Why can't they ever give clear information.
Strictly, a million employees is a limited number too, as is the total number of all their support staff.
Miscreants were able to hijack traffic and email destined for various cryptocurrency-related websites this month – by hoodwinking GoDaddy employees. Using social engineering tricks, the hackers were able to change the DNS settings of their victims' domain names, redirecting connections and mail to their own servers. GoDaddy, …
I think "a limited number..." (of users, accounts, services...) has now joined "...to be regretted...", "security is our top priority", "your call is important to us", and "to improve our service..." (we're raising prices/cutting service/both) in the grim lexicon of 21st century weasel-speak.
I'm sure I missed many others, but TBF my blood-pressure was dangerously elevated just by typing those ones.
But how did the crims get the GoDaddy account security access codes, and if they didn't why did the account reps allow changes without it? GoDaddy gives a 4 digit account verification code to users; if the crims had them, then there was no social engineering necessary.
If the crims didn't have them, then the account reps should never have proceeded with the call. Period.
So the "social engineering" sounds like "We completely failed to follow set protocols, allowed access to something that had 2FA protection without confirmation, and went ahead and made the changes anyway".
"We completely failed to follow set protocols"
The shitshow doesn't stop there
Example: The other day, I was able to reset a user's iCloud password by simply knowing the iPhone passcode. The same stupid idiots who think showing message content on a locked screen by default is a smart move.
The GoDaddy member of staff in question, let me guess, underpaid, understaffed and underappreciated.
They show how perfect vigilance is impossible, and that the limitations of the mechanism supporting the human mind (i.e. the body, particularly the CNS, and the information flows available to it) mean that various optimizations have to be applied, resulting in numerous failure modes. Many of those are well-documented by methodologically-sound psychological research. Those who think they're immune are, of course, deceiving themselves.
Compressing that to "humanity is stupid" is acceptable as a first approximation.
Maybe I'm wrong. I always thought that Go Daddy were the outfit for amateur web sites, families, hobbyists and very small local businesses etc.
They're who you go to when you want to play around with building a little web site to show off your home made pottery, flower arranging or stamp collection. Or maybe to sell your hand crafted rings and necklaces to people who couldn't get to your market stall in the Jewellery Quarter. That sort of thing.
> They're always sophisticated, these attacks. They're never the result of clicking a dodgy link, or inadvertently letting slip that you use your dog's name as a password.
Of course not. Those techniques you mention are strictly reserved for secret EU defence meetings¹.
¹ Conducted via made in China software tool Zoom, for good effect.
Also the term "Social engineering" is a brilliant spin.
It was not the management, focused on giving themselves pay raises instead of making sure that priority is given to security and up-to-date systems; no, it was those dumb grunts who were "socially engineered".
From now on it can be expected that 99% of the hacks that can't be swept under the carpet will be caused by social engineering.
They're not cheap. They're CHEAP CLICK HERE! cheap. Or rather: pay cheap now, and we'll bleed you for years, hiking up prices because you're too lazy to switch. That kind of cheap. But hey, that's in line with the general business model of the internets, no?
I lost access to my DNS records that were hosted by GoDaddy.
The reason was that they'd deprecated their vanity nameserver service, and as such their DNS web management no longer recognised my name server addresses as being one of their DNS servers. Even though they resolved to GoDaddy IPs, which then reverse resolved to GoDaddy nameserver names.
Support and supervisor insisted that they were not hosting my DNS records (when in fact they were!) and that they could not help me any further. And even offered to send me a basic primer on how the Internet works! Never mind that I've worked as a network engineer, starting with an ISP going back to 1991!
In the end, I moved all of my domains and those I was responsible for, away from GoDaddy. If their support staff are so inept as to not be able to recognise that they are even providing you a service and they actively refuse to escalate to someone competent, your service is at great risk.
They should not be in business.
Sounds like they are quicker at turning over a domain to scammers than at allowing the legit owner to take it to another service. At least I had the presence of mind to make sure my off-GoDaddy backups of all my content were in order before asking about the process. I could imagine that letting them know I was planning on leaving would result in "For security, we have rate-limited FTP service to 110 bits/second."
As I've mentioned before, I did eventually get things straightened out, but still get regular notifications that my account (dead for over a decade) is locked because the credit card number for auto-renew has expired. Muppets or Evil Geniuses? You Decide!
Just Say NoDaddy
Suggests that the attackers found a flaw in GoDaddy's procedures they were able to exploit, rather than an actual problem with gullible staff. And since the poor peons who work in such places are aggressively required to follow the procedures to the letter rather than apply any knowledge or thinking to the task, once the bad guys had found a procedure to abuse they would be able to run through with hobnail boots on.