Domaingang.com has been reporting on many domain names that have been involved in phishing attacks on Godaddy, which have resulted in domain names being stolen out of Godaddy accounts.
Most phishing attacks send customers to a domain controlled by the phisher, which winds up appearing in the URL bar. The recent attacks instead use domain names that contain the registrar’s name but are owned by third parties, just like the ones Godaddy recently warned its customers about.
As reported by DomainGang.com, here are a few:
account-godaddy.com
godaddy-account.com
service-godaddy.com
services-godaddy.com
support-godaddy.com
Take the domain name support-godaddy.com.
It was first registered back in 2006 by a John Bazely of the UK and remained registered until February 19, 2008, when it expired and was deleted. The domain remained unregistered until just several weeks ago, on December 3rd of this year.
Why didn’t Godaddy register this domain in the 6 years that it was available?
Then there are service-godaddy.com and services-godaddy.com, which were just registered at the Chinese domain registrar eName Technology Co., Ltd on June 3rd, 2014.
Six months certainly is enough time to file a UDRP.
account-godaddy.com was registered on December 3rd of this year, as was godaddy-account.com.
Hell, three weeks is long enough to file a UDRP.
Godaddy, like most major brands, needs to be on the lookout for direct domain registrations and at least track what is being done with the domains. Are they just being parked, or are they being used to mirror the Godaddy.com site?
Once Godaddy or any other registrar gets a report of a domain containing its name being used for phishing, then it’s the registrar’s responsibility to get those domain names shut down, by filing a UDRP, ASAP.
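The kind of registration watch described above, as an added example (not code from this article, DomainGang or Godaddy): a Python triage of a new-registration feed that flags third-party names containing the brand and ranks brand-plus-service-word names, like the ones listed, first. The feed format, the `OWNED` list and the filler rows are assumptions, and "this year" is read as 2014.

```python
from datetime import date

BRAND = "godaddy"            # brand string to watch for
OWNED = {"godaddy.com"}      # assumption: domains the brand itself controls
# Service words taken from the lookalike names listed in the article
SERVICE_WORDS = {"account", "service", "services", "support"}

def classify(domain):
    """Return 'owned', 'brand+service', 'brand', or None for a domain name."""
    d = domain.strip().lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in OWNED):
        return "owned"
    for label in d.split(".")[:-1]:          # every label except the TLD
        if BRAND not in label:
            continue
        # Split on hyphens, then cut the brand out of each part so glued-on
        # words ("godaddysupport") are caught as well as hyphenated ones.
        tokens = set()
        for part in label.split("-"):
            tokens.update(t for t in part.split(BRAND) if t)
        return "brand+service" if tokens & SERVICE_WORDS else "brand"
    return None

def triage(feed):
    """feed: iterable of (domain, creation_date) pairs.
    Returns third-party brand hits: brand+service first, then newest first."""
    hits = []
    for dom, created in feed:
        kind = classify(dom)
        if kind in ("brand+service", "brand"):
            hits.append((kind != "brand+service", -created.toordinal(),
                         dom.lower(), kind, created.isoformat()))
    return [(dom, kind, iso) for _, _, dom, kind, iso in sorted(hits)]

# Constructed feed. The first five names and dates are the ones given in the
# article ("this year" read as 2014); the last three rows are made-up filler.
SAMPLE_FEED = [
    ("service-godaddy.com", date(2014, 6, 3)),
    ("services-godaddy.com", date(2014, 6, 3)),
    ("support-godaddy.com", date(2014, 12, 3)),
    ("account-godaddy.com", date(2014, 12, 3)),
    ("godaddy-account.com", date(2014, 12, 3)),
    ("godaddy.com", date(2014, 1, 1)),
    ("godaddy-coupons.example", date(2014, 11, 1)),
    ("cheap-hosting.example", date(2014, 12, 1)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FEED):
        print(*row)
```

Each hit still needs the follow-up the paragraph asks for: checking whether the name is parked or mirroring the real site before deciding on a takedown or UDRP.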
jose says
it’s cheaper to look the other way
Acro says
Large organizations such as GoDaddy deal with plenty of bureaucracy already. I’ve recently reported these particular domains to GoDaddy as related to a series of documented domain theft incidents and I believe they will consider some action.
Of course, the usual tinfoil hat theorists might say it’s GoDaddy’s plan to have their own customers lose their domains to a Chinese conman’s phishing emails.
BullS says
Ain’t surprise one day all your domains at godaddy will be siphoned off to the Chinese’s servers.
ikehook says
Also why wouldn’t they send out security notices? I got around 6 emails all stating that I needed to confirm my Whois for ICANN. It seemed like the normal BS so I clicked the link and almost signed in, except that Chrome didn’t autofill my user name. The phishing site was identical. So I forwarded one of them to my account rep, he said, “Yeah, that’s a phishing site.” Yeah, no kidding. Why the hell wouldn’t you send out notices to make people aware this was happening?
Acro says
You mean, send out a few million emails that themselves can be spoofed as phishing attempts?
They did warn about this in September: https://garage.godaddy.com/godaddy/godaddy-customers-beware-email-phishing-attempts/
HireDomains says
Well, I forwarded on a phishing email sent to me and stated it was my belief this was an attempt to get to the domain 6462.com. I never click on links and was of the belief my name was safe. Godaddy failed to respond to my email. I asked for the fraud to be recorded; they failed to offer me a two step verification login. After being a loyal customer for a number of years. Two weeks later the domain was stolen. Now they say I have to subpoena them to see who had access to my account; they have not answered the question of why didn’t I receive an email alerting me of the transfer? Money and power corrupt. As far as I am concerned Godaddy are corrupt. The way they treat their customers is disgusting!
Louise says
Nice reporting! Here is a reward, a video of a cool performance by a rising artist:
Louise says
I could take a lesson: jesse j is working like the rent is due! 🙂
Louise says
The missing piece is Godaddy-Support.com, not on Acro’s list. Here is the creation date:
Godaddy-Support.com
Creation Date: 2014-03-09T14:56:03Z
eNomSupport.com was registered by the same entity, 3 seconds earlier:
eNomSupport.com
Creation Date: 2014-03-09T14:56:00Z
Acro, it’s hard to email you. The form on Acroplex.net lost my comment, when I didn’t enter the # right. It’s hard to type in the privacy email on your whois.
There are lively blogs in Chinese and German, where services-enom have done some phishing among Registrants. One site warns:
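“8. Do not click on emails impersonating enom. These high-quality fake emails usually ask you to enter your enom account and password; real enom emails will not ask you to log in. name-services.com belongs to the enom company, while the hackers’ recent lookalike domain services-enom.com was, of all things, registered domestically at eName, yet many people have been fooled.”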
He means, don’t be fooled by phishing url services-enom.com, when it is name-services.com that is the enom confirmation email.
Name-services.com is parked and under privacy. Can eNom be any more confusing, when it sends out its confirmation emails?
A reference site states:
Same IP Websites Analysis
The server IP address of Enomsupport.com is 122.10.117.128, we have found 2 websites hosted on this server.
You also from here to view more websites.
Rank | Domain | Primary Traffic
n/a | name-serivce.com
n/a | godaddy-support.com
Funny coincidence! Name-service.com was hosted at the same IP address as Godaddy-Support.com & enomSupport.com, when this record was made.
Also, it said
Server Location: Guangzhou, China
The Registrant is based in New Zealand, but the name servers are in China: f1g1ns1.dnspod.net
Louise says
So, name-serives.com is the authentic enom confirmation domain name?
which is parked and under privacy?
Why is name-services.com listed as the name servers for account-securities.org? And don’t click anything if you go there! Looks malware-ridden. Account-securities.org registered November 28th, 2014:
http://whois.domaintools.com/account-securities.org
by Andre Gotteland, at gotteland@europe.com . Gotteland. I gotta land, too.
Who is Europe.com? It is owned by World Media Group, LLC, going by World.com. Registered at Register.com, famous for Web.com hosting site. Here are some domains it offers: accountant.com alumni.com autobody.com calendar.com chemist.com choir.com comic.com confession.com consultant.com couple.com diploma.com dublin.com engineer.com fact.com faq.com fashionstore.com fight.com guaranteed.com instruction.com myself.com journalist.com luckynumber.com partner.com politician.com scientist.com teacher.com wires.com
The finest collection I ever heard of!
So, Andre Gotteland at gotteland@europe.com owns:
Account-Securities.org
which has servers on enom servers:
name-servers.com
yet, it redirects to a site which states:
This website has been reported as unsafe
account-securities.org
We recommend that you do not continue to this website.
Go to my home page instead
This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information.
More information
“Personal or financial information.”
Stands to reason, because account-secuities.COM is owned by none other than BAC.com.
But, it looks like a site that will download something malicious.
It was registered in November, and ICANN has already banned it?
Louise says
Correction: account-services.com is owned by BAC.com
Account-Securities.com
Account-Securities.net
Account-Securities.org
Account-Securities.guru
Account-Securities.co.uk
all registered by Andre Gotteland of the UK at gotteland@europe.com
Browser seems to flag .com, .org and .guru as unsafe. account-securities.net and .co.uk don’t resolve for me.
So, Acro.net and you tech experts, how can account-securities.com point to name-servers.com, and yet redirect to the flagged website? They were registered same day, on November 28th, 2014.
Why did my research land on account-securities.com?
Louise says
It was an icloud phishing site, exposed by The Daily Scam dot com. Here is a png of the form it led the user to, if he clicked the link in an email:
http://www.thedailyscam.com/wp-content/uploads/2014/12/7-Apple-account-phishing-site-4.png
So, account-securities.com was registered through enom to phish for Apple user IDs.
Louise says
Godaddy-Support.com
&
Name-Service.com
hosted on dedicated IP address: 122.10.117.128
a server in Hong Kong
Also, IP address 122.10.117.128 is supposed to be the server for eNomSupport.com.
http://www.statscrop.com/www/enomsupport.com
http://reverseip.domaintools.com/search/?q=122.10.117.128
It is a dedicated server of Pang International
http://whois.domaintools.com/122.10.117.128
Louise says
Godaddy-Support.com
enomsupport.com
name-service.com
Very special domains to be hosted on a dedicated IP address.
Louise says
Why Hasn’t Godaddy File UDRP on Phishing Domains:
account-godaddy.com
godaddy-account.com
service-godaddy.com
services-godaddy.com
support-godaddy.com
AND
godaddy-support.com?
The 2nd question is:
Why does the enom confirmation url in its security email
name-servers.com
have to be SO OBSCURE that it resolves to a parked page, and is registered under privacy?
Why?
Why?
Why?
Why?
DaveZ says
Go Daddy will surely deal with those phishing names, albeit how — more so how to do so as cost-efficient and fast as possible — is probably the question they’re also asking themselves. Can the Uniform Rapid Suspension thing handle this issue aside from UDRP?
I also wonder if Go Daddy tried to file a UDRP or so but got bogged down by the holidays in-between. Then again, it’s probably better for them to do something (e.g. file UDRP) and then mention it later rather than the other way around. We’ll see.
Evans Gathaku says
Nice comment by Davez: “
Go Daddy will surely deal with those phishing names, albeit how — more so how to do so as cost-efficient and fast as possible — is probably the question they’re also asking themselves. Can the Uniform Rapid Suspension thing handle this issue aside from UDRP?
I also wonder if Go Daddy tried to file a UDRP or so but got bogged down by the holidays in-between. Then again, it’s probably better for them to do something (e.g. file UDRP) and then mention it later rather than the other way around. We’ll see.”