Phishers Now Targeting Domain Registrars

Edward Falk

This is an issue of some concern and should be watched carefully: phishers are now trying to get passwords of domain registrants (domain owners). Currently, correspondents inform me that GoDaddy is the target, but there's no reason to think the phishers won't expand to other registrars.

Normally, phishers go after bank accounts or other financial information, or sometimes the online accounts of users so that they may send spam.

It's not known precisely why phishers are after domain registration information, but the possibilities are chilling. The most obvious danger is that the phishers might be trying to simply steal domains — recall the sex.com and register.com fiascoes.

One worst-case scenario which has been suggested is this: If a phisher were to successfully hijack the domain registration of a bank or credit union, they could surreptitiously redirect the domain name to their own servers and conduct a man-in-the-middle attack without the bank even realizing it's happening.

Dear GoDaddy Customer,

GoDaddy Customer Support Team requests you to complete GoDaddy Customer Online Form.

This procedure is obligatory for all customers of GoDaddy.

Please click hyperlink below to access GoDaddy Customer Online Form.

http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx

Please do not respond to this email.

This mail generated by an automated service.

Copyright © 1999 - 2007 GoDaddy.com, Inc. All rights reserved.

Of course, the link provided actually goes to the phishing site, not to GoDaddy.

By Edward Falk, Computer professional. Visit the blog maintained by Edward Falk here.


Comments

Re: Phishers Now Targeting Domain Registrars The Famous Brett Watson  –  Aug 07, 2007 7:15 PM PST

Could it be that the target of the phishing here is not so much the domain name as access to the hosting facilities which GoDaddy also offers? The ability to construct websites under subdomains of existing domains would be quite useful from the perspective of the generic cybercriminal. After all, they aren't in the business of building brand recognition — they are in the business of churning through identities quite rapidly.

Re: Phishers Now Targeting Domain Registrars Suresh Ramasubramanian  –  Aug 07, 2007 10:38 PM PST

There is a lot of "take" in a registry + hosting facility that a phisher will find attractive, besides the scenarios you and Ed mentioned.

1. Access to the user's ID / name / address / CC etc stored in his whois profile.

2. Ability to sign up scam domains using the stolen accounts. If they sign up several dozen domains using stolen cards, and use a single account to do it, the registrar can easily take them down.

3. How many people (e&oe domainers) check their accounts with a registrar carefully, every day?  As compared to checking, say, their gmail or ebay accounts?

srs

Re: Phishers Now Targeting Domain Registrars Robert Cannon  –  Aug 08, 2007 10:41 AM PST

There is a lot of energy behind DNSSEC for this purpose. DNSSEC digitally signs and locks DNS records in order to secure the database. There are many reasons for doing this, one of which is to thwart the man-in-the-middle attack. Without the proper keys, altered DNS records will not verify and will not therefore resolve. Alternatively, DNSSEC creates a single point of failure in an otherwise disaggregated system - the crypto key. If the key for signing the DNS root gets compromised, first the database is now exposed and second the root must now engage in a key roll-over (replace the old compromised key with a new key), which is apparently quite hard. Many are experimenting with DNSSEC but it is not without its doubters. http://www.cybertelecom.org/dns/security.htm

Re: Phishers Now Targeting Domain Registrars The Famous Brett Watson  –  Aug 08, 2007 4:54 PM PST

DNSSEC protects against unauthorised changes to DNS records. If you've been phished, the attacker has your authentication credentials, and DNSSEC won't help you.

Re: Phishers Now Targeting Domain Registrars Dave Zan  –  Aug 09, 2007 12:21 AM PST

So Go Daddy has to worry about potential customers complaining of their searched domain names being swiped, their clients' domain names being hijacked, and now this. That's one price to pay for being arguably the most popular. :P

I've since read of people who have forwarded that same email to Go Daddy. I've yet to see any response from them as of this post, although I'm sure they're on top of it.

Re: Phishers Now Targeting Domain Registrars Suresh Ramasubramanian  –  Aug 09, 2007 3:12 AM PST

"I've since read of people who have forwarded that same email to Go Daddy. I've yet to see any response from them as of this post, although I'm sure they're on top of it."

Godaddy is part of the anti phishing working group (www.apwg.org) - so I am reasonably sure they have access to some good sound anti phishing best practices.

As do most of the other phish victims out there.

That doesn't stop phishers from targeting them.
And that doesn't stop ignoramuses from falling for phishes.

That's about all they can do to "be on top of it".. except possibly for something like "we won't ever send you email, any communication with us will be through our website" like several banks do.

Re: Phishers Now Targeting Domain Registrars Jack Durban  –  Nov 09, 2007 6:47 PM PST

Godaddy just gave away one of our most valuable domains. We can't figure out how they did it but godaddy is complicit in their failure to provide a simple verification email to us to confirm or deny the transfer. It was quite simple for the thief but not so easy to get it back. It will cost us thousands to get it back. Godaddy basically told us to go pound sand. To get this back we have to file a cease and desist letter through an attorney. Then after a predetermined period of time if the crook fails to comply then we have to file a formal action with ICANN or better put "ICANNT" and give them $1,500.00 to impanel a board of arbitrators!

Total bill with all legal fees could reach several thousand dollars.

I got hosed by godaddy and Bob Parsons didn't even send me flowers.
