This is an issue of some concern and should be watched carefully: phishers are now trying to get passwords of domain registrants (domain owners). Currently, correspondents inform me that GoDaddy is the target, but there’s no reason to think the phishers won’t expand to other registrars.
Normally, phishers go after bank accounts or other financial information, or sometimes the online accounts of users so that they may send spam.
It’s not known precisely why phishers are after domain registration information, but the possibilities are chilling. The most obvious danger is that the phishers might be trying to simply steal domains—recall the sex.com and register.com fiascoes.
One worst-case scenario which has been suggested is this: If a phisher were to successfully hijack the domain registration of a bank or credit union, they could surreptitiously redirect the domain name to their own servers and conduct a man-in-the-middle attack without the bank even realizing it’s happening.
Dear GoDaddy Customer,
GoDaddy Customer Support Team requests you to complete GoDaddy Customer Online Form.
This procedure is obligatory for all customers of GoDaddy.
Please click hyperlink below to access GoDaddy Customer Online Form.
http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx
Please do not respond to this email.
This mail generated by an automated service.
Copyright © 1999 - 2007 GoDaddy.com, Inc. All rights reserved.
Of course, the link provided actually goes to the phishing site, not to GoDaddy.
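The mismatch the article describes (visible link text shows a godaddy.com address, the underlying href points elsewhere) is something mail filters can check mechanically. The script below is an added example, not from the original post or from GoDaddy: the HTML message body is constructed from the quoted phish, 203.0.113.7 is a TEST-NET placeholder standing in for the real phishing host, and the "last two labels" registrable-domain rule is a simplifying assumption (no public-suffix list).

```python
"""Flag e-mail links whose visible URL text names a different site than the href."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message body modelled on the quoted GoDaddy phish. The anchor text
# shows a godaddy.com URL; the href goes to a placeholder TEST-NET address.
PHISH_HTML = """<p>Please click hyperlink below to access GoDaddy Customer Online Form.</p>
<a href="http://203.0.113.7/AccountConfirmation/account.aspx">http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx</a>
<p>Please do not respond to this email.</p>"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """Approximate registrable domain: last two host labels (assumption: no
    public-suffix list, so co.uk-style hosts are approximated). IP literals are
    returned unchanged so they never match a brand's domain."""
    host = (urlsplit(url).hostname or "").lower()
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


def suspicious_links(html):
    """Return (href, text) pairs where the visible text is a URL whose site
    differs from the href's site, i.e. the link lies about where it goes."""
    parser = _Anchors()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if text.startswith(("http://", "https://"))
            and registrable_domain(text) != registrable_domain(href)]
```

A link whose text and href agree (for example a genuine godaddy.com anchor) is not flagged, so the check targets the deception itself rather than any particular brand.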
Could it be that the target of the phishing here is not so much the domain name as access to the hosting facilities which GoDaddy also offers? The ability to construct websites under subdomains of existing domains would be quite useful from the perspective of the generic cybercriminal. After all, they aren’t in the business of building brand recognition—they are in the business of churning through identities quite rapidly.
There is a lot of “take” in a registry + hosting facility that a phisher will find attractive, besides the scenarios you and Ed mentioned.
1. Access to the user’s ID / name / address / CC etc stored in his whois profile.
2. Ability to sign up scam domains using the stolen accounts. If they sign up several dozen domains using stolen cards, and use a single account to do it, the registrar can easily take them down.
3. How many people (e&oe domainers) check their accounts with a registrar carefully, every day? As compared to checking, say, their gmail or ebay accounts?
srs
There is a lot of energy behind DNSSEC for this purpose. DNSSEC digitally signs and locks DNS records in order to secure the database. There are many reasons for doing this, one of which is to thwart the man-in-the-middle attack. Without the proper keys, altered DNS records will not verify and will not therefore resolve. Alternatively, DNSSEC creates a single point of failure in an otherwise disaggregated system - the crypto key. If the key for signing the DNS root gets compromised, first the database is now exposed and second the root must now engage in a key roll-over (replace the old compromised key with a new key), which is apparently quite hard. Many are experimenting with DNSSEC but it is not without its doubters. http://www.cybertelecom.org/dns/security.htm
DNSSEC protects against unauthorised changes to DNS records. If you’ve been phished, the attacker has your authentication credentials, and DNSSEC won’t help you.
So Go Daddy has to worry about potential customers complaining of their searched domain names being swiped, their clients’ domain names being hijacked, and now this. That’s one price to pay for being arguably the most popular. :P
I’ve since read of people who have forwarded that same email to Go Daddy. I’ve yet to see any response from them as of this post, although I’m sure they’re on top of it.
Godaddy is part of the Anti-Phishing Working Group (http://www.apwg.org) - so I am reasonably sure they have access to some good sound anti-phishing best practices.
As do most of the other phish victims out there.
That doesn't stop phishers from targeting them.
And that doesn't stop ignoramuses from falling for phishes.
That's about all they can do to "be on top of it", except possibly for something like "we won't ever send you email, any communication with us will be through our website" like several banks do.
Godaddy just gave away one of our most valuable domains. We can’t figure out how they did it but godaddy is complicit in their failure to provide a simple verification email to us to confirm or deny the transfer. It was quite simple for the thief but not so easy to get it back. It will cost us thousands to get it back. Godaddy basically told us to go pound sand. To get this back we have to file a cease and desist letter through an attorney. Then after a predetermined period of time if the crook fails to comply then we have to file a formal action with ICANN or better put “ICANNT” and give them $1,500.00 to impanel a board of arbitrators!
Total bill with all legal fees could reach several thousand dollars.
I got hosed by godaddy and Bob Parsons didn’t even send me flowers.