Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security The Internet

GoDaddy Accounts Vulnerable To Social Engineering (and Photoshop) 70

itwbennett writes: On Tuesday, Steve Ragan's GoDaddy account was compromised. He knew it was coming, but considering the layered account protections used by the world's largest domain registrar, he didn't think the attacker would be successful. He was wrong. Within days, the attacker gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID.
This discussion has been archived. No new comments can be posted.

GoDaddy Accounts Vulnerable To Social Engineering (and Photoshop)

Comments Filter:
  • Meh (Score:5, Insightful)

    by grimmjeeper ( 2301232 ) on Friday March 20, 2015 @05:01PM (#49305413) Homepage
    This is reason 363956 why you don't want to use GoDaddy to host your name or accounts.
    • So what's the alternative. I mean, not the alternative to godaddy, they're many, but how to prove yourself in case you forgot the password?
      • by CaTfiSh ( 724 )
        Something along the lines of PayPal, where they place a small random charge to your bank account, or credit card and have you recite the amount would be a start. The old InterNIC offered PGP verification.
        • by rthille ( 8526 )

          Notarized documents.

          • by allo ( 1728082 )

            Hard to do, because you usually do not need them to sign up. So what should they compare against.

            • by rthille ( 8526 )

              Well, if they are going to accept "documents" (scans, easily edited), as proof of something, then really they should only accept real, notarized paper versions.

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday March 20, 2015 @05:03PM (#49305429) Journal
    I'm not sure I believe this story. GoDaddy doesn't offer customer support, so how could the social engineers have spoken to them?
    • by dissy ( 172727 )

      Wait a sec, you mean to say there isn't really a bunch of hot godaddy girls waiting on the edge of their seats just to talk to me??

      *dejected face*

      • by Anonymous Coward

        I know a few from the Iowa call center.

        • Danica, is that you?

          Stuff like this always reminds me of John Candy playing Tattoo from Fantasy Island, lying on a desk, rubbing his thighs with his hands say "Chicks, boss. Chicks!"

  • by Anonymous Coward

    Really? Never heard of Identity Theft. Anybody can do the same thing and walk out of a bank with all my money. Unless you are recommending some sort of National ID system hard coded to my DNA, then these type of "hacks" will always happen, or at least you will know its your twin who stole it.

    • Re:No Duh. (Score:5, Interesting)

      by david_thornley ( 598059 ) on Friday March 20, 2015 @05:36PM (#49305647)

      If somebody does that and removes money from your bank, the bank is going to have to show it was really you, or that there was sufficient authentication by a route you agreed to. A conversation with a bank employee and a photoshopped ID are not going to be considered sufficient authentication. If it turns out the bank was liable, it is going to have to restore the money, and it will be able to do so. Recovering the money fraudulently taken from the bank is, after that, the bank's problem.

      There have been cases where stolen domains (where the evidence is clear) are never returned. It seems to depend on the registrar, and that's a good reason not to use GoDaddy.

      • Okay. What registrar do you recommend using?

        • by rot26 ( 240034 )
          namecheap.

          Not affiliated, blah blah blah and so on and so on.
        • by Anonymous Coward

          namesilo [namesilo.com]

          I use them for about 10 domains.
          The price is right. They also include a ton of stuff for free, like whois privacy,
          I've configured it to email me every time there is any action with the account, even just a login kicks off an email immediately.

      • by AmiMoJo ( 196126 ) *

        I've used this technique before. A company needed a recent bank statement scanned to comply with money laundering rules or some rubbish. I don't have paper statements any more, and an electronic one wouldn't do. So I scanned an old one and shopped a recent date in.

  • by Dr_Barnowl ( 709838 ) on Friday March 20, 2015 @05:32PM (#49305623)

    ... is the name of a domain name I searched for on their site to see if they'd bite.

    A few years ago I thought I'd buy a domain for myself. Went and searched for it on their site. NEVER DO THIS.

    It wasn't taken.

    I ummed and aahed and slept on it.

    I came back. It was taken. By Domains By Proxy LLC. Who are owned by GoDaddy.

    It seems to have been sold on to another speculator, unless Afternic are them too. (I just checked. Afternic were bought out by GoDaddy in 2013).

    I own the .co.uk variant of it now. I used GANDI, who by all accounts, are not wankers.

    So, if you want a domain, be prepared to buy it on the spot if it's available. And use a registrar who aren't arseholes.

    • by cdrudge ( 68377 ) on Friday March 20, 2015 @05:55PM (#49305751) Homepage

      I don't know if Godaddy speculates under Domains By Proxy, but Domains By Proxy is what they also list any account that has enabled the "whois privacy" feature to mask their contact information. It's possible you were just a victim of bad luck.

      • by jonow ( 3524689 )
        I have encountered this same exact scenario multiple times. Go looking for domains, the next day they are all taken.
      • by Dr_Barnowl ( 709838 ) on Friday March 20, 2015 @06:13PM (#49305833)

        For a 2 word .com domain name that had been previously unregistered for 30 years? And was registered for the first time shortly after I fed it into a whois query box on their site?

        No. There's no coincidence there.

        • by rot26 ( 240034 )
          No, no coincidence. This has happened to me multiple time, though not with godaddy because I've never been tempted to use them. It's such a simple, obvious bit of asshattery that many registrars do this, although (excuse my lack of definitive information) I don't believe they actually register the domain name, there is some additional asshattery that allows them to tie the name up for a short period without actually having to pay money for it... which means that after a few days (???) it will become ava
          • by sribe ( 304414 ) on Friday March 20, 2015 @09:06PM (#49306591)

            ...there is some additional asshattery...

            There is some period for which they can register, then cancel, without paying fees upstream.

            • Why not just register everything? Keep a cycle of registrations and cancellations going so you can fuck everyone over by owning everything all the time?
              • by sribe ( 304414 )

                Why not just register everything?

                Combinatorial explosion. No way to register "everything"; no practical way to predict what will actually be requested.

                • This is the age of big data. Every combination of up to 10 letters and numbers is only 3 quadrillion records. I can't imagine that would be impossible for a motivated party. If you wanted to be a little more sensible, run those combinations through a dictionary and you easily knock a few orders of magnitude off the scale.
          • by v1 ( 525388 )

            there is some additional asshattery that allows them to tie the name up for a short period without actually having to pay money for it

            This was called "domain tasting" [wikipedia.org], and the guise it was made under was to "allow a customer to put up a web site under a new domain name to test it out and sample it to see if they wanted to purchase it". This is of course a silly concept, you don't need to have the domain name in its final form to decide whether or not your web page works. What it DOES do is encourage this

    • by jd2112 ( 1535857 )
      Perhaps a good way to get back at them is to write a script to constantly search for bogus domain names so that they keep buying them up.
    • I experienced the same with a Danish DNS company 15 years ago. I came up with a good name and short, never registered before. Filled out the form and paid with credit card, only to have it rejected the next day because it all of the sudden already was registered by the same registrar but to some odd company I could not find any information on.

    • by CaTfiSh ( 724 )
      This has been going on for a long time, and not just with GoDaddy. There was quite a bit written about it a number of years ago, which included ISPs selling lists of unresolved DNS queries. Thus, along with misspellings, people checking to see if a domain name was available were finding them quickly snatched up.
  • by Anonymous Coward

    Don't feed the huckster as I inadvertently did...

    On the 1st page, I was confused by the alleged victim writing his description of the attack in the wrong person... then on page 3 you learn that the so-called "attack" on which the article was based is actually a fake attack (by the author, looking to boost hid street 'cred' as a security guru?) on an account setup just to be attacked for this article.

    This sort of "story" is nothing but a dishonest ad, erroneously promoted on Slashdot.

    [ben stein voice]Editor

  • by Anonymous Coward

    I've noticed that a lot of companies demand a photo id to verify your identity when they have doubts. I refuse to ever do it for two reasons:

    (1) Its practically inviting identity theft. I mean W T F? How do I know some disgruntled employee isn't keeping a copy of every scanned ID that comes in and then selling the info on some darknet market?

    (2) Its totally forgeable. There is no way they verify that a scanned ID has not been photoshopped, all the anti-forgery stuff on them depends on it being the orig

  • Wow, guy who owns the account managed to get access... to his own account. Wow, what a great story, bro.

  • >"gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID."

    Are you sure it wasn't a "Gimped ID" or any number of other programs? Yeesh.

    Hint: "photoedited" ID.

    • Yes, they are sure.

      "This was probably overkill, but I’m a perfectionist when it comes to these things. The subtitles in the driver's license seal were no match for Photoshop's 'content aware and replace' feature. It wasn't perfect, so the majority of my time was spent pushing pixels until it looked right. A little blur and grain go a long way to making something look authentic," Mr. Troia said.

    • by kindbud ( 90044 )

      Well if you're going to cry about it, here's a kleenex. And to help make you feel better, please have some jello. If you don't get the joke, google it.

      Now if you'll excuse me, I have to xerox and fax my ID somewhere.

  • They should only accept orders as signed emails from a public key you provide on first registration.

  • by whoever57 ( 658626 ) on Friday March 20, 2015 @06:36PM (#49305931) Journal

    I recently transferred one domain (I plan to transfer the rest), but came across an interesting issue in the process. The domain used a proxy registration to hide my information (as recommened in TFA), but, in order to allow the transfer, I had to disable the proxy registration and make it public. Thus, for some time, my privacy protection was not effective. Now this wasn't a big deal for me, but it could be for others.

    Also, note that GoDaddy's domains by proxy makes the total cost of a private domain registration far higher than many other registrars.

    • by CaTfiSh ( 724 )
      For the benefit of anyone tired of paying to be cloaked, Google Domains offers privacy free of charge.
  • While it's cool to shit on GoDaddy here, it is not only that company that can fall to this type of an attack. They have to implement better security features themselves rather than just trying to sell their own version of 'security' to their customers (extra $$$ for preventing your name and email and whatever else, possibly address from being queried by whois).

    I think at the very bare minimum they can implement some sort of a secure word / pin / voice password and maybe a call back to a phone number as a s

  • NearlyFreeSpeech.net offers many TLDs (not all) for registration. If you use them for DNS, their config page isn't that great IMO (it's a bit slow and cumbersome), but I like just about everything else about them.

    Relevant to TFA: you can configure how many "recovery actions," between 2 and 7 (default: 3), which are required before you're granted access to lost account credentials. They also offer a "scorched earth" option: if you lose access to your account, it's gone forever (any associated services will p

Never test for an error condition you don't know how to handle. -- Steinbach

Working...