location: http://46.4.68.136/[REDACTED]?DOM=saslist.com&URI=%2findex.php
Connection: close
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8 HTTP/1.1 302 Found
Date: Wed, 14 Dec 2022 00:20:15 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
X-Pingback: http://paypointeinc.com/xmlrpc.php
Location: http://46.4.68.136/[REDACTED]?DOM=paypointeinc.com&URI=%2findex.php
Connection: close
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8 These websites receive a response from an Apache-powered server and will redirect the user to the same malicious IP address -- whether they use WordPress or not doesn't play a factor. Every user that ends up being redirected to the attacker's host is then tagged with a cookie set from the response header. Every subsequent request on that host will also include that cookie to identify the victim. Set-Cookie: a8163=<JWT looking token> 3. The second redirect occurs Redirect takes the user to a specific page on the attacker's website. This page then runs JavaScript to redirect them to phishing or pornographic content. The basic structure of the page we see is as follows: <html>
        <head>
            <script type="application/javascript">
                function process() {
                   if (window.location !== window.parent.location ) {
                      top.location = "http://bad.website";
                   } else {
                      window.location = "http://bad.website";
                   }
                }
                window.onerror = process;
                process();</script>
        </head>
        <body>
            The Document has moved <a href="http://bad.website">here</a>
        </body>
        </html> Notably, you can find very similar snippets on Github. The redirect above isn't a new tactic used to redirect users. After this redirect, the user is at the attacker's final destination. About the attacker's site I've played around with the attacking site. Fun fact: the redirect page changes depending on your IP/location. The page would redirect me to the fake AV scanner if I were in North America. If I were in Europe, Asia, South America, etc., each would redirect me to different pages showing less-than-desirable content. Is this done intentionally to specialize attack payloads based on some level of effectiveness according to location, or is it just done randomly? Why this is serious In general, the attack is widespread, where we can find many compromised websites with a simple Google search of the attacking website's IP address. Many website owners are affected by this, as evinced by this support question. Notably, even this found its way to one of the links in the SvelteKit docs. Cloudflare issue It is not apparent that the attack impacts WordPress plugins, as demonstrated. Newly provisioned accounts are also affected even with no content uploaded to the website. @ColinQuarello From this, we can assume that this could be a system-wide issue for the hosting provider. 302 redirects are happening from your load balancers to spam/porn sites on the shared hosting infrastructure. I provisioned a new account and immediately got a 302 redirect when there was . Headers looked forged too. This is serious. @GoDaddyHelp @GoDaddy no content on the site — Colin Quarello (@ColinQuarello) December 19, 2022 Once a user is in the hands of the attacker by being on the attacker's website, they can succumb to social engineering, phishing, etc. alone cost companies and the general public billions per year. Phishing scams On the human side, this incident can lead to a loss in user trust not only for GoDaddy but also for small to medium-sized businesses that rely on the platform to host their company's website, e-commerce store, etc. These days, user trust is more important than ever to foster user growth and business expansion. According to a study done by , "84% of consumers would switch to a competitor if they lost trust in the enterprise". A single incident, let alone repeated occurrences, will degrade user trust faster than a business can regain it quickly. DigiCert Latest Developments As of 2022-12-20, GoDaddy is currently working on this incident (INC-5492776). I am unsure if this is an internal incident tracking number or something GoDaddy customers can access. We're aware of the issue and working to correct it now. I can assure you that our teams are diligently working to restore service as soon as possible. ^CG — GoDaddy Help (@GoDaddyHelp) December 20, 2022 Previously, it was suspected to be a firewall-related issue, but this has since been disproven. GoDaddy engineers and users have found this issue occurring regardless of firewall configurations. Thanks for reading! 💎 Thank you for taking the time to check out this post. For more content like this, head over to my actual . Feel free to reach out to me on and follow me on . blog LinkedIn Github

Too Long; Didn't Read

Questions about cloud security? Get answers here.

GoDaddy Hit with Widespread Redirect Hack

Too Long; Didn't Read

Stanley Lim

About Author

TOPICS

Languages

THIS ARTICLE WAS FEATURED IN...

GoDaddy Hit with Widespread Redirect Hack

Too Long; Didn't Read

Stanley Lim

About Author

TOPICS

Languages

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES