GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains

Revealed: how domains owned by Expedia, Mozilla and Yelp sent bomb hoaxes


Remember the December 13 email blast that threatened to blow up buildings and schools unless recipients paid a $20,000 ransom? It triggered mass evacuations, closures, and lockdowns in the US, Canada, and elsewhere around the world.

An investigation shows the spam run worked by abusing a weakness at GoDaddy that allowed the scammers to hijack at least 78 domains belonging to Expedia, Mozilla, Yelp and other legitimate people or organizations. The same exploit allowed the scammers to hijack thousands of other domains belonging to a long list of other well-known organizations for use in other malicious email campaigns. Some of those other campaigns likely included ones that threatened to publish embarrassing sex videos unless targets paid ransoms.

Distributing the malicious emails across such a broad swath of reputable domains belonging to well-recognized organizations was a major coup. The technique, known as snowshoe spamming, drastically increased the chances the emails would be delivered because it undercut the sender-reputation metrics spam filters rely on: no single domain sent enough of the campaign to look like a spam source. Rather than appearing as fringe content sent by one or a handful of sketchy domains, the snowshoe technique gave the emails an air of legitimacy and normalcy. The technique gets its name because, like snowshoes, it distributes a heavy load evenly across a wide area.
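To make the reputation point concrete, here is an added example (it is not from the Ars Technica article; the log lines, domain names and thresholds are all constructed for illustration). It runs a naive per-domain volume check of the kind a simple filter might use beside a cross-domain template check: the volume check flags only a legitimate bulk sender, while grouping messages by a digit-stripped subject fingerprint and counting distinct sending domains per template exposes the spread-out campaign.

```python
"""Added example, not from the Ars Technica article: why a per-domain volume
check misses a snowshoe run, and a cross-domain content check that catches it.
Every log line below is constructed for illustration."""
from collections import Counter, defaultdict
import hashlib
import re

# Constructed mail-gateway log: (sending domain, subject line). The campaign
# uses one template with a varying reference number and sends only two
# messages per hijacked domain; one legitimate domain sends six distinct mails.
SAMPLE_LOG = [
    ("alpha-travel.example",  "Pay $20,000 in bitcoin or we detonate the device (ref 4821)"),
    ("alpha-travel.example",  "Pay $20,000 in bitcoin or we detonate the device (ref 9172)"),
    ("beta-reviews.example",  "Pay $20,000 in bitcoin or we detonate the device (ref 3310)"),
    ("beta-reviews.example",  "Pay $20,000 in bitcoin or we detonate the device (ref 0057)"),
    ("gamma-browser.example", "Pay $20,000 in bitcoin or we detonate the device (ref 7744)"),
    ("gamma-browser.example", "Pay $20,000 in bitcoin or we detonate the device (ref 2218)"),
    ("delta-hotels.example",  "Pay $20,000 in bitcoin or we detonate the device (ref 6603)"),
    ("delta-hotels.example",  "Pay $20,000 in bitcoin or we detonate the device (ref 1190)"),
    ("weekly-digest.example", "Your account statement for week 40"),
    ("weekly-digest.example", "Your account statement for week 41"),
    ("weekly-digest.example", "Password changed successfully"),
    ("weekly-digest.example", "New login from a recognised device"),
    ("weekly-digest.example", "Invoice 2218 is ready"),
    ("weekly-digest.example", "Your order has shipped"),
]


def volume_suspects(log, threshold=5):
    """Naive per-domain reputation: flag any domain sending >= threshold
    messages in the window. This is the metric snowshoeing is built to evade."""
    counts = Counter(domain for domain, _ in log)
    return sorted(d for d, n in counts.items() if n >= threshold)


def fingerprint(subject):
    """Template fingerprint: lower-case, replace digit runs with '#', collapse
    whitespace, hash. Per-message serial numbers no longer break the match."""
    normalised = re.sub(r"\d+", "#", subject.lower())
    normalised = re.sub(r"\s+", " ", normalised).strip()
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


def snowshoe_clusters(log, min_domains=3):
    """Group messages by template fingerprint and report templates seen from at
    least min_domains distinct sending domains: the snowshoe signature."""
    domains_by_fp = defaultdict(set)
    for domain, subject in log:
        domains_by_fp[fingerprint(subject)].add(domain)
    return {fp: sorted(ds) for fp, ds in domains_by_fp.items() if len(ds) >= min_domains}


def campaign_domains(log, min_domains=3):
    """Every sending domain implicated in at least one snowshoe cluster."""
    implicated = set()
    for domains in snowshoe_clusters(log, min_domains).values():
        implicated.update(domains)
    return sorted(implicated)


if __name__ == "__main__":
    print("volume check flags:", volume_suspects(SAMPLE_LOG))   # only the legitimate bulk sender
    print("snowshoe clusters:", snowshoe_clusters(SAMPLE_LOG))
    print("domains to investigate:", campaign_domains(SAMPLE_LOG))
```

The two "account statement for week 40/41" mails collapse to one fingerprint too, but they come from a single domain, so the distinct-domain threshold keeps them out of the cluster report; that distinction, not the template match alone, is what separates a snowshoe run from an ordinary newsletter.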


Far-right social network Gab goes offline after GoDaddy tells it to find another domain registrar


Gab, the far-right social network that the suspect in Saturday’s mass shooting at Pittsburgh synagogue used to share anti-Semitic posts, has gone offline after GoDaddy gave it 24 hours to find a new domain provider. GoDaddy’s decision comes after PayPal, Medium, Stripe, and Joyent banned Gab’s accounts over the weekend.

Bowers may face the death penalty after being charged with 11 counts of murder and multiple hate crimes in connection to the attack on the Tree of Life synagogue in Pittsburgh, which the Anti-Defamation League said it believes is the deadliest against the Jewish community in U.S. history.

On his Gab profile, Bowers had written “jews are the children of satan” in his biography and repeatedly shared anti-Semitic content and other hate speech. Shortly before the shooting, Bowers allegedly wrote “HIAS [an organization that aids Jewish refugees] likes to bring invaders in that kill our people. I can’t sit by and watch my people get slaughtered. Screw your optics, I’m going in.”

In an emailed statement, a GoDaddy spokesperson said Gab was told to move after breaking the domain registrar’s rules against violent content:

“We have informed Gab.com that they have 24 hours to move the domain to another registrar, as they have violated our terms of service. In response to complaints received over the weekend, GoDaddy investigated and discovered numerous instances of content on the site that both promotes and encourages violence against people.”

Gab now displays a message claiming it “is under attack” and has been “systematically no-platformed by App Stores, multiple hosting providers, and several payment processors.”

This is not the first time Gab has run afoul of its online service providers. Last year, Gab was banned from the Apple app store and Google Play for content violations. In August, Microsoft threatened to boot it from Azure web services if two anti-Semitic posts were not removed (the posts were taken down and Microsoft continued serving Gab).

After being suspended by Joyent, Gab said through its Twitter account that it would “likely be down for weeks,” but later tweeted that it would “be back soon.”

GoDaddy also stopped providing domain services to white supremacist site Daily Stormer in August 2017 after it posted an obscene article about Heather Heyer, who was killed while protesting last year’s Unite the Right rally in Charlottesville, Virginia.

New ‘Dark Ads’ pro-Brexit Facebook campaign may have reached over 10M people, say researchers


A major new campaign of disinformation around Brexit, designed to stir up U.K. ‘Leave’ voters, and distributed via Facebook, may have reached over 10 million people in the U.K., according to new research. The source of the campaign is so far unknown, and will be embarrassing to Facebook, which only this week claimed it was clamping down on “dark” political advertising on its platform.

Researchers for the U.K.-based digital agency 89up allege that Mainstream Network — which looks and reads like a “mainstream” news site but which has no contact details or reporter bylines — is serving hyper-targeted Facebook advertisements aimed at exhorting people in Leave-voting U.K. constituencies to tell their MP to “chuck Chequers.” Chequers is the name given to the U.K. Prime Minister’s proposed deal with the EU regarding the U.K.’s departure from the EU next year.

89up says it estimates that Mainstream Network, which routinely puts out pro-Brexit “news,” could have spent more than £250,000 on pro-Brexit or anti-Chequers advertising on Facebook in less than a year. The agency calculates that with that level of advertising, the messaging would have been seen by 11 million people. TechCrunch has independently confirmed that Mainstream Network’s domain name was registered in November last year, and began publishing in February of this year.

In evidence given to Parliament’s Digital, Culture, Media and Sport Select Committee today, 89up says the website was running dozens of adverts targeted at Facebook users in specific constituencies, suggesting users “Click to tell your local MP to bin Chequers,” along with an image from the constituency, and an email function to drive people to send their MP an anti-Chequers message. This email function carbon-copied an info@mainstreamnetwork.co.uk email address. This would be a breach of the U.K.’s data protection rules, as the website is not listed as a data controller, says 89up.

The news comes a day after Facebook announced a new clampdown on political advertisement on its platform, and will put further pressure on the social media giant to look again at how it deals with the so-called “dark advertising” its Custom Audiences campaign tools are often accused of spreading.

89up claims the Mainstream Network website could be in breach of the new GDPR rules because, while collecting users’ data, it has no published privacy policy and no contact information whatsoever, either on the site or in the campaigns it runs on Facebook.

The agency says that once users are taken from the ads to the respective localized landing pages, they are asked to email their MP. When a user does this, their default email client opens a new message with Mainstream Network’s own address in the BCC field. It is possible, therefore, that the user’s email address is being stored and later used for marketing purposes by Mainstream Network.
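The hidden-recipient pattern described above can be checked for mechanically. The following is an added example (not TechCrunch's or 89up's code): it scans a page's mailto: links, parses the RFC 6068 query headers, and reports any cc/bcc recipient the user did not choose, marking recipients outside the visible recipient's domain as third parties. The HTML fragment is constructed; only the info@ address is the one named in the article.

```python
"""Added example, not from the TechCrunch article: audit the mailto: links in a
page for cc/bcc recipients the user never chose. The HTML below is constructed;
only the info@ address is the one the article names."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed landing-page fragment: the first link quietly BCCs the site
# operator, the second is an ordinary contact link.
SAMPLE_HTML = """
<a href="mailto:mp@parliament.example?subject=Bin%20Chequers&amp;bcc=info@mainstreamnetwork.co.uk">Email your MP</a>
<a href="mailto:press@parliament.example?subject=Question">Contact the press office</a>
"""

MAILTO_RE = re.compile(r"""href=["'](mailto:[^"']+)["']""", re.IGNORECASE)


def _addresses(value):
    """Split a comma-separated header value into normalised addresses."""
    return [a.strip().lower() for a in value.split(",") if a.strip()]


def _domain(address):
    return address.rsplit("@", 1)[-1]


def parse_mailto(link):
    """Return the visible recipients plus any cc/bcc carried in the query
    string. RFC 6068 header names are case-insensitive, so keys are lowered;
    parse_qs already percent-decodes the values, the path is decoded here."""
    parts = urlsplit(link)
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    to = _addresses(unquote(parts.path))
    for extra in params.get("to", []):
        to += _addresses(extra)
    cc = [a for v in params.get("cc", []) for a in _addresses(v)]
    bcc = [a for v in params.get("bcc", []) for a in _addresses(v)]
    return {"to": to, "cc": cc, "bcc": bcc}


def audit_mailto_links(page_html):
    """One finding per link that adds a recipient the user did not pick. A
    hidden recipient outside the visible recipients' domains is listed as a
    third party, the pattern that points at data collection."""
    findings = []
    for match in MAILTO_RE.finditer(page_html):
        link = html.unescape(match.group(1))   # turn &amp; back into & before parsing
        fields = parse_mailto(link)
        hidden = fields["cc"] + fields["bcc"]
        if not hidden:
            continue
        visible_domains = {_domain(a) for a in fields["to"]}
        findings.append({
            "link": link,
            "to": fields["to"],
            "hidden": hidden,
            "third_party": [a for a in hidden if _domain(a) not in visible_domains],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_mailto_links(SAMPLE_HTML):
        print(finding)
```

A bcc: header is the interesting case because the mail client fills it in but the recipient's copy never shows it; a cc: is at least visible to the MP who receives the message. Either way the site operator ends up holding the sender's address, which is the data-collection concern 89up raises.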

TechCrunch has reached out to Mainstream Network for comment via Twitter and email. A WHOIS look-up revealed no information about the owner of the site.

TechCrunch’s own research into the domain reveals that the domain owner has made every possible attempt to remain anonymous. Even before GDPR came in, the domain owner had paid to hide the registration details on GoDaddy, where the domain is registered. The site uses standard GoDaddy shared hosting and shares its IP address with 400+ other websites, which helps it blend in.

Commenting, Damian Collins MP, the Chair of the Digital, Culture, Media and Sport Committee of the U.K. House of Commons, said: “We do not know who is funding the Mainstream Network, or who is behind its operations, but we can see that they are directing a large scale advertising campaign on Facebook designed to get people to lobby their MP to oppose the Prime Minister’s Brexit strategy. I have been sent a series of emails from constituents as a result of these adverts, in a deliberate attempt to alter the outcome of the Brexit negotiations.”

“The issue for parliamentarians is we have no idea who is targeting whom via political advertising on Facebook, who is paying for it, and what the purpose of that communication is. Facebook claimed this week that it was working to make political advertising on their platform more transparent, but once again we see potentially hundreds of thousands of pounds being spent to influence the political process and no one knows who is behind this.”

Mike Harris, CEO of 89up said: “A day after Facebook announced it will no longer be taking ‘dark ads’, we see once again evidence of the huge problem the platform is yet to face up to. Facebook has known since the EU referendum that highly targeted political advertising was being placed on its platform by anonymous groups, yet has failed to do anything about it. We have found evidence of yet another anonymous pro-Brexit campaign placing potentially a quarter of a million pounds worth of advertising, without anyone knowing or being able to find out who they are.”

Josh Feldberg, 89up researcher, said: “We have no idea who is funding this campaign. Only Facebook do. For all we know this could be funded by thousands of pounds of foreign money. This case just goes to show that despite Facebook’s claims they’re fighting fake news, anonymous groups are still out there trying to manipulate MPs and public opinion using the platform. It is possible there has been unlawful data collection. Facebook must tell the public who is behind this group.”

TechCrunch has reached out to both Facebook and Mainstream Network for comment prior to publication and will update this post if either respond to the allegations.