Sucuri Blog

Website Security News

Targeted Phishing Against GoDaddy Customers

December 11, 2014, by Marc Kranat

I do get a lot of phishing emails, we all do, but as security professionals we tend to recognize them immediately. Either the syntax is wrong, or it’s missing a name. When you get them from a bank you don’t even deal with, that’s a pretty good clue.

However, when the phishing is well done and targeted, the game changes. Today, I received one that was well targeted. It uses my email registered at GoDaddy and my real name. And their guess that I have too many folders is a good one as I do have many test and demo sites.

If this wasn’t bad enough, our users are also reporting that they are receiving similar targeted emails. The emails are all very well written and warn the user about a large number of directories being used on their sites and a possible suspension of their account. This is what the email looks like:

[Image: godaddy-phishing]

We heard reports of this type of targeted phishing a few months ago, but it seems to be picking up steam lately. Webmasters have to be extra careful not to be fooled by this. This is the full copy of the email:

Dear Valued GoDaddy Customer RealName.

Your account contains more than 5271 directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we recommend that you create special directory.

Or use the link below:

https://mya.godaddy.com/tmp.aspx?doit=6123455

However, when clicked (or moused over), the link actually redirects to a secondary phishing page located at httx://texlavka.ru/includes/data/ourrueatqz.htm asking for your GoDaddy user and password:

[Image: godaddy-phishing-page]

Are you a GoDaddy customer? Did you receive a similar email with your real name? If you ever need to log in to your hosting provider, make sure you go straight to it and do not follow email links.

Categories: Web Pros, Website Security
Tags: Phishing

About Marc Kranat

CISM CISSP
Marc Kranat is Sucuri’s Enterprise Firewall Supervisor who joined the company in 2014. Marc’s main responsibilities include providing support to high-value clients. His professional experience covers over 20 years in cyber and IS security and project management. When Marc isn’t checking firewall logs and configurations, you might find him acting as an assistant to his photographer wife, or wrangling his Husky. Connect with him on Twitter.

Reader Interactions

Comments

  1. Don'tPhishMeDude

    December 11, 2014

    Yep I just got one too. Didn’t fall for it and reported it to GoDaddy. I decided while I had GoDaddy on the phone to go ahead and put all my domain registrations behind their Whois proxy. They gave me a good deal on it.

  2. Canuck

    December 12, 2014

    Got one too but Thunderbird flagged it as a scam before I even glanced at it. That and I’m no longer using their services!

  3. NotFallingForIt

    December 12, 2014

    I received one a few months ago. I had just set up two domains, so I knew there was no way I could have that many files on my FTP. 1st red flag. By the time I got to fully investigating, the redirect link had been taken down and clicking it took me to a non-working page.

  4. Henrik Oldcorn

    December 22, 2014

    And their website…it’s not even HTTPS!

  5. Slevi

    March 8, 2015

    Just received one from donotreply@mails.godaddy.com saying: “An unknown user was trying to login your GoDaddy account with an incorrect password on Tuesday 3 March”, website goes to: increasepitchingspeed … I actually tried to report this to GoDaddy and their response was “domain not hosted by us”… I think I’ll be moving my domains elsewhere (where they actually give a #$%#$)

    • Henrik Schack

      April 21, 2015

      GoDaddy could prevent most of that sort of email from ever arriving if they changed their DMARC policy from none to reject.

  6. MK

    June 13, 2015

    Just got a nearly identical notice on my Bluehost account, linking me to a site that looked identical to Bluehost but had a Russian URL.

    • Ninja CMO

      June 25, 2015

      Ditto here

  7. HillofBeans

    October 14, 2015

    Just got this today, but for my Hostmonster account, not Godaddy.

    Got to say, it was pretty convincing. I clicked on the link but fortunately it didn’t generate the fake login-page.

    • QiDelephant

      November 17, 2015

      Me too. Clicked and something didn’t seem right. So I went back to the email and noticed the link went to something other than Hostmonster. Turned out the bare link is a fake Subway site (restaurant) with Russian on it??

  8. Elnonio

    November 22, 2015

    Same for Hostmonster. Was a little puzzled since my website hasn’t grown all that much in terms of directories. At first, I thought perhaps my account was compromised and someone was leeching off my domain.
