I do get a lot of phishing emails, we all do, but as security professionals we tend to recognize them immediately. Either the syntax is wrong, or it’s missing a name. When you get them from a bank you don’t even deal with that’s a pretty good clue.
However, when the phishing is well done and targeted, the game changes. Today, I received one that was well targeted. It uses my email registered at GoDaddy and my real name. And their guess that I have too many folders is a good one as I do have many test and demo sites.
If this wasn’t bad enough, our users are also reporting that they are receiving similar targeted emails. The emails are all very well written and warn the user about a large number of directories being used on their sites and a possible suspension of their account. This is what the email looks like:
We heard reports of this type of targeted phishing a few months ago, but it seems to be picking up steam lately. Webmasters have to be extra careful not to be fooled by this. This is the full copy of the email:
Dear Valued GoDaddy Customer RealName.
Your account contains more than 5271 directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation.
In order to prevent your account from being locked out we recommend that you create special directory.
Or use the link below:
https://mya.godaddy.com/tmp.aspx?doit=6123455
However, when clicked (or moused over), the link actually redirects to a secondary phishing page located at httx://texlavka.ru/includes/data/ourrueatqz.htm asking for your GoDaddy user and password:
Are you a GoDaddy customer? Did you receive a similar email with your real name? If you ever need to login to your hosting provider, make sure you go straight to it and do not follow email links.
David Dede
Rianna MacLeod
Cesar Anjos![Massive ois[.]is Black Hat Redirect Malware Campaign Targets WordPress Sites](https://blog.sucuri.net/wp-content/uploads/2022/11/BlogPost_Feature-Image_1490x700_PHP-Login-Stealer-390x183.png)
Ben Martin
11 comments
Yep I just got one too. Didn’t fall for it and reported it to GoDaddy. I decided while I had GoDaddy on the phone to go ahead and put all my domain registrations behind their Whois proxy. They gave me a good deal on it.
Got one too but Thunderbird flagged it as a scam before I even glanced at it. That and I’m no longer using their services!
I received one a few months ago. I had just setup two domains, so I knew there was no way I could have that many files on my FTP. 1st red flag. By the time I got to fully investigating, the redirect link had been taken down and clicking it took me to a non working page.
And their website…it’s not even HTTPS!
Just received one from donotreply@mails.godaddy.com saying: “An unknown user was
trying to login your GoDaddy account with an incorrect password on Tuesday 3
March”, website goes to: increasepitchingspeed … I actually tried to report this to GoDaddy and their reponse was “domain not hosted by us”… I think I’ll be moving my domains elsewhere (where they actually give a #$%#$)
Godaddy could prevent most of that sort of emails from ever arriving if they changed their DMARC policy from none to reject.
Just got a nearly identical notice on my Bluehost account, linking me to site that looked identical to Bluehost but had an Russian url.
Ditto here
Just got this today, but for my Hostmonster account, not Godaddy.
Got to say, it was pretty convincing. I clicked on the link but fortunately it didn’t generate the fake login-page.
Me too. Clicked and something didn’t seem right. So I went back to the email and noticed the link went to something other than Hostmonster. Turned out the bare link is a fake Subway site (restaurant) with Russian on it??
Same for Hostmonster. Was a little puzzled since my website hasn’t grown all that much in terms of directories. At first, I thought perhaps my account was compromised and someone was leaching off my domain.
Comments are closed.