
GoDaddy WHOIS Verification Email - Beware of Phishing Scam


ImageAuthors

Please bump this thread to the top in order to warn people.

BEWARE OF THIS PHISHING SCHEME:

Beware of emails ostensibly from "GoDaddy" with titles like this:

ACTION REQUIRED - Reminder to verify the accuracy of Whois data


Despite the GoDaddy logo and graphics, this appears to be a phishing scam.

You will be directed to a GoDaddy clone website on a domain such as this one:

GoDaddyAuthentication.com

You are prompted to log in, and I'm guessing your password will be used later on to steal your domains.

GoDaddyAuthentication.com shows the following in Whois:

Domain Name: GODADDYAUTHENTICATION.COM
Registrar: NAMEBAY
Whois Server: whois.namebay.com
Referral URL: http://www.namebay.com
Name Server: NS1.ISPFR.NET
Name Server: NS2.ISPFR.NET
Status: ok
Updated Date: 04-jan-2014
Creation Date: 04-jan-2014
Expiration Date: 04-jan-2015
godaddyauthentication.com registrar whois
Domain Name : GODADDYAUTHENTICATION.COM
Created On : 2014-01-04
Expiration Date : 2015-01-04
Status : ACTIVE
Registrant Name : denis Alain
Registrant Street1 : 26 rue auguste blanche
Registrant City : puteaux
Registrant State/Province :
Registrant Postal Code : 92800
Registrant Country : FR
Admin Name : NUXIT
Admin Street1 : 400 avenue Roumanille
Admin City : Sophia Antipolis
Admin State/Province : FR
Admin Postal Code : 06903
Admin Country : FR
Admin Phone : +33.899563600
Admin Email : [email protected]
Tech Name : NUXIT
Tech Street1 : 400 avenue Roumanille
Tech City : Sophia Antipolis
Tech State/Province : FR
Tech Postal Code : 06903
Tech Country : FR
Tech Phone : +33.899563600
Tech Email : [email protected]
Billing Name : NUXIT
Billing Street1 : 400 avenue Roumanille
Billing City : Sophia Antipolis
Billing State/Province : FR
Billing Postal Code : 06903
Billing Country : FR
Billing Phone : +33.899563600
Billing Email : [email protected]
Name Server : NS1.ISPFR.NET
Name Server : NS2.ISPFR.NET
Registrar Name : Namebay
 
6
•••
That can be easily done, especially if they are targeting fewer people but with lots of names.

Normally, these emails are sent to many people by using email lists.
It takes more time and knowledge to make custom emails per user, and it hasn't been done till now.
Just curious, check the email you received and see how it is.
 
0
•••
This one has the generic dear customer as you said, but adding the correct name is just a matter of adding a new column to the csv before importing.
Next time they may be smarter...
The best way is to verify the url of the website when we are already there, because even an email link can be forged.
 
0
•••
The real verification email from Go Daddy does NOT ask you to "LOG IN TO CONFIRM"

You simply click the link in the email and then close your browser. Never log in to a site from a link in an email.

Another way to verify that you're dealing with Go Daddy is to add "https://" in front of the URL instead of "http://" like this:

[Attachment: godaddy-ssl.png]
0
•••
Here is a general tip as well, given we are talking about security. The email listed in your whois should not be the email belonging to your account admin. This won't prevent you from falling for a phishing scam, but it helps with general hacking attempts.
 
0
•••
*

I regged one new domain last night and one today.

I did NOT receive the verification email for either one.

I'm wondering if GD decided to scrap that verification plan for now.

The one I regged last night is fully operational now.

If you have Gmail, there is a way to check the original path (to and from) for your emails. There is a drop-down menu next to the sender address. Click on "Show Original," which will open a new window. It looks like a bunch of code (which it is, LOL), but you can suss out the to and from fields.

*
 
0
•••
Thanks for the info :) I wasn't aware that GoDaddy does this now.

If they don't ask you to login, and you haven't verified your email this year, then it's correct. Just make sure the website is really Godaddy.com

You only have to verify your email address once.

This just started in 2014 :(
http://support.godaddy.com/help/article/8948/verifying-contact-information-for-icann-validation

We teach people that it isn't safe to click on email links and now they make this mandatory or the domain will be suspended?


I regged 2 last night (as mentioned earlier). They are active and in my account. I can access them. And a confirmation email never came with either, other than the standard 'Here is your order' one. GoDaddy's always been strange.

 
1
•••
I regged one new domain last night and one today.

I did NOT receive the verification email for either one.

It took about 48 hours before I received mine. However, the emails might still be in a testing phase where only a portion of Go Daddy customers receive them for the time being.

If you have Gmail, there is a way to check the original path (to and from) for your emails. There is a drop-down menu next to the sender address. Click on "Show Original," which will open a new window. It looks like a bunch of code (which it is, LOL), but you can suss out the to and from fields.

Warning: The "From:" field in those headers can be set by anyone to anything they want, even [email protected]. Never trust an e-mail just because of whom it appears to be from.
 
1
•••
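Added example (not part of any post in this thread): a Python sketch of what to read in the "Show Original" source instead of trusting the From: line, namely the envelope sender, the DMARC verdict stamped by the receiving server, and the hosts behind the links. The message and all addresses in it are constructed for illustration, and the Authentication-Results header is assumed to come from your own mail provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample of the raw source that "Show Original" displays.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dmarc=fail header.from=godaddy.com
From: GoDaddy <support@godaddy.com>
Subject: ACTION REQUIRED - Whois - OpenID Required
Content-Type: text/html; charset="utf-8"

<a href="http://godaddyauthentication.com/">LOG IN TO CONFIRM</a>
<a href="https://support.godaddy.com/help">Help</a>
"""

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyse(raw, claimed="godaddy.com"):
    msg = message_from_string(raw)
    findings = []
    # 1. From: is free text; compare it with the envelope sender.
    sender = addr_domain(msg.get("Return-Path"))
    if under(addr_domain(msg.get("From")), claimed) and not under(sender, claimed):
        findings.append(f"From says {claimed}, envelope sender is {sender}")
    # 2. DMARC verdict recorded by the receiving server (assumed trusted).
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    verdict = re.search(r"\bdmarc=(\w+)", auth)
    if not verdict or verdict.group(1).lower() != "pass":
        findings.append("dmarc=" + (verdict.group(1) if verdict else "missing"))
    # 3. Every link must stay on the claimed domain; a brand name inside
    #    another registered domain does not count.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r'href=["\']([^"\']+)', body, re.I):
            host = urlsplit(url).hostname
            if host and not under(host, claimed):
                findings.append(f"link leaves {claimed}: {host}")
    return findings
```

A differing envelope sender on its own is common with legitimate bulk mail; it matters here in combination with the failed DMARC result and the off-domain login link.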
FWIW, I did not see the button I was supposed to click in the legitimate godaddy emails until I changed my email program to show messages in html (instead of plain text).
 
0
•••
I wrote this on another thread, but readers can benefit from it here too:

I highly recommend that you enable DTVS at Go Daddy to keep your domains safe.

Go Daddy offers its customers with high-valued domain assets a service called Domain Transfer Validation Service (DTVS), which requires that Go Daddy call your phone to verify every domain transfer with you before it can complete. If a domain transfer is not vocally approved by you, the transfer will fail. They do not accept inbound calls from your phone number to verify the domain transfer, since those can be spoofed. They always call you directly to verify.

It's incredibly secure and no one can steal your domains even if they have access to your Go Daddy account and email address.

Dynadot has a couple options for additional security that I also recommend:
  • Dynadot Token Authentication for iPhone/Android: Requires that you generate and provide a unique code using an app on your phone each time you want to unlock any domain names in your account. The code changes every few minutes.
  • SMS Authentication: Sends you a text message with a random code, unique each time, to your mobile phone that is required to unlock any domain names in your account.

Other registrars have similar security measures, but these are the ones that help me sleep better at night.
 
0
•••
Have y'all read this? Change in ICANN policies.
 
0
•••
If you're aware that these phishing scams are out there and looking for a secure way to handle things, there's a method that sounds very safe. It was posted at DomainGang. Search for "GoDaddy phishing DomainGang" and you'll find a description of what to do.

I haven't tried it, but it looks like the most robust method to deal with email verifications at GoDaddy now that ICANN has mandated these changes.
 
0
•••
Beware! GodaddyAdministration.com

I just got an email asking me to click this link at godaddyadministration.com and confirm my email.
ACTION REQUIRED - OpenID - Email validation

Dear Valued GoDaddy Customer,

This automated message is a reminder to help you keep the contact data associated with your domain registration up-to-date. We have the following information on record (Email), about your domain(s) name (detailed instructions here).

Email: [email protected]

(OpenID Authentication Required)

If this Change of Account is not complete within 10 days, the transaction of Change of Account will expire.

Anyone get this one yet?

I just checked the whois and the return link was just regged so BEWARE!

Domain Name : GODADDYADMINISTRATION.COM
Created On : 2014-01-05
Expiration Date : 2015-01-05
Status : ACTIVE
Registrant Name : Bartels Anke
Registrant Street1 : 19 RUE LA BLANCHE
Registrant City : puteaux
Registrant State/Province :
Registrant Postal Code : 92800
Registrant Country : FR
Admin Name : NUXIT
Admin Street1 : 400 avenue Roumanille
Admin City : Sophia Antipolis
Admin State/Province : FR
Admin Postal Code : 06903
Admin Country : FR
Admin Phone : +33.899563600
Admin Email : [email protected]
Tech Name : NUXIT
Tech Street1 : 400 avenue Roumanille
Tech City : Sophia Antipolis
Tech State/Province : FR
Tech Postal Code : 06903
Tech Country : FR
Tech Phone : +33.899563600
Tech Email : [email protected]
Billing Name : NUXIT
Billing Street1 : 400 avenue Roumanille
Billing City : Sophia Antipolis
Billing State/Province : FR
Billing Postal Code : 06903
Billing Country : FR
Billing Phone : +33.899563600
Billing Email : [email protected]
Name Server : DNS2.E-CLICKING.IN
Name Server : DNS1.E-CLICKING.IN
Registrar Name : Namebay

Registrar: NAMEBAY
Whois Server: whois.namebay.com
Creation Date: 05-JAN-2014
Updated Date: 05-JAN-2014
Expiration Date: 05-JAN-2015

Nameserver: DNS1.E-CLICKING.IN
Nameserver: DNS2.E-CLICKING.IN
 
0
•••
I've received it too, this morning! It is exactly the same! The "log in to confirm" button, the OpenID thing.
I've already received the legit Godaddy "Reminder: Please verify your email address" email on the 2nd of January. It had a red banner and a "verify your email address" (not "Log in").
 
0
•••
They're still at it; it appears to be the same person or maybe a couple buddies. I just received this email:

Subject line:
ACTION REQUIRED - Whois - OpenID Required
Email content:
Dear Valued GoDaddy Customer,

Email: You must confirm your email address in order for it to be fully associated with your domain name.

(OpenID Authentication Required)

If this Change of Account is not complete within 10 days, the transaction of Change of Account will expire.

LOG IN TO CONFIRM
If you feel you are receiving this email in error, please immediately contact undo @godaddy.com.

Here is a pic of the email, where I have cleverly indicated the offending clues and cunningly placed a red X to show not to do it:

[Attachment: GodaddyScam.jpg]


How you know it's fake:
- godaddy doesn't use OpenID in their verification email
- godaddy doesn't require you to log in to your account to verify. All you do is click a 'verify' button, without logging in, and it's finished.
- and of course the big one: the 'log in to confirm' button actually directs you to a fake log in page that is hosted by this website:
SecureAssistances (dawt) com

That domain name whois is:

Domain Name : SECUREASSISTANCES.COM
Created On : 2014-02-26
Expiration Date : 2015-02-26
Status : ACTIVE
Registrant Name : Edward Guefel
Registrant Street1 : 21 RUE LA TOUR
Registrant City : mareil-sur-loir
Registrant State/Province :
Registrant Postal Code : 72200
Registrant Country : FR
Admin Name : NUXIT
Admin Street1 : 400 avenue Roumanille
Admin City : Sophia Antipolis
Admin State/Province : FRANCE
Admin Postal Code : 06903
Admin Country : FR
Admin Phone : +33.486576005
Admin Email : [email protected]
Tech Name : NUXIT
Tech Street1 : 400 avenue Roumanille
Tech City : Sophia Antipolis
Tech State/Province : FRANCE
Tech Postal Code : 06903
Tech Country : FR
Tech Phone : +33.486576005
Tech Email : [email protected]
Billing Name : NUXIT
Billing Street1 : 400 avenue Roumanille
Billing City : Sophia Antipolis
Billing State/Province : FRANCE
Billing Postal Code : 06903
Billing Country : FR
Billing Phone : +33.486576005
Billing Email : [email protected]
Name Server : NS1.ISPFR.NET
Name Server : NS2.ISPFR.NET
Registrar Name : Namebay

This whois is almost identical, with a few details changed, to the whois Lennco posted for the domain godaddyadministration.com. The two registrant cities, though different in name, are close together in the north of France, so I suspect the scammer is falsifying several whois records for different domains. Both domains are regged at Namebay.com... interestingly, Namebay.com registrant is in Monaco, a small country surrounded by France (except on the water side of course)...

Hmm....

Just a note: to the members in this thread who contacted Godaddy and Namebay about this... did you get any response?


*Edit: actually their timing was perfect: I won a couple expiring domains at godaddy auctions a week ago and was expecting them to drop into my account today. So this verification email hoodwinked me for a moment, until I remembered about this phishing scam.
 

0
•••
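Added example (not part of any post in this thread): the WHOIS comparison made above, done mechanically in Python. The field values are copied from the three records quoted in the thread, trimmed to six fields each; the function names are this example's own.

```python
from collections import defaultdict

# Fields copied from the WHOIS records quoted in this thread (trimmed).
RECORDS = {
    "godaddyauthentication.com": """\
Registrant City : puteaux
Registrant Postal Code : 92800
Admin Name : NUXIT
Admin Phone : +33.899563600
Name Server : NS1.ISPFR.NET
Registrar Name : Namebay
""",
    "godaddyadministration.com": """\
Registrant City : puteaux
Registrant Postal Code : 92800
Admin Name : NUXIT
Admin Phone : +33.899563600
Name Server : DNS1.E-CLICKING.IN
Registrar Name : Namebay
""",
    "secureassistances.com": """\
Registrant City : mareil-sur-loir
Registrant Postal Code : 72200
Admin Name : NUXIT
Admin Phone : +33.486576005
Name Server : NS1.ISPFR.NET
Registrar Name : Namebay
""",
}

def parse(text):
    """Turn 'Key : value' lines into {key: {values}}, skipping empty values."""
    fields = defaultdict(set)
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep and value.strip():
            fields[key.strip()].add(value.strip().lower())
    return fields

def shared_pivots(records):
    """Map (field, value) to the sorted domains sharing it (two or more)."""
    seen = defaultdict(set)
    for domain, text in records.items():
        for key, values in parse(text).items():
            for value in values:
                seen[(key, value)].add(domain)
    return {k: sorted(d) for k, d in seen.items() if len(d) > 1}
```

Contacts filled in by a reseller or host repeat across unrelated customers, so a shared admin contact alone is a weak link; overlapping registrant details and name servers carry more weight when reporting the domains together.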
*Edit: actually their timing was perfect: I won a couple expiring domains at godaddy auctions a week ago and was expecting them to drop into my account today. So this verification email hoodwinked me for a moment, until I remembered about this phishing scam.


did their emails mention the domain names?


(anywhere: in the subject, email address, link, or body of email)
 
0
•••
make sure to alert the host and the registrar
 
0
•••
did their emails mention the domain names?


(anywhere: in the subject, email address, link, or body of email)

Nope.

---------- Post added at 02:10 PM ---------- Previous post was at 02:07 PM ----------

make sure to alert the host and the registrar

Thanks; that's why I asked others who had done so if they had any response. If they emailed and no one cared or responded, I won't bother. If they got a response and something was done, I will bother.
 
0
•••
*

The real verification email does not contain the domain name(s), either.

*
 
0
•••