Only last week I posted about another phishing scam targeting GoDaddy clients, this client only just bought his first domain last week. He knew nothing should have been changed, so luckily when he got the email notification “Status Alert: Domain Change Notification #5361” he forwarded it on, they are obviously watching the new domains propagate and grabbing the owner’s real name from the “who is”, fairly well targeted.
Subject: Status Alert: Domain Change Notification #5361 Dear Valued GoDaddy Customer Larry LastName. This notification is generated automatically as a service to you We have received a request that the name servers be changed for the following domain name(s): larrys_domain.com If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager. Use the link below: https://alert.godaddy.com/la.aspx?security=d0bb8259d8fe3c7df4554dab9d7da3c9 (linking to CompromisedSite.org/wp-includes/css/eemimhqezt.php?eemimhqezt=d0bb8259d8fe3c7df4554dab9d7da3c9) Sincerely, GoDaddy Domain Backorders team
It doesn’t at all look like the real Domain Change Notifications that GoDaddy send out (pictured on left), and there is some unusual grammar, the page that it links to on the compromised site is identical to the last phishing page I wrote about, again designed to steal GoDaddy clients username and passwords.
GoDaddy do have a private registration option that would have blocked this targeted abuse, but as they charge $7.99 a year for .COMs, nearly doubling the cost of registration, few people choose this additional extra.
Other top level domain names registrations I am aware of, such as .co.uk include the privacy option for free to non business customers, it might be time for all TLDs to follow this practice.
Update 26th April 2015:
This page has seen a huge increase in visits the last couple of days, as this post is 4 months old I can only think the scammers have become very active.
That said, from a dozen or so people who have contacted me that had fallen for it, none of their accounts were hijacked and they changed their passwords so have full control of their GoDaddy accounts, but it would be a good idea to check what the last IP was that logged into your cPanel (it’s there on the right) and to have a poke around for new or altered files and/or run a malware scan, you can use the Sucuri malware tool at the top of the right sidebar here.
Hello Mike, I received that mail today and was estrange because I did’t move anything. So I started to investigate about it and found your post. The mail looks so real. And even the addres. This is the addres:
Godaddy
I’m going to make some changes and pay the $7.99 to block my information. Thanks for sharing the information.
Sorry for call you Mike Marc xD. My mistake.
Lol, that’s OK, I’ve been called far worse. So pleased my posts help out. Personally I won’t pay the extra, I think that’s a exorbitant fee, on .co.uk’s and .ca’s hiding your contact information is a free service, and there is no reason it should be charged for. But I am in the fairly unique situation of seeing all these scams a mile off, actually I welcome them, so I can feed my hobby of exposing them.
I just got one! I clicked on the link but did not log in… when i went to the page to log in the first thing I noticed was the website name. It took me to that page you log into when you session time out… first mistake…. Then i decided to go back to the email and look where it came from… it had everything go daddy…. so i went ahead and opened a new tab and logged into Godaddy the way I always did. Not notifications in my account. I then called a friend and he told me to call Godaddy and something told me to use Google when I came across this page. This really confirmed it. But i had another email a few hours after for a friend request but don’t list the social media it’s from and under the wrong tab. reported it to gmail and Godaddy.
I received this today as well, I was on my I phone at the time, I believed it was real and stupidly clicked into it. I never click links so I feel really stupid for falling for it. (honestly thought it was real, I only got my domain last weekend)
Now I have clicked on it I’m kind of worried my phone now isn’t safe, what does it mean now I have clicked into it?
Thanks
Gemma
That should be OK, as long as you didn’t enter your GoDaddy username and password, the version I saw of this was just phishing for them, it had no malware on the page, it was only stealing your login. If you would like to forward me a copy of the email I can confirm that for you. Really don’t feel stupid, this is very real looking and highly targeted.
This happened to me last night. Identical wording but my hosting is from HostGator. Looks legit and everything. I submitted a ticket to them but haven’t heard anything. I seriously thought it was something they generated or someone trying to get into my c panel but if it’s fake, they are doing an amazing job of impostering the company. I did click on the link though to login, so hopefully nothing bad is happening. It’s really wracking my brain right now and I’m just getting upset and anxious about it.
Thank you Anni for passing that along, I have sanitised it so there are no identifiers and hopefully this will help other HostGator clients from getting stung.
It is the same targeted phishing email, but against a HostGator account, and yes it’s very convincing,
You’ve done the right thing changing your password, and bringing it to the attention of HostGator, yes they will be slow to respond.
From: HostGator
Date: March 2, 2015 at 8:24:32 PM PST
To: removed
Subject: Account Notice : Error № 8018
Dear Valued HostGator Customer REAL NAME WAS HERE.
This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):
somedomain.com
If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager.
Use the link below:
https://portal.hostgator.com/check.aspx?nw=removed_identifier
(which actually linked to http:// rostdlaresnic.ru/html/misc/tvyokmikwp.html?tvyokmikwp=REMOVED_IDENTIFIER)
Thank you,
HostGator.com Support
Toll-free: 1-866-96-GATOR
International: 001-713-574-5287
Hello,
I received the same email a while back – ignored it because I was pretty swamped, just did a search and found your site…thanks for posting!
===========
From: Godaddy
Sent: Thursday, January 8, 2015 7:50 PM
Subject: Status Alert: Domain Change Notification #:2598
Dear Valued GoDaddy Customer Real First and Last Name.
This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):
ActualWebsite.com
If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager.
Use the link below:
https:// rm.godaddy.com/whois.aspx?sec=95c9d994f8d75d4d60f8bb8f25902339
Sincerely,
GoDaddy Domain Backorders team.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Copyright (c) 1999-2014 GoDaddy.com, LLC. All rights reserved.
Did you really have that domain listed with “Back Orders”, if so that would be more worrying, because that information could not be found on who is and must have come from the inside.
Well… I clicked the link… Then filled out my details… A few times because the site didn’t seem to be working! I only then contacted Go Daddy to fix their freaking site and ask what’s going on. Only to be told by a nice lady that it was spam. I felt pretty silly, I normally see these a mile away. Since then, I have changed my password but what else can I do to make sure nothing else was compromised? I am on a Mac if that makes a difference.
This page has seen a huge increase in visits the last couple of days, as this post is 4 months old I can only think they have become very active.
That was a bit misleading of GoDaddy, it’s not spam at all, it’s a targeted phishing attack.
That said, from a dozen or so people who have contacted me that had fallen for it, none of their accounts were hijacked, it would be a good idea to have a poke around for new or altered files or run a malware scan, you can use the one at the top of the right sidebar.
I have just seen this..after i clicked the link 🙁
I immediately logged back in on another PC and changed all my passwords.
I rang Godaddy and said the email came from support@…
They told me that they no longer have access to that email and its spam.
My question is, how can someone else use that email address without access to their server??
I hate that they are calling it spam, it just isn’t. That said, they would know that your account was unbreached when you contacted them, as I would hope they are checking that no unexpected logins would have shown up in their backend.
Regarding email “from” addresses, they are surprisingly easy to falsify, or spoof, and even easier if you are sending them from a hacked rented godaddy clients server, i don’t know if thats the case here as I have not seen the recent abusers email headers, you can mail them to me if you like (don’t post that publicly).
I received the same email this morning. The domain in question was purchased 2 weeks ago and has nothing on it.
I tried to log in and change my password on GoDaddy and it tells me I am unable to change it, the last 5 password attempts failed.
You best call GoDaddy 866-938-1119 urgently, and tell them what has happened.
I do webdesign work and take care of all of the registration and hosting for my clients. I received this email today and found your blog about it! Thanks for keepin a look out!
Just received the link & clicked on it… the website just felt wrong so I googled & landed on this page.
Thanks & hope that simply clicking on the link doesn’t compromise my access.
Got the email, clicked it, gave the details and then googled to find this page. I guess I am myself to be blamed for being stupid to actually click a link without checking and secondly going for a spammy godaddy domain. I wonder if godaddy themselves resort to such activities to force buy the privacy protection ?
Thanks Marc for this page, learnt a lesson today !
I got very similar email (See Below). I have had this domain for over a year.
This what i got:
_____________________________________________________________________
from: Godaddy
to: (my email address here)
date: Wed, Aug 19, 2015 at 4:58 PM
subject: Status Alert: Domain Change Notification № 1962
mailed-by: srv34-h-st.jino.ru
Dear Valued GoDaddy Customer (my name here).
This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):
(my website here)
If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager.
Use the link below:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Sincerely,
GoDaddy Domain Backorders team.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Copyright (c) 1999-2015 GoDaddy.com, LLC. All rights reserved.
___________________________________________________________________
It went to secure https://sso.godaddy.com/?path=sso%2freturn&app=www I clicked and put in my info. Then I thought about it and thought it was odd to get an email like that. I quickly exited and opened up new browswer, signed into godaddy and changed password.
Not sure what all will happen but its ok there. Thanks for post on this issue.
That’s great, I would guess their abuse of accounts is not automated, not much they can do with your old password now, most I’ve seen came from russian mail servers, thanks for including the source.
Yep, just go same email today. Scanned the link and did not match a go daddy but was some obvious hackers russian. Logged in to my account all looks. never click on email links until you hover over them. I wish the mail servers would warn when link does not match text. Should be simple.
Wyatt: Great point about blocking phising mails, i.e. when the header information doesn’t match the “from” address!
I do agree, it is relatively easy to spot, in my case the name on top was wrong as well.
Peter
I just got one of these today myself after registering a new domain about a month ago. I knew it was fishy because the actual website address they were asking you to go to didn’t match the actual wording of the link. But it had me concerned enough that I checked my account (going to their actual website myself rather than following any link, of course). I didn’t see anything unusual, so then I went searching and found your article. Nice to have confirmation of what I suspected.
This is still going on, if you clicked the link you’re not alone…TRY THIS IF SO…
1. close the browser session to be safe
2. delete temp internet files to be safe
3. open browser, enter hosting url & login to your account
4. view your account details, click security settings
5. IF PARANOID = change usesrname, password & activate the PIN option.
6. IF NOT PARANOID = change your password to a new one.
7. FYI = I haven’t heard a reply about godaddy accts being hijacked after clicking the link, but it makes you fell silly and scared if you have.
* this is a legit phishing attempt, not spam & the URL being a .RU should tell you a lot.
** srv34-h-st.jino.ru = DO NOT VISIT THEIR SITE & REPORT THEM AS MUCH AS POSSIBLE!
Good Luck & Great Post “Marc”
Admin@TCIT
Still going on, received one today.
The text only email made me immediately suspicious, as legit Go Daddy correspondence is full of colour/graphics etc. The other was that they had the sender name in the wrong case.
I’ve become very parnoid about clicking anything these days, so did a quick search and found this article. Thanks.
Received one today. This one was a little sloppy – came to my email, but with someone else’s name. At least appears to be Russian origin, via a recently hacked server in India.
Delivered-To: me@myemail.masked
Received: by 10.107.58.198 with SMTP id h189csp1369647ioa;
Sun, 20 Sep 2015 14:22:17 -0700 (PDT)
X-Received: by 10.112.54.169 with SMTP id k9mr6161692lbp.95.1442784137435;
Sun, 20 Sep 2015 14:22:17 -0700 (PDT)
Return-Path:
Received: from srv49-h-st.jino.ru (srv49-h-st.jino.ru. [81.177.139.13])
by mx.google.com with ESMTP id g3si14045674lag.57.2015.09.20.14.22.17
for ;
Sun, 20 Sep 2015 14:22:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of topnatali@srv49-h-st.jino.ru designates 81.177.139.13 as permitted sender) client-ip=81.177.139.13;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of topnatali@srv49-h-st.jino.ru designates 81.177.139.13 as permitted sender) smtp.mailfrom=topnatali@srv49-h-st.jino.ru;
dmarc=fail (p=NONE dis=NONE) header.from=godaddy.com
Received: by srv49-h-st.jino.ru (Postfix, from userid 3060)
id AD983E7802D; Mon, 21 Sep 2015 00:22:16 +0300 (MSK)
To: me@myemail.masked
Subject: Status Alert: Domain Change Notification # 1136
MIME-Version: 1.0
Content-type: text/html; charset=UTF-8
From: Godaddy
Message-Id:
Date: Mon, 21 Sep 2015 00:22:16 +0300 (MSK)
Dear Valued GoDaddy Customer masked.
This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):
masked
If you are monitoring this name with Domain Backorders, the above change is also displayed in the Monitoring and Backordering section of your Account Manager.
Use the link below:
url removed
Sincerely,
GoDaddy Domain Backorders team.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Copyright (c) 1999-2015 GoDaddy.com, LLC. All rights reserved.
yes, the ones I have seen lately are sloppy, no graphics like previous ones I saw.
Thanks, Marc, for the post!
While I spotted it pretty quick, it still leaves me with a strange feeling, like having your house invaded.
I love email, and these gangsters are making it more and more difficult, as many folks use texting and it happens frequently that emails are not responded too.
Bill Gates said a Decade ago that we’ll get this problem under control. In some ways, it is out of control, unless you establish thick walls (security) around you, which keep most of the creeps out.
Thanks again for your post.
BTW, my host was Hostmonster, and the phishers were indeed sloppy, and that gave it away for me.
Peter