
Phishers Now Targeting Domain Registrars

This is an issue of some concern and should be watched carefully: phishers are now trying to get passwords of domain registrants (domain owners). Currently, correspondents inform me that GoDaddy is the target, but there’s no reason to think the phishers won’t expand to other registrars.

Normally, phishers go after bank accounts or other financial information, or sometimes the online accounts of users so that they may send spam.

It’s not known precisely why phishers are after domain registration information, but the possibilities are chilling. The most obvious danger is that the phishers might be trying to simply steal domains—recall the sex.com and register.com fiascoes.

One worst-case scenario which has been suggested is this: If a phisher were to successfully hijack the domain registration of a bank or credit union, they could surreptitiously redirect the domain name to their own servers and conduct a man-in-the-middle attack without the bank even realizing it’s happening.

Dear GoDaddy Customer,

GoDaddy Customer Support Team requests you to complete GoDaddy Customer Online Form.

This procedure is obligatory for all customers of GoDaddy.

Please click hyperlink below to access GoDaddy Customer Online Form.

http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx

Please do not respond to this email.

This mail generated by an automated service.

Copyright © 1999 - 2007 GoDaddy.com, Inc. All rights reserved.

Of course, the link provided actually goes to the phishing site, not to GoDaddy.
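A defender-side illustration of the trick this email relies on, added here and not part of the original post: the visible link text carries a GoDaddy-looking URL, while the real destination sits in the anchor's href. The checker below extracts every link from an HTML mail body, compares the href host against the legitimate registrable domain, and flags any URL-shaped link text whose host differs from where the link actually goes. The HTML sample and the `.invalid` phishing host are constructed for the example; the registrable-domain helper is a two-label simplification, not a public-suffix-list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text copies the URL shown in the post,
# while the real href (a placeholder host, not taken from the page) points elsewhere.
SAMPLE_EMAIL_HTML = (
    "<p>Please click hyperlink below to access GoDaddy Customer Online Form.</p>"
    '<a href="http://godaddy.com.example-phish.invalid/account.aspx">'
    "http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx</a>"
)
LEGIT_DOMAINS = {"godaddy.com"}  # registrable domains this sender may legitimately link to

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for each <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_links(html, legit=LEGIT_DOMAINS):
    """Return a list of (href, reason) findings; an empty list means no lure detected."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if registrable_domain(href_host) not in legit:
            findings.append((href, "href host %s is not a legitimate domain" % href_host))
        # URL-shaped link text whose host differs from the href host is the classic lure.
        if text.lower().startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registrable_domain(text_host) != registrable_domain(href_host):
                findings.append((href, "text shows %s but link goes to %s" % (text_host, href_host)))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML)` on the constructed mail yields two findings: the href host is outside the allowed domain, and the displayed URL does not match it.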

By Edward Falk, Computer professional


Comments

The Famous Brett Watson  –  Aug 8, 2007 3:15 AM

Could it be that the target of the phishing here is not so much the domain name as access to the hosting facilities which GoDaddy also offers? The ability to construct websites under subdomains of existing domains would be quite useful from the perspective of the generic cybercriminal. After all, they aren’t in the business of building brand recognition—they are in the business of churning through identities quite rapidly.

Suresh Ramasubramanian  –  Aug 8, 2007 6:38 AM

There is a lot of “take” in a registry + hosting facility that a phisher will find attractive, besides the scenarios you and Ed mentioned.

1. Access to the user’s ID / name / address / CC etc stored in his whois profile.

2. Ability to sign up scam domains using the stolen accounts. If they signup several dozen domains using stolen cards, and use a single account to do it, the registrar can easily take them down.

3. How many people (e&oe domainers) check their accounts with a registrar carefully, every day?  As compared to checking, say, their gmail or ebay accounts?

srs

Robert Cannon  –  Aug 8, 2007 6:41 PM

There is a lot of energy behind DNSSEC for this purpose.  DNSSEC digitally signs and locks DNS records in order to secure the database.  There are many reasons for doing this, one of which is to thwart the man-in-the-middle attack.  Without the proper keys, altered DNS records will not verify and will not therefore resolve.  Alternatively, DNSSEC creates a single point of failure in an otherwise disaggregated system - the crypto key.  If the key for signing the DNS root gets compromised, first the database is now exposed and second the root must now engage in a key roll-over (replace the old compromised key with a new key), which is apparently quite hard.  Many are experimenting with DNSSEC but it is not without its doubters.  http://www.cybertelecom.org/dns/security.htm

The Famous Brett Watson  –  Aug 9, 2007 12:54 AM

DNSSEC protects against unauthorised changes to DNS records. If you’ve been phished, the attacker has your authentication credentials, and DNSSEC won’t help you.

Dave Zan  –  Aug 9, 2007 8:21 AM

So Go Daddy has to worry about potential customers complaining of their searched domain names being swiped, their clients’ domain names being hijacked, and now this. That’s one price to pay for being arguably the most popular. :P

I’ve since read of people who have forwarded that same email to Go Daddy. I’ve yet to see any response from them as of this post, although I’m sure they’re on top of it.

Suresh Ramasubramanian  –  Aug 9, 2007 11:12 AM

I’ve since read of people who have forwarded that same email to Go Daddy. I’ve yet to see any response from them as of this post, although I’m sure they’re on top of it.

Godaddy is part of the anti phishing working group (http://www.apwg.org) - so I am reasonably sure they have access to some good sound anti phishing best practices.

As do most of the other phish victims out there.

That doesn't stop phishers from targeting them.
And that doesn't stop ignoramuses from falling for phishes.

That's about all they can do to "be on top of it".. except possibly for something like "we won't ever send you email, any communication with us will be through our website" like several banks do.

Jack Durban  –  Nov 10, 2007 2:47 AM

Godaddy just gave away one of our most valuable domains. We can’t figure out how they did it but godaddy is complicit in their failure to provide a simple verification email to us to confirm or deny the transfer. It was quite simple for the thief but not so easy to get it back. It will cost us thousands to get it back. Godaddy basically told us to go pound sand. To get this back we have to file a cease and desist letter through an attorney. Then after a predetermined period of time if the crook fails to comply then we have to file a formal action with ICANN or better put “ICANNT” and give them $1,500.00 to impanel a board of arbitrators!

Total bill with all legal fees could reach several thousand dollars.

I got hosed by godaddy and Bob Parsons didn’t even send me flowers.
