Phishers Now Targeting Domain Registrars

Edward Falk

This is an issue of some concern and should be watched carefully: phishers are now trying to get passwords of domain registrants (domain owners). Currently, correspondents inform me that GoDaddy is the target, but there's no reason to think the phishers won't expand to other registrars.

Normally, phishers go after bank accounts or other financial information, or sometimes the online accounts of users so that they may send spam.

It's not known precisely why phishers are after domain registration information, but the possibilities are chilling. The most obvious danger is that the phishers might be trying to simply steal domains — recall the sex.com and register.com fiascoes.

One worst-case scenario which has been suggested is this: If a phisher were to successfully hijack the domain registration of a bank or credit union, they could surreptitiously redirect the domain name to their own servers and conduct a man-in-the-middle attack without the bank even realizing it's happening.

Dear GoDaddy Customer,

GoDaddy Customer Support Team requests you to complete GoDaddy Customer Online Form.

This procedure is obligatory for all customers of GoDaddy.

Please click hyperlink below to access GoDaddy Customer Online Form.

http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx

Please do not respond to this email.

This mail generated by an automated service.

Copyright © 1999 - 2007 GoDaddy.com, Inc. All rights reserved.

Of course, the link provided actually goes to the phishing site, not to GoDaddy.

By Edward Falk, Computer professional

Re: Phishers Now Targeting Domain Registrars The Famous Brett Watson  –  Aug 07, 2007 8:15 PM PDT

Could it be that the target of the phishing here is not so much the domain name as access to the hosting facilities which GoDaddy also offers? The ability to construct websites under subdomains of existing domains would be quite useful from the perspective of the generic cybercriminal. After all, they aren't in the business of building brand recognition — they are in the business of churning through identities quite rapidly.

Re: Phishers Now Targeting Domain Registrars Suresh Ramasubramanian  –  Aug 07, 2007 11:38 PM PDT

There is a lot of "take" in a registry + hosting facility that a phisher will find attractive, besides the scenarios you and Ed mentioned.

1. Access to the user's ID / name / address / CC etc stored in his whois profile.

2. Ability to sign up scam domains using the stolen accounts. If they sign up several dozen domains using stolen cards, and use a single account to do it, the registrar can easily take them down.

3. How many people (e&oe domainers) check their accounts with a registrar carefully, every day?  As compared to checking, say, their gmail or ebay accounts?

srs

Re: Phishers Now Targeting Domain Registrars Robert Cannon  –  Aug 08, 2007 11:41 AM PDT

There is a lot of energy behind DNSSEC for this purpose.  DNSSEC digitally signs and locks DNS records in order to secure the database.  There are many reasons for doing this, one of which is to thwart the man-in-the-middle attack.  Without the proper keys, altered DNS records will not verify and will not therefore resolve.  Alternatively, DNSSEC creates a single point of failure in an otherwise disaggregated system - the crypto key.  If the key for signing the DNS root gets compromised, first the database is now exposed and second the root must now engage in a key roll-over (replace the old compromised key with a new key), which is apparently quite hard.  Many are experimenting with DNSSEC but it is not without its doubters.  http://www.cybertelecom.org/dns/security.htm

Re: Phishers Now Targeting Domain Registrars The Famous Brett Watson  –  Aug 08, 2007 5:54 PM PDT

DNSSEC protects against unauthorised changes to DNS records. If you've been phished, the attacker has your authentication credentials, and DNSSEC won't help you.

Re: Phishers Now Targeting Domain Registrars Dave Zan  –  Aug 09, 2007 1:21 AM PDT

So Go Daddy has to worry about potential customers complaining of their searched domain names being swiped, their clients' domain names being hijacked, and now this. That's one price to pay for being arguably the most popular. :P

I've since read of people who have forwarded that same email to Go Daddy. I've yet to see any response from them as of this post, although I'm sure they're on top of it.

Re: Phishers Now Targeting Domain Registrars Suresh Ramasubramanian  –  Aug 09, 2007 4:12 AM PDT

"I’ve since read of people who have forwarded that same email to Go Daddy. I’ve yet to see any response from them as of this post, although I’m sure they’re on top of it."

Godaddy is part of the anti-phishing working group (www.apwg.org) - so I am reasonably sure they have access to some good sound anti-phishing best practices.

As do most of the other phish victims out there.

That doesn't stop phishers from targeting them.
And that doesn't stop ignoramuses from falling for phishes.

That's about all they can do to "be on top of it".. except possibly for something like "we won't ever send you email, any communication with us will be through our website" like several banks do.

Re: Phishers Now Targeting Domain Registrars Jack Durban  –  Nov 09, 2007 7:47 PM PDT

Godaddy just gave away one of our most valuable domains. We can't figure out how they did it but godaddy is complicit in their failure to provide a simple verification email to us to confirm or deny the transfer. It was quite simple for the thief but not so easy to get it back. It will cost us thousands to get it back. Godaddy basically told us to go pound sand. To get this back we have to file a cease and desist letter through an attorney. Then after a predetermined period of time if the crook fails to comply then we have to file a formal action with ICANN or better put "ICANNT" and give them $1,500.00 to impanel a board of arbitrators!

Total bill with all legal fees could reach several thousand dollars.

I got hosed by godaddy and Bob Parsons didn't even send me flowers.
