GoDaddy accounts vulnerable to social engineering and Photoshop

GoDaddy's layered verification protections defeated by a phone call and four hours in Photoshop

1 2 3 Page 3
Page 3 of 3

What happened to my account is something that could happen to any account.

Compromised GoDaddy account page

There was no document verification performed and the ID submitted by Mr. Toria used an image that looks nothing like me. From social engineering, to the crafted social media profile, fake ID and email account, this was a classic example of a targeted attack from start to finish.

An account takeover such as this allows an attacker to use the hijacked domain to create code-signing certificates. It could be used to impersonate someone's personal brand, and leverage said brand to target customers, fans, or business partners.

An attacker could develop any number of domains and use them for a watering hole attack, or alter DNS and direct visitors to a server under their control.

In fact, such tactics are a favorite of groups such as Lizard Squad and the Syrian Electronic Army, who target hosting accounts for exactly those reasons.

"If [the attackers] wanted to be slick about it, they could gain access, insert their code, create backdoor admin accounts, and return access back to the original owner before they even knew what had happened. The owner would receive the confirmation email, see that their website is still online, and consider it a Phishing attack and just delete it," Mr. Troia said.

GoDaddy isn't the only major domain registrar to use photo ID as a last resort. Network Solutions also has an ID-based verification, but unlike GoDaddy, the ID and required documents must be faxed over, instead of uploaded. Interestingly enough, one domain registrar,, doesn't allow photo ID as a form of verification, because "anyone could just whip something up in Photoshop."

Using GoDaddy's DomainControl and privacy features, which are offered as a value-added service for an additional cost, would only slow a determined attacker. While the public can't see the registration details, the support staff can. So an attacker armed with public information could abuse the change of account form.

Mr. Troia hopes that by exposing the logic flaw in their security model, GoDaddy will implement tougher verification procedures, but admits it's a paradoxical situation. A valid government-issued ID should be an acceptable form of verification, but it's clearly not enough.

Two-factor authentication isn't viable either, he said, because if someone hijacks the domain and enables that protection after the fact, then the customer would be left with few options for reacquiring access to the domain.

"The reality is that if I register a domain, I should have some idea of what credit card was used to pay. In your case, the domain was registered a few days ago, so it's not as if I would have no record of it. I could have pulled up my bank statement and gotten the last four digits," he said.

"This [change of account form] probably exists to help the customer gain access to their domain in the event of an issue, but we have clearly shown that there isn’t enough security to protect the customer from having their domains stolen."

GoDaddy did attempt to contact me via email and inform me of the registration changes, including the new DNS settings that Mr. Troia applied to a domain recently purchased for this story.

Unfortunately, that email came long after he had reset the account password. A follow-up email didn't arrive until nine hours later. If this attack had been real, it would have been too late. The domain where the GoDaddy warning was sent is on the same account that was compromised.

So what can consumers and organizations do to protect themselves from this type of attack?

"The best thing  you can do is setup domain privacy, which makes it more difficult because I would need to find the private contact information, which can easily be done with DomainTools; then go through or whichever company is keeping the domain private," Mr. Troia explained.

"Do your due diligence. If you're really worried about the security of your domain (as you should be), find out what security protocols the registration company has in place. Ask your registration (or hosting) company what safeguards they have in place in case your account is hijacked. How will you get it back? Hacking is pretty common now, so they should have an answer ready."

When asked for a comment on this story, as well as answers to a number of pointed questions on the limits of their customer support staff and the existence of an account reset form, GoDaddy only responded with a single statement:

“GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”

Copyright © 2015 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
8 pitfalls that undermine security program success