Slashdot Mirror

← Back to Stories (view on slashdot.org)

GoDaddy Accounts Vulnerable To Social Engineering (and Photoshop)

Posted by Soulskill on from the only-as-strong-as-its-weakest-hyperlink dept.

itwbennett writes: On Tuesday, Steve Ragan's GoDaddy account was compromised. He knew it was coming, but considering the layered account protections used by the world's largest domain registrar, he didn't think the attacker would be successful. He was wrong. Within days, the attacker gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID.

70 comments

  1. Meh by grimmjeeper · · Score: 5, Insightful

    This is reason 363956 why you don't want to use GoDaddy to host your name or accounts.

    1. Re:Meh by Aighearach · · Score: -1, Troll

      Where did they dredge up this Soulskill guy? Are they sure he's a nerd? Since when is, "Golly gee, they're such a big company I just assumed they'd keep my stuff safe for me" something that we care about?

      Some idiot used a giant corporation and got treated like a cog. Good news for him, then; nothing went wrong, you're just experiencing the expected life of a cog. Some wear is expected. And when you're worn, you can be replaced.

      If you want to choose from one of the large registrars, at least check various consumer reporting entities. I doubt you'll find great reviews of "GoDaddy." The reviews might be what you would expect if you just looked at their name and stereotyped the sort of company that would name themselves that.

    2. Re:Meh by Anonymous Coward · · Score: 0

      So what is a good domain registrar to use? How do you determine a good one?

    3. Re:Meh by Nerrd · · Score: 1

      We use ENOM - who have proven to be a good balance between value and not-being-incompetent-@*@#&#s.

    4. Re:Meh by hcs_$reboot · · Score: 1

      So what's the alternative. I mean, not the alternative to godaddy, they're many, but how to prove yourself in case you forgot the password?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:Meh by hcs_$reboot · · Score: 1

      namecheap

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    6. Re:Meh by CaTfiSh · · Score: 1

      Something along the lines of PayPal, where they place a small random charge to your bank account, or credit card and have you recite the amount would be a start. The old InterNIC offered PGP verification.

    7. Re:Meh by rthille · · Score: 1

      Gandi.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    8. Re:Meh by rthille · · Score: 1

      Notarized documents.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    9. Re:Meh by allo · · Score: 1

      Hard to do, because you usually do not need them to sign up. So what should they compare against.

    10. Re:Meh by rthille · · Score: 1

      Well, if they are going to accept "documents" (scans, easily edited), as proof of something, then really they should only accept real, notarized paper versions.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  2. Wow! Who knew! by Anonymous Coward · · Score: 0

    What's next?

    Go get a cup of coffee from a store owned by a company run by a bunch of rich white people and be implicitly called a racist?

  3. I call BS... by fuzzyfuzzyfungus · · Score: 5, Funny

    I'm not sure I believe this story. GoDaddy doesn't offer customer support, so how could the social engineers have spoken to them?

    1. Re:I call BS... by dissy · · Score: 1

      Wait a sec, you mean to say there isn't really a bunch of hot godaddy girls waiting on the edge of their seats just to talk to me??

      *dejected face*

    2. Re: I call BS... by Anonymous Coward · · Score: 1

      I know a few from the Iowa call center.

    3. Re: I call BS... by davester666 · · Score: 1

      Danica, is that you?

      Stuff like this always reminds me of John Candy playing Tattoo from Fantasy Island, lying on a desk, rubbing his thighs with his hands say "Chicks, boss. Chicks!"

      --
      Sleep your way to a whiter smile...date a dentist!
  4. Should sexist developers have hosting removed? by Anonymous Coward · · Score: -1

    Should sexist opensource developers have their projects censored or removed?

    Recently an opensource game release story was removed due to the game developer's open sexism(0) and harrasment(1) of women in tech.

    A story posted by the editor of the popular Phoronix linux news site about a release of an Open Source videogame was later manually removed(2). The reason cited was the game developer's unacceptable views on social issues such as gender equality (3).

    The release story was titled "Xonotic-Forked ChaosEsqueAnthology Sees New Release - Phoronix" and can be accessed via the google cache(4).

    With the recent inclusion of a code of conduct(5) for those wishing to contribute to the Linux Kernel some questions now need to be asked and answered about the inclusion of code from people who are known to engage in or promote socially unacceptable attitudes or harrasments of those whom the free-software movement would prefer to attract in their place:

    * Are the social or political views of an author of free software relevant to that software's inherent quality?
    * Should the beliefs of an opensource developer weigh when when evaluating whether a piece of opensource software is worthy of any publicity or public notice?
    * Should men with unpopular or "forbidden" views be excised from the opensource movement and "not allowed" to contribute, in a manner similar to that which is done in employment?
    * Has the free/opensource software movement changed in these respects since its founding? If so is this a positive change?
    * Should there be gatekeepers to opensource that decide who may and who may not contribute. Should abusive developers be "blackballed" to maintain proper social order and controls?

    and

    * What are the consequences of not doing this

    Citations:
    (0) Past related incident: http://esr.ibiblio.org/?p=1310
    (1) http://geekfeminism.wikia.com/...
    (2) Removed story URL: http://www.phoronix.com/scan.p...
    (3) http://www.phoronix.com/forums...
    "Fortunately, the article has been removed now."
    "Thanks everybody for speaking up."
    (4) https://webcache.googleusercon...
    (5) Linux "Code of Conflict"

    1. Re:Should sexist developers have hosting removed? by Anonymous Coward · · Score: 0

      Should there be gatekeepers to opensource that decide who may and who may not contribute. Should abusive developers be "blackballed" to maintain proper social order and controls?

      Depends... is you name Hans Reiser?

    2. Re:Should sexist developers have hosting removed? by allo · · Score: 1

      I like the sexiest opensource developers, but moderate sexy ones are okay, too.

  5. Oh noes! by Anonymous Coward · · Score: -1

    Has someone informed Fox News? They can call it Godaddygate oder Benghadddy!

  6. No Duh. by Anonymous Coward · · Score: 1

    Really? Never heard of Identity Theft. Anybody can do the same thing and walk out of a bank with all my money. Unless you are recommending some sort of National ID system hard coded to my DNA, then these type of "hacks" will always happen, or at least you will know its your twin who stole it.

    1. Re:No Duh. by david_thornley · · Score: 4, Interesting

      If somebody does that and removes money from your bank, the bank is going to have to show it was really you, or that there was sufficient authentication by a route you agreed to. A conversation with a bank employee and a photoshopped ID are not going to be considered sufficient authentication. If it turns out the bank was liable, it is going to have to restore the money, and it will be able to do so. Recovering the money fraudulently taken from the bank is, after that, the bank's problem.

      There have been cases where stolen domains (where the evidence is clear) are never returned. It seems to depend on the registrar, and that's a good reason not to use GoDaddy.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:No Duh. by Eravnrekaree · · Score: 1

      Okay. What registrar do you recommend using?

    3. Re:No Duh. by rot26 · · Score: 2

      namecheap.

      Not affiliated, blah blah blah and so on and so on.

      --



      To ensure perfect aim, shoot first and call whatever you hit the target
    4. Re:No Duh. by Anonymous Coward · · Score: 1

      namesilo

      I use them for about 10 domains.
      The price is right. They also include a ton of stuff for free, like whois privacy,
      I've configured it to email me every time there is any action with the account, even just a login kicks off an email immediately.

    5. Re:No Duh. by AmiMoJo · · Score: 1

      I've used this technique before. A company needed a recent bank statement scanned to comply with money laundering rules or some rubbish. I don't have paper statements any more, and an electronic one wouldn't do. So I scanned an old one and shopped a recent date in.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Photoshop? by Anonymous Coward · · Score: 0

    I use Gimp for Linux.

    1. Re:Photoshop? by Anonymous Coward · · Score: 0

      I hope that's a free range CPU you're using.

  8. Thanks for teaching the criminals how to do it by Anonymous Coward · · Score: 0

    Most secure systems can be overcome by a clever con artist. I am not a fan of GoDaddy, but they are not the only ones who could be tricked in this way. All you have really done with this article is teach the criminals how to con and trick their way past many company's standard security policies.

    Thanks for that.

    1. Re:Thanks for teaching the criminals how to do it by CaTfiSh · · Score: 1
      I suppose you are against vulnerability reporting as well? Bringing issues to light is a way of raising public awareness to force pressure towards resolution.

      It doesn't require any special skill to exploit weak authentication requirements, so I doubt the article will result in a mass theft of domains.

      This is exactly why I used PGP verification with InterNIC back in the day.

  9. Godaddy are thieving wankers dot com by Dr_Barnowl · · Score: 5, Interesting

    ... is the name of a domain name I searched for on their site to see if they'd bite.

    A few years ago I thought I'd buy a domain for myself. Went and searched for it on their site. NEVER DO THIS.

    It wasn't taken.

    I ummed and aahed and slept on it.

    I came back. It was taken. By Domains By Proxy LLC. Who are owned by GoDaddy.

    It seems to have been sold on to another speculator, unless Afternic are them too. (I just checked. Afternic were bought out by GoDaddy in 2013).

    I own the .co.uk variant of it now. I used GANDI, who by all accounts, are not wankers.

    So, if you want a domain, be prepared to buy it on the spot if it's available. And use a registrar who aren't arseholes.

    1. Re:Godaddy are thieving wankers dot com by Anonymous Coward · · Score: 0

      GoDaddy threatened to seize all of my domains with them if I didn't pay a $199 "fine." Apparently, this happens to a lot of their customers.

    2. Re:Godaddy are thieving wankers dot com by cdrudge · · Score: 3, Informative

      I don't know if Godaddy speculates under Domains By Proxy, but Domains By Proxy is what they also list any account that has enabled the "whois privacy" feature to mask their contact information. It's possible you were just a victim of bad luck.

    3. Re:Godaddy are thieving wankers dot com by Anonymous Coward · · Score: 0

      This happened to me too. Many years ago. I also looked into who bought my name and it was a sub of the registrar. And God help you if you are registered with GoDaddy and you let your domain expire. You won't believe how much they will want to reinstate you. Thousands if you are small, much more if you are a popular site.

    4. Re:Godaddy are thieving wankers dot com by jonow · · Score: 1

      I have encountered this same exact scenario multiple times. Go looking for domains, the next day they are all taken.

    5. Re:Godaddy are thieving wankers dot com by Dr_Barnowl · · Score: 4, Insightful

      For a 2 word .com domain name that had been previously unregistered for 30 years? And was registered for the first time shortly after I fed it into a whois query box on their site?

      No. There's no coincidence there.

    6. Re:Godaddy are thieving wankers dot com by jd2112 · · Score: 1

      Perhaps a good way to get back at them is to write a script to constantly search for bogus domain names so that they keep buying them up.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    7. Re:Godaddy are thieving wankers dot com by Bender+Unit+22 · · Score: 2

      I experienced the same with a Danish DNS company 15 years ago. I came up with a good name and short, never registered before. Filled out the form and paid with credit card, only to have it rejected the next day because it all of the sudden already was registered by the same registrar but to some odd company I could not find any information on.

    8. Re:Godaddy are thieving wankers dot com by rot26 · · Score: 1

      No, no coincidence. This has happened to me multiple time, though not with godaddy because I've never been tempted to use them. It's such a simple, obvious bit of asshattery that many registrars do this, although (excuse my lack of definitive information) I don't believe they actually register the domain name, there is some additional asshattery that allows them to tie the name up for a short period without actually having to pay money for it... which means that after a few days (???) it will become available again. Of course, everything I just said could be wrong.

      but I don't think so

      --



      To ensure perfect aim, shoot first and call whatever you hit the target
    9. Re:Godaddy are thieving wankers dot com by Anonymous Coward · · Score: 0

      I had the same issue, but it was on a random WHOIS site.

      I wanted to see if the domain was taken before I would go and open a company name based on it. Lo and behold, GoDaddyied by Proxy.

      The only weird thing is, they didn't allow me to buy the domain back for some reason.

    10. Re:Godaddy are thieving wankers dot com by Anonymous Coward · · Score: 0

      That type of behaviour seems vulnerably to a DoS-type attack. You know, like if everyone started querying domains, faining interest.

    11. Re:Godaddy are thieving wankers dot com by sribe · · Score: 4, Interesting

      ...there is some additional asshattery...

      There is some period for which they can register, then cancel, without paying fees upstream.

    12. Re:Godaddy are thieving wankers dot com by v1 · · Score: 1

      there is some additional asshattery that allows them to tie the name up for a short period without actually having to pay money for it

      This was called "domain tasting", and the guise it was made under was to "allow a customer to put up a web site under a new domain name to test it out and sample it to see if they wanted to purchase it". This is of course a silly concept, you don't need to have the domain name in its final form to decide whether or not your web page works. What it DOES do is encourage this squatter behavior.

      When they first started allowing that, there were suddenly millions of domains in a continuous "sampling churn" by the squatters. ("In April 2006, out of 35 million registrations, about 2 million were permanent or actually purchased." ie 94% of active domains were being "tasted") Getting a domain during that period without paying a squatter hundreds or thousands for it was very difficult. They had five days to decide whether to purchase or not, but then could just immediately (within seconds?) re-request a tasting, essentially keeping the domain locked under their control until you paid them off.

      In 2009 ICANN made changes to mostly eliminate the free tasting when done in bulk. This helped a lot but there was still a lot of squatting going on. They made one more tweak, and after that the tasting was down to under ONE PERCENT of what it had been a year before. They called it good at that point.

        But someone above mentioned such a squatter being actually owned by the registrar, which really "tastes like" fraud to me.

      --
      I work for the Department of Redundancy Department.
    13. Re:Godaddy are thieving wankers dot com by CaTfiSh · · Score: 1

      This has been going on for a long time, and not just with GoDaddy. There was quite a bit written about it a number of years ago, which included ISPs selling lists of unresolved DNS queries. Thus, along with misspellings, people checking to see if a domain name was available were finding them quickly snatched up.

    14. Re:Godaddy are thieving wankers dot com by Jack+Griffin · · Score: 1

      Why not just register everything? Keep a cycle of registrations and cancellations going so you can fuck everyone over by owning everything all the time?

    15. Re:Godaddy are thieving wankers dot com by sribe · · Score: 1

      Why not just register everything?

      Combinatorial explosion. No way to register "everything"; no practical way to predict what will actually be requested.

    16. Re:Godaddy are thieving wankers dot com by Jack+Griffin · · Score: 1

      This is the age of big data. Every combination of up to 10 letters and numbers is only 3 quadrillion records. I can't imagine that would be impossible for a motivated party. If you wanted to be a little more sensible, run those combinations through a dictionary and you easily knock a few orders of magnitude off the scale.

    17. Re:Godaddy are thieving wankers dot com by Anonymous Coward · · Score: 0

      So you're saying we can bait GoDaddy to buy bad domains? Like if I were to go there now and search a bunch of domain names no one would ever want, I can make them waste their money?

    18. Re:Godaddy are thieving wankers dot com by Anonymous Coward · · Score: 0

      Unresolved DNS queries? Really? That seems highly unethical for anyone to do that as it counts as spying in my book.

      I tested it with GoDaddy the other day or something like that.
      Tried: registermenowsearch.com
      Now it says, "Sorry, that name is not available for registration. Please try again."

      Now, Network Solutions says it is available. So, I'm thinking GoDaddy is placing a hold on it internally, and not actually registering anything.

  10. y/uo Fail It! by Anonymous Coward · · Score: -1

    man walkIng. It's PPor priorities,

  11. Fake Story to drive clicks on the article by Anonymous Coward · · Score: 1

    Don't feed the huckster as I inadvertently did...

    On the 1st page, I was confused by the alleged victim writing his description of the attack in the wrong person... then on page 3 you learn that the so-called "attack" on which the article was based is actually a fake attack (by the author, looking to boost hid street 'cred' as a security guru?) on an account setup just to be attacked for this article.

    This sort of "story" is nothing but a dishonest ad, erroneously promoted on Slashdot.

    [ben stein voice]Editor? ... Editor? ... Editor? [/ben stein voice]

  12. Photo ID over the internet is STUPID by Anonymous Coward · · Score: 1

    I've noticed that a lot of companies demand a photo id to verify your identity when they have doubts. I refuse to ever do it for two reasons:

    (1) Its practically inviting identity theft. I mean W T F? How do I know some disgruntled employee isn't keeping a copy of every scanned ID that comes in and then selling the info on some darknet market?

    (2) Its totally forgeable. There is no way they verify that a scanned ID has not been photoshopped, all the anti-forgery stuff on them depends on it being the original copy, duh. It isn't like they can pull up a copy from the DMV. Some DMVs do sell the raw data (the ones that still do let you opt out of being sold when you get your license), but they sure don't sell a picture of the ID.

    It has got to be one of the stupidest, ineffectual, bass-ackwards policies I've seen. And yet it is so common.

  13. Wow... by Lunix+Nutcase · · Score: 0

    Wow, guy who owns the account managed to get access... to his own account. Wow, what a great story, bro.

    1. Re:Wow... by Anonymous Coward · · Score: 0

      Wow, guy who doesn't read the article, or even the summary, managed to get his comment 100% wrong. Wow, what a great response, bro

    2. Re:Wow... by Lunix+Nutcase · · Score: 1

      I did read the article. The guy worked with someone else to get access to his own account.

  14. Gimped by markdavis · · Score: 0

    >"gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID."

    Are you sure it wasn't a "Gimped ID" or any number of other programs? Yeesh.

    Hint: "photoedited" ID.

    1. Re:Gimped by Lunix+Nutcase · · Score: 2

      Yes, they are sure.

      "This was probably overkill, but I’m a perfectionist when it comes to these things. The subtitles in the driver's license seal were no match for Photoshop's 'content aware and replace' feature. It wasn't perfect, so the majority of my time was spent pushing pixels until it looked right. A little blur and grain go a long way to making something look authentic," Mr. Troia said.

    2. Re:Gimped by kindbud · · Score: 1

      Well if you're going to cry about it, here's a kleenex. And to help make you feel better, please have some jello. If you don't get the joke, google it.

      Now if you'll excuse me, I have to xerox and fax my ID somewhere.

      --
      Edith Keeler Must Die
  15. Ideally, I'd want a registrar that does PGP. by Dr_Barnowl · · Score: 1

    They should only accept orders as signed emails from a public key you provide on first registration.

    1. Re:Ideally, I'd want a registrar that does PGP. by Anonymous Coward · · Score: 0

      And if you lose that key, you lose access to the account and all of the associated domains?

      What's up with people making so much noise about this but not offering any solutions? "That's bad..." but there's no "this is how you do it" that makes any sort of sense. Must just be a waste of an article. Anyone who expects their registrar to be DOD-certified and "unhackable" is an utter fool. At the end of the day, they all have to deal with grandmas.

  16. Barriers to transferring away from GoDaddy by whoever57 · · Score: 4, Informative

    I recently transferred one domain (I plan to transfer the rest), but came across an interesting issue in the process. The domain used a proxy registration to hide my information (as recommened in TFA), but, in order to allow the transfer, I had to disable the proxy registration and make it public. Thus, for some time, my privacy protection was not effective. Now this wasn't a big deal for me, but it could be for others.

    Also, note that GoDaddy's domains by proxy makes the total cost of a private domain registration far higher than many other registrars.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Barriers to transferring away from GoDaddy by Anonymous Coward · · Score: 0

      Yes, I had this exact issue, and it was a big deal for me. It's only luck that (so far) nothing seems to have come of it, although it's possible someone somewhere has my info.

    2. Re:Barriers to transferring away from GoDaddy by CaTfiSh · · Score: 1

      For the benefit of anyone tired of paying to be cloaked, Google Domains offers privacy free of charge.

    3. Re:Barriers to transferring away from GoDaddy by C0dey · · Score: 0

      That's what has kept me from leaving GoDaddy. You confirmed what I was afraid of :/

      --
      My karma is bad because I'm a bad person.
  17. A callback needs to be mandatory to change account by roman_mir · · Score: 1

    While it's cool to shit on GoDaddy here, it is not only that company that can fall to this type of an attack. They have to implement better security features themselves rather than just trying to sell their own version of 'security' to their customers (extra $$$ for preventing your name and email and whatever else, possibly address from being queried by whois).

    I think at the very bare minimum they can implement some sort of a secure word / pin / voice password and maybe a call back to a phone number as a secondary measure.

    --
    You can't handle the truth.
  18. Re:A callback needs to be mandatory to change acco by Anonymous Coward · · Score: 0

    This is an obvious example of needing government legislation to make companies behave properly.

  19. This method has been around for some time.. by Anonymous Coward · · Score: 0

    You'd think GD would get their shit together, but they never do.

  20. Re:A callback needs to be mandatory to change acco by Anonymous Coward · · Score: 0

    Wrong, it is not. Bad PR and people using or not using the service is all that is needed. Government violence is never the answer.

  21. man versus machine by Anonymous Coward · · Score: 0

    Sat 3/21/2015 9:53 am. The story simply demonstrates that dedicated human guile will likely win. The point of most security is to make cheap *robot* attacks harder.

    After all, if the security guy failed to get through the telephone approach, he could hire a cute girl to suborn someone in the company -- for enough $. And if that didn't work, he could kidnap somebody, etc.

    But if you think a service with hundreds or millions of users is proof against high-level efforts, you are dreaming.

  22. NFS.net lets you configure your paranoia level.... by gurnec · · Score: 1

    NearlyFreeSpeech.net offers many TLDs (not all) for registration. If you use them for DNS, their config page isn't that great IMO (it's a bit slow and cumbersome), but I like just about everything else about them.

    Relevant to TFA: you can configure how many "recovery actions," between 2 and 7 (default: 3), which are required before you're granted access to lost account credentials. They also offer a "scorched earth" option: if you lose access to your account, it's gone forever (any associated services will persist until the account runs out of funds).

    Screenshot of NFS.net account recovery settings