GoDaddy accounts vulnerable to social engineering and Photoshop

GoDaddy's layered verification protections defeated by a phone call and four hours in Photoshop

CSO staff

On Tuesday, my personal account at GoDaddy was compromised. I knew it was coming, but considering the layered account protections used by the world's largest domain registrar, I didn't think my attacker would be successful.

I was wrong. He was able to gain control over my account within days, and all he needed to do was speak to customer support and submit a Photoshopped ID.

GoDaddy serves more than 13 million customers, who in turn place 59 million domains under the registrar's management. They have thousands of employees working across the globe who help staff the support and operations teams twenty-four hours a day.

Sometimes, customers forget their account number or password; perhaps they forget what email they've used to register a domain. In either case, GoDaddy's support staff are there to assist.

According to GoDaddy support, account resets are a simple process. If you've forgotten your username or customer number, you simply select the correct link at the login screen or account assistance page. However, you can also call customer support and complete the process over the phone.

Depending on the circumstances, a phone call will resolve most account-related problems, provided you know your domain, the email address on file, customer number (or username), street address on file, or the last four digits of the credit card used on the account.

When Vinny Troia, the CEO of Night Lion Security, called GoDaddy and attempted to reset my account password, the representative who answered the phone followed all established protocols and attempted to confirm Mr. Troia's identity.

Armed with only basic information and no access to the account's primary email address, Mr. Troia should have failed. Yet, the exact opposite happened; he succeeded despite GoDaddy's layered protections.

"Initiating the takeover was a relatively simple process. I called GoDaddy and explained that I no longer had access to my domain. We reviewed and verified the WHOIS information - which really consisted of me reciting the WHOIS information back to the representative," Mr. Troia said, explaining the process of compromising my account.

"She asked if I had access to the email address on file, which I obviously did not. I explained that there were a lot of office politics at the moment that I didn’t feel like getting into. Long story short, it was my domain and I wanted access to it."

While this conversation was taking place, Mr. Troia's daughter was making noise while playing. This background distraction created just the setting needed for Mr. Troia to push his social engineering scheme. By acknowledging the distractions, it was clear that Mr. Troia had a good deal of things going on, so the support representative was more than happy to move the conversation forward and make the process painless.
