security Cybersecurity incident at GoDaddy and Escrow.com

[vccground]

A spear-phishing attack this week hooked a customer service employee at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned. The incident gave the phisher the ability to view and modify key customer records, access that was used to change domain settings for a half-dozen GoDaddy customers, including transaction brokering site escrow.com.

Read it here:

https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/

 

[Peak.Domains]

After having the distinct pleasure of dealing with GoDaddy's customer support on several very unfortunate occasions, I'm honestly surprised this doesn't happen several times per day.

 

[Samer]

fix 60 lock, doesnt help security, it kills liquidity

Maybe this is karma...

Samer

 

[Josytal]

It could’ve happened to just any other registrar, not only GD. Anything coded can be decoded. No one is insured.

Measures should be implemented covering all aspects:
technical; organizational; legal.

In most cases of security breaches, the organizational factor has proved time and again to be the weakest link – like employee clicking link-bait to phishing site out of stupid curiosity.

 

[ken.colvin]

It's a matter of training. I've had my credit cards hijacked twice by thieves contacting a customer service agent with my birth date, changing the contact info (email and phone) and then running up balances all over the country. Another one changed my Best Buy account info and bought several hundred dollars worth of electronics by going through a customer service agent. I can't believe its that easy. Unfortunately, I know that some registrars use your birth date for verification. Be careful who you give it to!

 

[DomainRecap]

Here's the question you need to ask any company that holds your valuables:

What are your procedures when someone calls up and says "I forgot (or lost) all my PINs, codes, and passwords. Help me!"

Most just ask for something easily obtainable by scammers like a customer's address, phone number, birth date, etc., thus rendering all these incredible "security mechanisms" moot.