Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names

Miscreants were able to hijack traffic and email destined for various cryptocurrency-related websites this month – by hoodwinking GoDaddy employees. Using social engineering tricks, the hackers were able to change the DNS settings of their victims' domain names, redirecting connections and mail to their own servers. GoDaddy, …

  1. Dwarf

    Why can't they ever give clear information.

    Strictly, a million employees is a limited number too, as is the total number of all their support staff.

    1. David 132 Silver badge
      Flame

      Re: Why can't they ever give clear information.

      I think "a limited number..." (of users, accounts, services...) has now joined "...to be regretted...", "security is our top priority", "your call is important to us", and "to improve our service..." (we're raising prices/cutting service/both) in the grim lexicon of 21st century weasel-speak.

      I'm sure I missed many others, but TBF my blood-pressure was dangerously elevated just by typing those ones.

      1. upsidedowncreature

        Re: Why can't they ever give clear information.

        Because these communications are produced by communications professionals whose purpose is to convey as little information as possible while making sympathetic noises.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why can't they ever give clear information.

          Yeah but that doesn't mean El Reg or anyone else have to provide the quotes verbatim. They could just as easily paraphrase or remove the fluff so as to make them a little bit less infuriating to read.

    2. Michael Wojcik Silver badge

      Re: Why can't they ever give clear information.

      Hey, at least it wasn't an unlimited number of employees who were duped. "Unfortunately, all past, present, and future employees, actual and potential, have been or will be deceived by these attackers. Nothing we can do about it. Sadface."

  2. Anonymous Coward
    Alien

    I love social engineering stories because they show how stupid humanity is.

    1. Pascal Monett Silver badge

      I don't think we need more demonstrations of that. It's proven. We know.

    2. Hollerithevo

      Make it inclusive

      Even we blessed band of commentards here are just as likely to be socially engineered. The baddies just have to (1) use IT jargon and (2) flatter our intelligence.

    3. Snake Silver badge

      Security

      But how did the crims get the GoDaddy account security access codes, and if they didn't why did the account reps allow changes without it? GoDaddy gives a 4 digit account verification code to users; if the crims had them, then there was no social engineering necessary.

      If the crims didn't have them then the account reps should never have proceeded with the call. Period.

      So the "social engineering" sounds like "We completely failed to follow set protocols, allowed access to something that had 2FA protection without confirmation, and went ahead and made the changes anyway".

      1. FlamingDeath Silver badge

        Re: Security

        "We completely failed to follow set protocols"

        The shitshow doesn't stop there

        Example: The other day, I was able to reset a user's iCloud password by simply knowing the iPhone passcode. The same stupid idiots who think showing message content on a locked screen by default is a smart move

        The GoDaddy member of staff in question, let me guess, underpaid, understaffed and under appreciated

      2. Solviva

        Re: Security

        "Ohh deary me, I mislaid my verification code when we had a small incident involving flames at the office, could you help pretty please?" Now, let me see what I can do to help you, valued customer....

    4. Michael Wojcik Silver badge

      They show how perfect vigilance is impossible, and that the limitations of the mechanism supporting the human mind (i.e. the body, particularly the CNS, and the information flows available to it) mean that various optimizations have to be applied, resulting in numerous failure modes. Many of those are well-documented by methodologically-sound psychological research. Those who think they're immune are, of course, deceiving themselves.

      Compressing that to "humanity is stupid" is acceptable as a first approximation.

  3. cd

    Goes to show how clueless the cryptocurrency folks are, using GoDaddy for anything. Would you buy a virtual coin from this man?

    1. Anonymous Coward
      Anonymous Coward

      Are you Dumb enough to even consider buying a virtual coin at all?

    2. Terry 6 Silver badge

      Maybe I'm wrong. I always thought that Go Daddy were the outfit for amateur web sites, families, hobbyists and very small local businesses etc.

      They're who you go to when you want to play around with building a little web site to show off your home made pottery, flower arranging or stamp collection. Or maybe to sell your hand crafted rings and necklaces to people who couldn't get to your market stall in the Jewellery Quarter. That sort of thing.

      1. Anonymous Coward
        Anonymous Coward

        That's what I thought as well, then I found our work domain is hosted by them as well.. oh wait..!

  4. upsidedowncreature

    Sophisticated...

    They're always sophisticated, these attacks. They're never the result of clicking a dodgy link, or inadvertently letting slip that you use your dog's name as a password. Damn sophisticated, these hackers.

    1. Doctor Syntax Silver badge

      Re: Sophisticated...

      All you need to remember is that "sophisticated" in this sense is relative. It tells you at least as much about the less sophisticated party in the incident as it does about the more sophisticated one.

    2. Nifty Silver badge

      Re: Sophisticated...

      Just like the cheque fraudsters of old then, staying in luxury hotels and buying from luxury stores because they 'looked and talked the part'. Plus ça change...

    3. Anonymous Coward
      Anonymous Coward

      Re: Sophisticated...

      > They're always sophisticated, these attacks. They're never the result of clicking a dodgy link, or inadvertently letting slip that you use your dog's name as a password.

      Of course not. Those techniques you mention are strictly reserved for secret EU defence meetings¹.

      ¹ Conducted via made in China software tool Zoom, for good effect.

  5. Winkypop Silver badge

    Same same

    “GoDaddy is committed to protecting our customers’ data and the security of our infrastructure, and our teams are vigilantly monitoring for attacks and potential vulnerabilities.”

    Yeah right.

    Except when they aren’t.

    1. Terry 6 Silver badge

      Re: Same same

      "committed to" means nothing.

      "vigilantly monitoring" means less than nothing.

      Hollow words having no substantive content.

    2. naive

      Re: Same same

      Also the term "Social engineering" is a brilliant spin.

      It was not the management focused on giving themselves pay raises, instead of paying attention that priority is given to security and up to date systems, no it were those dumb grunts who were "social engineered".

      From now on it can be expected that 99% of the hacks that can't be swiped under the carpet, will be caused by social engineering.

  6. Anonymous Coward
    Anonymous Coward

    Anyone else remember when changes to .com net org required a faxed form countersigned by a notary public confirming the identity of the person making the request?

    Those were the days...

  7. a_yank_lurker

    Security is a priority or a parody

    Other than cheap I have not heard much good about GoDaddy.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security is a priority or a parody

      they're not cheap. They're CHEAP CLICK HERE! cheap. Or rather: pay cheap now, and we'll bleed you for years, hiking up prices because you're too lazy to switch. That kind of cheap. But hey, that's in line with general business model of the internets, no?

    2. DougMac

      Re: Security is a priority or a parody

      But GoDaddy isn't cheap. Mainly upper middle of the road.

      GoDaddy is a marketing company with a registrar/webhost bolted on the side.

      They make themselves look far far larger share of the market than they really have.

    3. Colin Bull 1
      FAIL

      Not so cheap

      A charity I was involved in signed up for Godaddy. They did not realise the package only came with one email address. Each additional email address costs more than I am paying for unlimited. All the committee members received everyone else's emails. What a shit show

  8. IGotOut Silver badge

    By a routine audit.....

    ... they mean "We checked twitter and noticed loads of complaints. More than normal, that is"

  9. Mr Dogshit

    It's always DNS

  10. SJP

    Not surprised

    I lost access to my DNS records that were hosted by GoDaddy.

    Reason was because they’d deprecated their vanity nameserver service and as such their DNS web management no longer recognised my name server addresses as being one of their DNS servers. Even though they resolved to GoDaddy IPs, which then reverse resolved to GoDaddy nameserver names.

    Support and supervisor insisted that they were not hosting my DNS records (when in fact they were!) and that they could not help me any further. And even offered to send me a basic primer on how the Internet works! Never mind that I've worked as a network engineer, starting with an ISP going back to 1991!

    In the end, I moved all of my domains and those I was responsible for, away from GoDaddy. If their support staff are so inept as to not be able to recognise that they are even providing you a service and they actively refuse to escalate to someone competent, your service is at great risk.

    They should not be in business.

    1. Hollerithevo

      Re: Not surprised

      Yes, I too hauled stuff off them in the olden days. An enthusiastic sister-in-law who had bought vanity domains and built an unfortunate website and then realised she was swimming with inept sharks.

  11. Robert Grant

    Aren't GoDaddy the people you register a domain with before immediately transferring its management to Cloudflare?

    1. G2

      these days you can even leave them out of the loop and register domains directly through Cloudflare.

      https://www.cloudflare.com/en-gb/products/registrar/

      1. Robert Grant

        Ooh, I didn't know that.

  12. chivo243 Silver badge
    Holmes

    Weakest link in your box of Chocolates

    Gotta love them, humans that is... stupid is as stupid does. Coin flingers using Go-Daddy? Uh, thanks, but no.

  13. Anonymous Coward
    Anonymous Coward

    If they were cryptocurrency websites it seems like a fair bet that they were owned by crooks in the first place.

  14. fidodogbreath

    after "a limited number of GoDaddy employees" were duped

    I dented the fender on my car one time when "a limited number of drivers" bumped into a pole in a parking garage.

  15. Mike 16

    Varying speed

    Sounds like they are quicker at turning over a domain to scammers than at allowing the legit owner to take it to another service. At least I had the presence of mind to make sure my off-GoDaddy backups of all my content were in order before asking about the process. I could imagine that letting them know I was planning on leaving would result in "For security, we have rate-limited FTP service to 110 bits/second."

    As I've mentioned before, I did eventually get things straightened out, but still get regular notifications that my account (dead for over a decade) is locked because the credit card number for auto-renew has expired. Muppets or Evil Geniuses? You Decide!

    Just Say NoDaddy

  16. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    Godaddy and all should set 2FA for important domain settings, not just for logging in

  17. six_tymes

    "GoDaddy is committed to protecting our customers’ data and the security of our infrastructure, and our teams are vigilantly monitoring for attacks and potential vulnerabilities"

    Apparently NOT.

  18. JimC

    The fact that it was multiple employees

    Suggests that the attackers found a flaw in Godaddy's procedures they were able to exploit rather than an actual problem with gullible staff. And since the poor peons who work in such places are aggressively required to follow the procedures to the letter rather than apply any knowledge or thinking to the task, once the bad guys had found a procedure to abuse they would be able to run through with hobnail boots on.
