Websites hosted by GoDaddy have been distributing ransomware after a successful phishing attack resulted in a DNS hack, the company has admitted.
The company said only a "very small number" of accounts were affected and it was working to clean up the sites. Compromised accounts are also in the process of having their passwords reset, GoDaddy said in a statement sent to security firm Sophos, which first noticed the hack.
The DNS (Domain Name System) is what translates hostnames into IP addresses, meaning computers can talk to each other and users can access them online.
According to Sophos, during this attack cyber criminals are using phished credentials to add subdomains that resolve to malicious IP addresses. As the end-user sees no difference, this method enables attackers to use legitimate-looking URLs. This method can often bypass security software, Sophos said, and the end-user is likely to assume the content is safe.
"Go Daddy has detected a very small number of accounts have malicious DNS entries placed on their domain names," the hosting company said in a statement. "We have been identifying affected customers and reversing the malicious entries as we find them. Also, we’re expiring the passwords of affected customers so the threat actors cannot continue to use the accounts to spread malware."
The company added that account holders should be using two-factor authentication where available.
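A domain owner can look for the kind of entry Sophos describes by comparing an export of the zone against the names and address ranges they knowingly set up. The Python sketch below is an added example, not code from GoDaddy or Sophos; the zone contents, approved names and approved ranges are constructed sample data, and it also flags an approved name that has gained an address outside the expected ranges.

```python
import ipaddress

# Constructed sample data: names and address ranges the owner knowingly set up.
APPROVED_NAMES = {"example.com.", "www.example.com.", "mail.example.com."}
APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed zone export (BIND-style lines: name TTL class type value).
ZONE_EXPORT = """\
; exported zone for example.com (constructed sample)
example.com.        3600 IN A     192.0.2.10
www.example.com.    3600 IN A     192.0.2.10
mail.example.com.   3600 IN A     192.0.2.25
mail.example.com.   3600 IN MX    10 mail.example.com.
promo.example.com.  300  IN A     203.0.113.77
www.example.com.    300  IN A     198.51.100.9
"""

def parse_address_records(zone_text):
    """Yield (name, ip) for each A/AAAA record; skip comments and other types."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5 or fields[3].upper() not in ("A", "AAAA"):
            continue
        try:
            yield fields[0].lower(), ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # value is not a valid IP address; not an address record we can audit

def audit_zone(zone_text, approved_names, approved_nets):
    """Return (name, ip, reasons) for every address record that needs review."""
    findings = []
    for name, ip in parse_address_records(zone_text):
        reasons = []
        if name not in approved_names:
            reasons.append("unapproved name")
        if not any(ip in net for net in approved_nets):
            reasons.append("address outside approved ranges")
        if reasons:
            findings.append((name, str(ip), reasons))
    return findings

if __name__ == "__main__":
    for name, ip, reasons in audit_zone(ZONE_EXPORT, APPROVED_NAMES, APPROVED_NETS):
        print(f"{name} -> {ip}: {', '.join(reasons)}")
```

Run on a schedule against a fresh export, a check like this surfaces added entries even when the account login itself looked legitimate.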
It is the second issue to hit GoDaddy in the last few months. In September thousands of websites were knocked offline for around seven hours. A hacker claiming links with Anonymous said he was behind the attack, but that was denied by the company. GoDaddy said the outage was caused by "a series of internal network events that corrupted router data tables."